topic Problems with VPN and NAT in ASA5520 8.3 in Network Security https://community.cisco.com/t5/network-security/problems-with-vpn-and-nat-in-asa5520-8-3/m-p/1554234#M602346 <P>Hi there!,</P><P></P><P>I am trying to configure an ASA 5520 with 8.3 software and i have to configure a VPN IPSec site-to-site. Trying to capture the packets i see coming the ingress interface but not coming out. So the VPN is not coming up and NAT seems not to work.</P><P>This is the configuration i have (without IPs):</P><P></P><P><PRE>interface GigabitEthernet0/0 nameif outside security-level 0 ip address x.x.x.122 255.255.255.248 interface GigabitEthernet0/1 nameif inside security-level 100 ip address y.y.y.y 255.255.255.0 ! ! <PRE>object network NETWORK_OBJ_x.x.x.x subnet x.x.x.0 255.255.255.0 object network kpn1 host d.d.d.d object network kpn2 host a.a.a.a <PRE>object network Peer_KPN host p.p.p.p object-group network KPN description Lan remota KPN network-object object kpn1 network-object object kpn2 object-group service DM_INLINE_UDP_1 udp port-object eq isakmp port-object eq secureid-udp access-list outside_1_cryptomap extended permit ip object NETWORK_OBJ_x.x.x.x object-group KPN <BR />access-list outside_access_in extended permit udp object Peer_KPN any object-group DM_INLINE_UDP_1 access-list inside_access_in extended permit ip any any </PRE> </PRE> </PRE></P><P>!</P><P>!</P><P><PRE>nat (inside,outside) source dynamic NETWORK_OBJ_x.x.x.x interface<BR />nat (inside,outside) source static NETWORK_OBJ_x.x.x.x&nbsp; destination static KPN <BR />access-group outside_access_in in interface outside access-group inside_access_in in interface inside route outside 0.0.0.0 0.0.0.0 x.x.x.121 1</PRE></P><P>!</P><P>!</P><P><PRE>crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto map outside_map 1 match address outside_1_cryptomap crypto map outside_map 1 set pfs crypto map outside_map 1 set peer p.p.p.p crypto map outside_map 1 set transform-set ESP-3DES-SHA crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400</PRE></P><P>!</P><P>!</P><P><PRE>tunnel-group p.p.p.p&nbsp; type ipsec-l2l tunnel-group p.p.p.p ipsec-attributes pre-shared-key ***** </PRE></P><DIV>!</DIV><DIV>!</DIV><DIV> </DIV><DIV> </DIV><DIV>I hope this will help.</DIV><DIV> </DIV><DIV>Thanks!!!!</DIV><P></P> Mon, 11 Mar 2019 18:46:56 GMT nachete1979 2019-03-11T18:46:56Z Problems with VPN and NAT in ASA5520 8.3 https://community.cisco.com/t5/network-security/problems-with-vpn-and-nat-in-asa5520-8-3/m-p/1554234#M602346 <P>Hi there!,</P><P></P><P>I am trying to configure an ASA 5520 with 8.3 software and i have to configure a VPN IPSec site-to-site. Trying to capture the packets i see coming the ingress interface but not coming out. So the VPN is not coming up and NAT seems not to work.</P><P>This is the configuration i have (without IPs):</P><P></P><P><PRE>interface GigabitEthernet0/0 nameif outside security-level 0 ip address x.x.x.122 255.255.255.248 interface GigabitEthernet0/1 nameif inside security-level 100 ip address y.y.y.y 255.255.255.0 ! ! <PRE>object network NETWORK_OBJ_x.x.x.x subnet x.x.x.0 255.255.255.0 object network kpn1 host d.d.d.d object network kpn2 host a.a.a.a <PRE>object network Peer_KPN host p.p.p.p object-group network KPN description Lan remota KPN network-object object kpn1 network-object object kpn2 object-group service DM_INLINE_UDP_1 udp port-object eq isakmp port-object eq secureid-udp access-list outside_1_cryptomap extended permit ip object NETWORK_OBJ_x.x.x.x object-group KPN <BR />access-list outside_access_in extended permit udp object Peer_KPN any object-group DM_INLINE_UDP_1 access-list inside_access_in extended permit ip any any </PRE> </PRE> </PRE></P><P>!</P><P>!</P><P><PRE>nat (inside,outside) source dynamic NETWORK_OBJ_x.x.x.x interface<BR />nat (inside,outside) source static NETWORK_OBJ_x.x.x.x&nbsp; destination static KPN <BR />access-group outside_access_in in interface outside access-group inside_access_in in interface inside route outside 0.0.0.0 0.0.0.0 x.x.x.121 1</PRE></P><P>!</P><P>!</P><P><PRE>crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto map outside_map 1 match address outside_1_cryptomap crypto map outside_map 1 set pfs crypto map outside_map 1 set peer p.p.p.p crypto map outside_map 1 set transform-set ESP-3DES-SHA crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400</PRE></P><P>!</P><P>!</P><P><PRE>tunnel-group p.p.p.p&nbsp; type ipsec-l2l tunnel-group p.p.p.p ipsec-attributes pre-shared-key ***** </PRE></P><DIV>!</DIV><DIV>!</DIV><DIV> </DIV><DIV> </DIV><DIV>I hope this will help.</DIV><DIV> </DIV><DIV>Thanks!!!!</DIV><P></P> Mon, 11 Mar 2019 18:46:56 GMT https://community.cisco.com/t5/network-security/problems-with-vpn-and-nat-in-asa5520-8-3/m-p/1554234#M602346 nachete1979 2019-03-11T18:46:56Z Re: Problems with VPN and NAT in ASA5520 8.3 https://community.cisco.com/t5/network-security/problems-with-vpn-and-nat-in-asa5520-8-3/m-p/1554235#M602349 <HTML><HEAD></HEAD><BODY><P>The following static NAT should be changed:</P><P><SPAN style="text-decoration: underline;"><STRONG>From</STRONG></SPAN>:</P><PRE><SPAN style="font-family: arial,helvetica,sans-serif;">nat (inside,outside) source static NETWORK_OBJ_x.x.x.x&nbsp; destination static KPN<BR /><BR /><SPAN style="text-decoration: underline;"><STRONG>To</STRONG></SPAN>:<BR />nat (inside,outside) source static NETWORK_OBJ_x.x.x.x NETWORK_OBJ_x.x.x.x destination static KPN KPN </SPAN> </PRE><P></P><P>Then a "clear xlate" after the changes above.</P><P></P><P>Assuming that you are trying to trigger tra<SPAN style="font-family: arial,helvetica,sans-serif;">ffic from x.x.x.0/24 network towards either d.d.d.d or a.a.a.a</SPAN></P><P></P><P>Hope that helps.</P></BODY></HTML> Wed, 29 Sep 2010 02:07:51 GMT https://community.cisco.com/t5/network-security/problems-with-vpn-and-nat-in-asa5520-8-3/m-p/1554235#M602349 Jennifer Halim 2010-09-29T02:07:51Z