04-29-2014 02:23 AM
Hello,
I have two offises, central and removed, with external IP addresses. They are connected with site to site vpn, local network is working fine, then NAT is disable, but then there is no internet access, then I enabling NAT internet is working fine, but then there is no access to the local network.
Where could be the problem?
There is config:
ASA Version 8.4(4)1
!
hostname SalSK-ASA
domain-name ld.lt
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 81.X.X.X 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.204.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EET 2
dns server-group DefaultDNS
domain-name lietuvosdujos.lt
object network LAN
subnet 192.168.204.0 255.255.255.0
description Local Area Network
object network LD_Lanai
subnet 192.168.0.0 255.255.0.0
description LD lanai
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list vpn extended permit ip any 192.168.204.0 255.255.255.0
access-list vpn extended permit ip 192.168.204.0 255.255.255.0 any
access-list vpn extended permit ip object LD_Lanai 192.168.204.0 255.255.255.0
access-list vpn extended permit ip 192.168.204.0 255.255.255.0 object LD_Lanai
access-list outside_cryptomap_1 extended permit ip object LAN any
access-list outside extended permit ip any any
pager lines 24
logging enable
logging list VPN_events level informational class auth
logging list VPN_events level informational class vpdn
logging list VPN_events level informational class vpn
logging list VPN_events level informational class vpnc
logging list VPN_events_ID message 713120
logging list VPN_events_ID message 713167
logging list VPN_events_ID message 602303
logging list VPN_events_ID message 713228
logging list VPN_events_ID message 113012
logging list VPN_events_ID message 113015
logging list VPN_events_ID message 713184
logging list VPN_events_ID message 713119
logging list VPN_events_ID message 602304
logging monitor debugging
logging buffered debugging
logging trap VPN_events_ID
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic LAN interface inactive
access-group outside in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 81.7.77.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.168.200.48
key *****
user-identity default-domain LOCAL
aaa authentication enable console ISE LOCAL
aaa authentication http console ISE LOCAL
aaa authentication serial console ISE LOCAL
aaa authentication ssh console ISE LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set tripledes esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 213.X.X.X
crypto map outside_map 1 set ikev1 transform-set tripledes
crypto map outside_map interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.201.200 source inside prefer
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy SalGP internal
group-policy SalGP attributes
vpn-filter value vpn
vpn-tunnel-protocol ikev1 l2tp-ipsec
username Admin password LVPpyc4ATztEAWtq encrypted privilege 15
tunnel-group 213.X.X.X type ipsec-l2l
tunnel-group 213.X.X.X general-attributes
default-group-policy SalGP
tunnel-group 213.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp
class class-default
user-statistics accounting
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d8c29755eff807b1530e38b9ead9edd5
: end
Solved! Go to Solution.
04-29-2014 04:20 AM
Two things are off here depending on you requirements.
first you are encrypting all traffic from the 192.168.204.0/24 network...do you intend to send all traffic from this subnet over the VPN? If not, specify the remote subnet instead of using any in the crypto ACL.
object network LAN
subnet 192.168.204.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object LAN any
Second, you do not have a NAT exempt statement so that encrypted traffic is not to be NATed. this statement would look something like the following:
object network LAN
subnet 192.168.204.0 255.255.255.0
object network REMOTE-LAN
subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
--
Please remember to select a correct answer and rate
04-29-2014 02:47 AM
Hi maziusas1,
what do you mean by local??? from one office to the other office is working fine when nat is disabled?
Bcoz when you do NAT internet should work....
Incase if you want internet and site to site to work....
you need to create the rule in the other site towards the public IP ( NAT IP)... If you put the Local IP address there then it will not allow you to move any traffic... so the crypto ACL and NAT exempted rule has to be fine tuned here to make both the things to work...
Regards
Karthik
04-29-2014 03:17 AM
Now is working only site-to-site vpn with central offise or internet depending the cisco asa configuration, and I want then they work together. Here is a problem.
Regards
Mindaugas
04-29-2014 04:20 AM
Two things are off here depending on you requirements.
first you are encrypting all traffic from the 192.168.204.0/24 network...do you intend to send all traffic from this subnet over the VPN? If not, specify the remote subnet instead of using any in the crypto ACL.
object network LAN
subnet 192.168.204.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object LAN any
Second, you do not have a NAT exempt statement so that encrypted traffic is not to be NATed. this statement would look something like the following:
object network LAN
subnet 192.168.204.0 255.255.255.0
object network REMOTE-LAN
subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
--
Please remember to select a correct answer and rate
04-29-2014 05:45 AM
Thank you, everything works.
04-29-2014 06:05 AM
Nice! Glad I could help.
Thank you for the rating.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide