Cisco Support Community
Traffic from VPN IPsec to DMZ

I have already configured an IPsec VPN between a router and an ASA.

Is it possible to reach hosts from the remote location 192.168.201.0/24 via the VPN to dmz-vlan13?

So I need traffic from 192.168.201.0/24 coming in over the VPN to be PATed towards the DMZ-13.

In the log I found:

No translation group found for icmp src outside:192.168.201.2 dst dmz-vlan13:192.168.7.101 (type 8, code 0)

How do I configure NAT/PAT in such a situation?

Config (partial):

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.252
interface GigabitEthernet0/2.13
 vlan 13
 nameif dmz-vlan13-proc
 security-level 40
 ip address 192.168.224.74 255.255.255.252
access-list outside_access_in extended permit icmp any host gw-outside
access-list inside_nat0_outbound_1 extended permit ip iib-inside-network 255.0.0.0 ATM-Network-201 255.255.255.0
access-list dmz-vlan13-nat extended permit ip host 10.0.11.73 host 192.168.225.101
access-list dmz-vlan13-nat extended permit ip host 10.0.11.73 host 192.168.225.97
access-list dmz-vlan13-nat extended permit ip host 10.0.2.27 host 192.168.225.101
access-list dmz-vlan13-nat extended permit ip host 10.0.2.27 host 192.168.225.97
access-list dmz-vlan13-nat extended permit ip ATM-Network-201 255.255.255.0 host 192.168.7.101
access-list dmz-vlan13_access_in remark # Allow all ip from dmz-vlan13-proc - from any
access-list dmz-vlan13_access_in extended permit ip any any
access-list outside_1_cryptomap_1 extended permit ip iib-inside-network 255.0.0.0 ATM-Network-201 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip ATM-Network-201 255.255.255.0 iib-inside-network 255.0.0.0
access-list outside_1_cryptomap_1 extended permit ip ATM-Network-201 255.255.255.0 192.168.7.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 192.168.7.0 255.255.255.0 ATM-Network-201 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 192.168.224.0 255.255.255.0 ATM-Network-201 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip ATM-Network-201 255.255.255.0 192.168.224.0 255.255.255.0
global (outside) 1 interface
global (dmz-vlan13-proc) 2 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 2 access-list dmz-vlan13-nat
nat (inside) 1 iib-inside-network 255.255.0.0
static (dmz-vlan13-proc,inside) 192.168.225.97 10.0.11.97 netmask 255.255.255.255
static (dmz-vlan13-proc,inside) 192.168.225.101 192.168.7.101 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group dmz-vlan13_access_in in interface dmz-vlan13-proc
route dmz-vlan13-proc 10.0.2.1 255.255.255.255 192.168.224.73 1
route dmz-vlan13-proc 10.0.11.97 255.255.255.255 192.168.224.73 1
route dmz-vlan13-proc 192.168.6.0 255.255.255.0 192.168.224.73 1
route dmz-vlan13-proc 192.168.7.0 255.255.255.0 192.168.224.73 1
route dmz-vlan13-proc 192.168.224.0 255.255.255.0 192.168.224.73 1
route dmz-vlan13-proc 192.168.225.0 255.255.255.0 192.168.224.73 1
crypto ipsec transform-set ........
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_1_cryptomap_1
crypto map outside_map0 1 set peer 1.1.1.1
[..]
crypto isakmp enable outside
crypto isakmp policy 1
[..]

Thanks a lot!

3 REPLIES

Re: Traffic from VPN IPsec to DMZ

Add the remote VPN network to the outside_1_cryptomap_1 access-list.

Add:

access-list dmz-over-ipsec permit ip <> <>
nat (dmz-vlan13-proc) 0 access-list dmz-over-ipsec

HTH


Re: Traffic from VPN IPsec to DMZ

Hi,

nat (dmz-vlan13-proc) 0 access-list dmz-over-ipsec

- that makes a zero NAT, but I need PAT via

interface GigabitEthernet0/2.13
 vlan 13
 nameif dmz-vlan13-proc
 security-level 40
 ip address 192.168.224.74 255.255.255.252

...behind that interface several networks are routed, like 192.168.7.0/24, 192.168.6.0/24, etc.


Re: Traffic from VPN IPsec to DMZ

If you have the access-list (src = the 192.168.201.0/24 network to dst = 1.1.1.2, the outside interface IP address of the ASA device), you could try and add the following:

static (outside,dmz-vlan13) interface 1.1.1.2 netmask 255.255.255.255

HTH
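The thread stops short of the PAT the original poster asked for. Below is one way to do it in the pre-8.3 ASA syntax the posted config uses, written by the editor as an added example; it is not configuration from any of the posts. The addresses and interface names are the ones from the posted config, the ACL name vpn201-to-dmz-pat is invented, and the example assumes nothing else in the (partial) config already translates traffic sourced from the outside interface. Both approaches discussed in the thread are shown so they can be compared; apply one of them, not both.

```cisco
! Added example (editor's, not from the thread): ASA 8.2-style NAT for packets that
! arrive decrypted from the IPsec peer on "outside" with source 192.168.201.0/24 and
! leave through dmz-vlan13-proc towards the routed DMZ network 192.168.7.0/24.
! The syslog "No translation group found" means the decrypted packet reached NAT
! lookup and no rule covered the outside -> dmz-vlan13-proc direction.
!
! Option A - NAT exemption, as the first reply proposes. A nat 0 access-list rule
! matches in both directions, so a single rule on the DMZ side also covers
! remote -> DMZ. DMZ hosts then see the real 192.168.201.x addresses, so the
! DMZ router (192.168.224.73) must route 192.168.201.0/24 back to 192.168.224.74.
access-list dmz-over-ipsec extended permit ip 192.168.7.0 255.255.255.0 192.168.201.0 255.255.255.0
nat (dmz-vlan13-proc) 0 access-list dmz-over-ipsec
!
! Option B - policy PAT onto the dmz-vlan13-proc interface address (192.168.224.74),
! which is what the poster asked for. The untranslated source lives on "outside",
! so the nat rule is placed there; the trailing "outside" keyword is required in
! this syntax whenever the real interface has a lower security level than the
! interface named by the matching global (0 < 40 here). NAT id 2 ties it to the
! "global (dmz-vlan13-proc) 2 interface" line that is already in the posted config.
! DMZ hosts only ever see 192.168.224.74, so no return route for 192.168.201.0/24 is
! needed on the DMZ side.
access-list vpn201-to-dmz-pat extended permit ip 192.168.201.0 255.255.255.0 192.168.7.0 255.255.255.0
nat (outside) 2 access-list vpn201-to-dmz-pat outside
global (dmz-vlan13-proc) 2 interface
!
! Verification - replay the exact flow from the syslog through the ASA's own
! simulator, then confirm the rule and the resulting translation:
! packet-tracer input outside icmp 192.168.201.2 8 0 192.168.7.101
! show nat | include outside
! show xlate | include 192.168.201
```

Two checks worth doing before blaming NAT again: packet-tracer must show the VPN and ACL phases passing as well, because decrypted traffic only bypasses outside_access_in while `sysopt connection permit-vpn` (the default) is in effect; and the crypto ACL outside_1_cryptomap_1 already carries 192.168.201.0/24 <-> 192.168.7.0/24, so any further DMZ network (192.168.6.0/24 is routed there but is not in the crypto ACL) needs both a crypto ACL entry and a matching line in the NAT ACL. If the ping still fails once the xlate appears, confirm that `inspect icmp` is enabled in the global policy so the echo reply is matched back to the PAT entry.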
