Hi guys, I have an ASA 5520 with many LAN-to-LAN and Remote Access VPNs. There is a LAN-to-LAN VPN with this configuration:
192.168.1.10 ----------------- 192.168.251.5 ----------------- 192.168.198.8
Real IP: 192.168.1.10 (Server, INSIDE - 192.168.0.0/22)
IP SOURCE NAT: 192.168.251.5 (ASA 5520, INSIDE - SNAT 192.168.251.5)
IP DESTINATION NAT: 192.168.198.8 (REMOTE PEER)
Flow without translation: from 192.168.1.10/32 to 192.168.198.8/32
Flow with translation: from 192.168.1.10/32 to 192.168.198.8/32 (SERVER) -> from 192.168.251.5/32 to 192.168.198.8/32 (ASA)

Flow without translation: from 192.168.198.8/32 to 192.168.251.5/32 (REMOTE PEER)
Flow with translation: from 192.168.251.5/32 to 192.168.1.10/32 (ASA)
Below is the configuration:
access-group Traffico-Inbound-Outside in interface OUTSIDE
access-group Traffico-Outbound-Inside-Outside in interface INSIDE
access-list Traffico-Inbound-Outside extended permit ip any host 192.168.251.5
access-list Traffico-Outbound-Inside-Outside extended permit ip host 192.168.1.10 host 192.168.198.8
nat (INSIDE,OUTSIDE) source dynamic VPNL2LIdmNAT-192.168.1.10-SRC VPNL2LIdmNAT-IPSRC destination static VPNL2LIdmNAT-192.168.198.8-dst VPNL2LIdmNAT-192.168.198.8-dst
nat (INSIDE,OUTSIDE) source static VPNnonat-192.168.1.10-src VPNnonat-192.168.1.10-src destination static VPNnonat-192.168.198.8-dst VPNnonat-192.168.198.8-dst
access-list VPNL2LFilterIDM extended permit tcp host 192.168.198.8 range 1024 65535 host 192.168.251.5 eq 7002
access-list VPNL2LFilterIDM extended permit tcp host 192.168.198.8 eq 7002 host 192.168.251.5 range 1024 65535
access-list VPNL2LCryptoIDM extended permit ip host 192.168.251.5 host 192.168.198.8
crypto map outside_map 120 match address VPNL2LCryptoIDM
crypto map outside_map 120 set peer 81.208.86.190
crypto map outside_map 120 set transform-set IDMSet
crypto ipsec transform-set IDMSet esp-aes-256 esp-sha-hmac
tunnel-group 81.208.86.190 type ipsec-l2l
tunnel-group 81.208.86.190 general-attributes
default-group-policy 81.208.86.190
tunnel-group 81.208.86.190 ipsec-attributes
pre-shared-key *****
group-policy 81.208.86.190 internal
group-policy 81.208.86.190 attributes
vpn-filter value VPNL2LFilterIDM
When the server 192.168.1.10 in the INSIDE network tries to telnet to 192.168.198.8 7002, all is OK. But when 192.168.198.8 telnets to 192.168.251.5, in the log I see:
Oct 23 10:08:24 172.16.0.3 Oct 23 2014 10:08:24 IDC-CISCOFWUS-02 : %ASA-6-302014: Teardown TCP connection 227467 for OUTSIDE:192.168.198.8/42689 to OUTSIDE:192.168.251.5/7002 duration 0:00:00 bytes 0 Flow is a loopback
I tried to follow the link http://www.packetu.com/2012/01/02/asa-vpn-with-address-overlap/ with this configuration:
nat (inside,outside) source static VPNnonat-192.168.1.10-src VPNL2LIdmNAT-IPSRC destination static VPNL2LIdmNAT-192.168.198.8-dst VPNnonat-192.168.1.10-src
object network VPNnonat-192.168.1.10-src
nat (outside,inside) static 192.168.198.8
In this situation it is not possible to telnet to 192.168.198.8 7002 from 192.168.1.10.
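As an added illustration (not code from the original post), a small Python model of how the two manual NAT rules in the first configuration match a flow in each direction. It assumes the documented ASA behaviour that static NAT is bidirectional while dynamic source NAT only applies to connections started on the real side, that manual NAT rules are tried in configured order with first match winning, that VPNL2LIdmNAT-IPSRC contains 192.168.251.5 (taken from the diagram), and that 192.168.251.5 has no route more specific than the default route out OUTSIDE.

```python
# Added model of the ASA twice-NAT rules in the post; not the device's own logic.
# Assumptions: static NAT matches in both directions, dynamic source NAT does not
# untranslate a connection initiated from the mapped (OUTSIDE) side, rules are
# evaluated in order, and the mapped address VPNL2LIdmNAT-IPSRC is 192.168.251.5.
from ipaddress import ip_address, ip_network

# (rule name, real source, mapped source, destination, kind) in configured order
NAT_RULES = [
    ("VPNL2LIdmNAT", "192.168.1.10/32", "192.168.251.5/32", "192.168.198.8/32", "dynamic"),
    ("VPNnonat",     "192.168.1.10/32", "192.168.1.10/32",  "192.168.198.8/32", "static"),
]

# Routing after (un)translation: the INSIDE subnet from the diagram, else OUTSIDE
# via the default route (assumed).
ROUTES = [("INSIDE", "192.168.0.0/22")]

def _in(addr, net):
    return ip_address(addr) in ip_network(net)

def outbound(src, dst):
    """INSIDE -> OUTSIDE: return (rule name, translated source) or None."""
    for name, real_src, mapped_src, real_dst, _kind in NAT_RULES:
        if _in(src, real_src) and _in(dst, real_dst):
            return name, str(ip_network(mapped_src).network_address)
    return None

def inbound(src, dst):
    """OUTSIDE -> INSIDE for a connection started outside: return
    (rule name, real destination) or None. Only static rules can match."""
    for name, real_src, mapped_src, real_dst, kind in NAT_RULES:
        if kind != "static":
            continue  # dynamic source NAT is one-way; skip it
        if _in(src, real_dst) and _in(dst, mapped_src):
            return name, str(ip_network(real_src).network_address)
    return None

def egress_interface(dst):
    for iface, net in ROUTES:
        if _in(dst, net):
            return iface
    return "OUTSIDE"

def inbound_verdict(src, dst, ingress="OUTSIDE"):
    """Untranslate if a rule allows it, then route the (real) destination.
    Egress equal to ingress is the condition the ASA logs as a loopback."""
    hit = inbound(src, dst)
    real_dst = hit[1] if hit else dst
    egress = egress_interface(real_dst)
    return "loopback" if egress == ingress else f"forwarded to {egress}:{real_dst}"
```

Run with the addresses from the post: the server-initiated flow picks the dynamic rule and leaves as 192.168.251.5, while the peer-initiated flow to 192.168.251.5 matches no static rule, is routed untranslated back out OUTSIDE, and ends as a loopback.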