Cisco Support Community
Community Member

ASA 5520 - IOS 8.3.1 - VPN LAN TO LAN

Hi guys, I have an ASA 5520 with many LAN-to-LAN VPNs and Remote Access VPNs. There is a LAN-to-LAN VPN with this configuration:

192.168.1.10 -------------------- 192.168.251.5 -------------------- 192.168.198.8
Real IP                           IP SOURCE NAT                      IP DESTINATION NAT
(Server)                          (ASA 5520)                         (REMOTE PEER)
(INSIDE - 192.168.0.0/22)         (INSIDE - SNAT 192.168.251.5)

Flow without translation : From 192.168.1.10/32  TO 192.168.198.8/32
Flow with translation    : From 192.168.1.10/32  TO 192.168.198.8/32 -------> SERVER
                           From 192.168.251.5/32 TO 192.168.198.8/32 -------> ASA
Flow without translation : From 192.168.198.8/32 TO 192.168.251.5/32 -------> REMOTE PEER
Flow with translation    : From 192.168.251.5/32 TO 192.168.1.10/32  -------> ASA

Below is the configuration:

access-group Traffico-Inbound-Outside in interface OUTSIDE
access-group Traffico-Outbound-Inside-Outside in interface INSIDE
access-list Traffico-Inbound-Outside extended permit ip any host 192.168.251.5
access-list Traffico-Outbound-Inside-Outside extended permit ip host 192.168.1.10 host 192.168.198.8

nat (INSIDE,OUTSIDE) source dynamic VPNL2LIdmNAT-192.168.1.10-SRC VPNL2LIdmNAT-IPSRC destination static VPNL2LIdmNAT-192.168.198.8-dst VPNL2LIdmNAT-192.168.198.8-dst
nat (INSIDE,OUTSIDE) source static VPNnonat-192.168.1.10-src VPNnonat-192.168.1.10-src destination static VPNnonat-192.168.198.8-dst VPNnonat-192.168.198.8-dst

access-list VPNL2LFilterIDM extended permit tcp host 192.168.198.8 range 1024 65535 host 192.168.251.5 eq 7002
access-list VPNL2LFilterIDM extended permit tcp host 192.168.198.8 eq 7002 host 192.168.251.5 range 1024 65535
access-list VPNL2LCryptoIDM extended permit ip host 192.168.251.5 host 192.168.198.8

crypto map outside_map 120 match address VPNL2LCryptoIDM
crypto map outside_map 120 set peer 81.208.86.190
crypto map outside_map 120 set transform-set IDMSet
crypto ipsec transform-set IDMSet esp-aes-256 esp-sha-hmac

tunnel-group 81.208.86.190 type ipsec-l2l
tunnel-group 81.208.86.190 general-attributes
 default-group-policy 81.208.86.190
tunnel-group 81.208.86.190 ipsec-attributes
 pre-shared-key *****

group-policy 81.208.86.190 internal
group-policy 81.208.86.190 attributes
 vpn-filter value VPNL2LFilterIDM

When the server 192.168.1.10 in the INSIDE network tries to telnet to 192.168.198.8 7002, all is OK. But when 192.168.198.8 telnets to 192.168.251.5, in the log I see:

Oct 23 10:08:24 172.16.0.3 Oct 23 2014 10:08:24 IDC-CISCOFWUS-02 : %ASA-6-302014: Teardown TCP connection 227467 for OUTSIDE:192.168.198.8/42689 to OUTSIDE:192.168.251.5/7002 duration 0:00:00 bytes 0 Flow is a loopback

I tried to follow the link http://www.packetu.com/2012/01/02/asa-vpn-with-address-overlap/ with this configuration:

nat (inside,outside) source static VPNnonat-192.168.1.10-src VPNL2LIdmNAT-IPSRC destination static VPNL2LIdmNAT-192.168.198.8-dst VPNnonat-192.168.1.10-src
object network VPNnonat-192.168.1.10-src
  nat (outside,inside) static 192.168.198.8

In this situation it is not possible to telnet to 192.168.198.8 7002 from 192.168.1.10.
115 Views, 0 Helpful, 0 Replies
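The two manual NAT rules from the post and the logged OUTSIDE-to-OUTSIDE teardown, modelled as an added example (written for this page, not code from the poster or from Cisco). It is a toy first-match evaluator for ASA 8.3-style manual (twice) NAT, reduced to the points that matter here: rules are tried in order, a static source translation can be initiated from either side, a dynamic source translation only from the real side, and a packet that matches no rule is forwarded by a plain route lookup. The routing table is assumed (the post shows only the 192.168.0.0/22 INSIDE subnet; a default route on OUTSIDE is added here as an assumption, since 192.168.251.5 is a NAT address and not a connected host). Under those assumptions the outbound connection is translated by the first rule exactly as the post's flow diagram shows, while the inbound connection to 192.168.251.5 matches neither rule and is routed back out the interface it came in on, which is consistent with the teardown line listing both ends of the connection on OUTSIDE.

```python
"""Toy model of ASA 8.3+ manual NAT evaluation (constructed example, not ASA code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    ingress: str  # interface the packet arrived on
    src: str
    dst: str


@dataclass
class TwiceNat:
    """nat (real_if,mapped_if) source <mode> src_real src_mapped destination static dst_mapped dst_real"""
    real_if: str
    mapped_if: str
    src_mode: str    # "static" or "dynamic"
    src_real: str
    src_mapped: str
    dst_mapped: str  # address the real-side host sends to (first object after 'destination static')
    dst_real: str    # address it is translated to (second object)

    def apply(self, pkt: Packet) -> Optional[Tuple[str, str, str]]:
        """Return (new_src, new_dst, egress_if) if the rule matches, else None."""
        # Real -> mapped direction: connection initiated on the real interface.
        if pkt.ingress == self.real_if and pkt.src == self.src_real and pkt.dst == self.dst_mapped:
            return self.src_mapped, self.dst_real, self.mapped_if
        # Mapped -> real direction: only possible when the source part is static,
        # because a dynamic source translation exists only for real-side initiated flows.
        if (pkt.ingress == self.mapped_if and self.src_mode == "static"
                and pkt.src == self.dst_real and pkt.dst == self.src_mapped):
            return self.dst_mapped, self.src_real, self.real_if
        return None


# The two rules from the post, in the order they appear (objects expanded to their hosts).
RULES: List[TwiceNat] = [
    TwiceNat("INSIDE", "OUTSIDE", "dynamic", "192.168.1.10", "192.168.251.5",
             "192.168.198.8", "192.168.198.8"),
    TwiceNat("INSIDE", "OUTSIDE", "static", "192.168.1.10", "192.168.1.10",
             "192.168.198.8", "192.168.198.8"),
]

# Assumed routing table: only the INSIDE subnet is given on the page; the default route is an assumption.
ROUTES: List[Tuple[IPv4Network, str]] = [
    (IPv4Network("192.168.0.0/22"), "INSIDE"),
    (IPv4Network("0.0.0.0/0"), "OUTSIDE"),
]


def route_lookup(dst: str, routes: List[Tuple[IPv4Network, str]]) -> Optional[str]:
    """Longest-prefix match; returns the egress interface or None."""
    addr = IPv4Address(dst)
    best: Optional[Tuple[IPv4Network, str]] = None
    for net, ifc in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None


def evaluate(rules: List[TwiceNat], routes: List[Tuple[IPv4Network, str]], pkt: Packet) -> Dict:
    """First matching rule wins; otherwise the untranslated packet is routed by destination.
    'loopback' flags the case where the chosen egress interface equals the ingress interface."""
    for index, rule in enumerate(rules):
        hit = rule.apply(pkt)
        if hit is not None:
            src, dst, egress = hit
            return {"rule": index, "src": src, "dst": dst, "egress": egress,
                    "loopback": egress == pkt.ingress}
    egress = route_lookup(pkt.dst, routes)
    return {"rule": None, "src": pkt.src, "dst": pkt.dst, "egress": egress,
            "loopback": egress == pkt.ingress}


if __name__ == "__main__":
    # Server -> remote peer, as in the working direction of the post.
    print(evaluate(RULES, ROUTES, Packet("INSIDE", "192.168.1.10", "192.168.198.8")))
    # Remote peer -> the SNAT address, as in the logged teardown.
    print(evaluate(RULES, ROUTES, Packet("OUTSIDE", "192.168.198.8", "192.168.251.5")))
    # Remote peer -> the real server address, which the identity rule does accept.
    print(evaluate(RULES, ROUTES, Packet("OUTSIDE", "192.168.198.8", "192.168.1.10")))
```

The third case is included to show that the identity rule is bidirectional in the model: a connection from 192.168.198.8 to the real address 192.168.1.10 would be accepted on INSIDE, whereas nothing in the two rules can reverse the dynamic 192.168.1.10 to 192.168.251.5 mapping for a connection that starts on OUTSIDE.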