Traffic from VPN IPsec to DMZ

Apr 14th, 2009

I have already configured an IPsec VPN between a router and the ASA.

Is it possible to reach hosts from the remote location 192.168.201.0/24 via the VPN on dmz-vlan13?


So I need the traffic from 192.168.201.0/24 via the VPN to be PATed into DMZ-13.


In the log I found:

No translation group found for icmp src outside:192.168.201.2 dst dmz-vlan13:192.168.7.101 (type 8, code 0)


How do I configure NAT/PAT in such a situation?


Partial config:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.252
interface GigabitEthernet0/2.13
 vlan 13
 nameif dmz-vlan13-proc
 security-level 40
 ip address 192.168.224.74 255.255.255.252

access-list outside_access_in extended permit icmp any host gw-outside
access-list inside_nat0_outbound_1 extended permit ip iib-inside-network 255.0.0.0 ATM-Network-201 255.255.255.0
access-list dmz-vlan13-nat extended permit ip host 10.0.11.73 host 192.168.225.101
access-list dmz-vlan13-nat extended permit ip host 10.0.11.73 host 192.168.225.97
access-list dmz-vlan13-nat extended permit ip host 10.0.2.27 host 192.168.225.101
access-list dmz-vlan13-nat extended permit ip host 10.0.2.27 host 192.168.225.97
access-list dmz-vlan13-nat extended permit ip ATM-Network-201 255.255.255.0 host 192.168.7.101
access-list dmz-vlan13_access_in remark # Allow all ip from dmz-vlan13-proc - from any
access-list dmz-vlan13_access_in extended permit ip any any
access-list outside_1_cryptomap_1 extended permit ip iib-inside-network 255.0.0.0 ATM-Network-201 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip ATM-Network-201 255.255.255.0 iib-inside-network 255.0.0.0
access-list outside_1_cryptomap_1 extended permit ip ATM-Network-201 255.255.255.0 192.168.7.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 192.168.7.0 255.255.255.0 ATM-Network-201 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 192.168.224.0 255.255.255.0 ATM-Network-201 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip ATM-Network-201 255.255.255.0 192.168.224.0 255.255.255.0

global (outside) 1 interface
global (dmz-vlan13-proc) 2 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 2 access-list dmz-vlan13-nat
nat (inside) 1 iib-inside-network 255.255.0.0
static (dmz-vlan13-proc,inside) 192.168.225.97 10.0.11.97 netmask 255.255.255.255
static (dmz-vlan13-proc,inside) 192.168.225.101 192.168.7.101 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group dmz-vlan13_access_in in interface dmz-vlan13-proc

route dmz-vlan13-proc 10.0.2.1 255.255.255.255 192.168.224.73 1
route dmz-vlan13-proc 10.0.11.97 255.255.255.255 192.168.224.73 1
route dmz-vlan13-proc 192.168.6.0 255.255.255.0 192.168.224.73 1
route dmz-vlan13-proc 192.168.7.0 255.255.255.0 192.168.224.73 1
route dmz-vlan13-proc 192.168.224.0 255.255.255.0 192.168.224.73 1
route dmz-vlan13-proc 192.168.225.0 255.255.255.0 192.168.224.73 1

crypto ipsec transform-set ........
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_1_cryptomap_1
crypto map outside_map0 1 set peer 1.1.1.1
[..]
crypto isakmp enable outside
crypto isakmp policy 1
[..]


Thanks a lot!



it-iibank Tue, 04/14/2009 - 06:39

Hi,

nat (dmz-vlan13-proc) 0 access-list dmz-over-ipsec

That gives zero NAT, but I need PAT via

interface GigabitEthernet0/2.13
 vlan 13
 nameif dmz-vlan13-proc
 security-level 40
 ip address 192.168.224.74 255.255.255.252

...on that interface several networks are routed, like 192.168.7.0/24, 192.168.6.0/24, etc.

sdoremus33 Tue, 04/14/2009 - 11:43

If you have the access-list (src = 192.168.20.1.0- 24 network to dst = 1.1.1.2, the outside interface IP address of the ASA device), you could try adding the following:


static (outside,dmz-vlan13) interface 1.1.1.2 netmask 255.255.255.255

HTH
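The log line in the question, "No translation group found for icmp src outside:... dst dmz-vlan13:...", says that no NAT rule matched the decrypted VPN packet on its ingress interface. The existing "nat (inside) 2 access-list dmz-vlan13-nat" cannot match it, even though its ACL names ATM-Network-201 and 192.168.7.101, because that rule is evaluated only for packets entering on inside, while the VPN traffic enters on outside. Below is an added example, not configuration from either poster, of how the PAT-to-DMZ-interface the original poster asks for is expressed in the pre-8.3 ASA NAT syntax the thread already uses. The ACL name vpn-to-dmz13 is an assumption; the "outside" keyword on the nat command enables NAT for traffic from a lower-security interface, and NAT id 2 reuses the existing "global (dmz-vlan13-proc) 2 interface" pool. The packet-tracer line replays the exact flow from the log so the rule match can be checked without waiting for a real ping.

```cisco
! Added example; not part of the original thread. Assumes the pre-8.3
! (global/nat/static) syntax shown in the posted config and that the ACL
! name "vpn-to-dmz13" is free to use.
!
! 1. Match the decrypted VPN traffic as it enters on "outside":
!    source ATM-Network-201 (192.168.201.0/24), destination 192.168.7.0/24
!    behind dmz-vlan13-proc.
access-list vpn-to-dmz13 extended permit ip ATM-Network-201 255.255.255.0 192.168.7.0 255.255.255.0
!
! 2. Policy PAT on the outside interface. The trailing "outside" keyword
!    allows NAT for flows arriving from the lower-security interface.
!    NAT id 2 binds to the existing "global (dmz-vlan13-proc) 2 interface",
!    so matching flows leave the DMZ interface sourced from 192.168.224.74.
nat (outside) 2 access-list vpn-to-dmz13 outside
!
! 3. Check the rule without live traffic: replay the ICMP echo request
!    from the log line (type 8, code 0) and read the NAT phase of the output.
packet-tracer input outside icmp 192.168.201.2 8 0 192.168.7.101 detailed
!
! 4. After a test ping from 192.168.201.2, confirm the translation exists.
show xlate
show nat
```

Because the PAT source becomes the DMZ interface address, the return traffic from 192.168.7.101 is addressed to 192.168.224.74 and is un-translated by the xlate; the crypto ACL entries for 192.168.224.0/24 and 192.168.7.0/24 to ATM-Network-201 already cover the encrypted leg either way.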
