06-07-2012 10:40 AM
I have a new customer that needs to send data to us occasionally. We normally install the Cisco VPN Client on their PC, but this customer has the same private network we do.
I know this could be done with NAT Policy on my ASA 5510 with a site-to-site VPN, but the customer does not want to change the network hardware or addressing. They have a cable router with no VPN capability, and they don't want to spend any more money on this project.
Can this work if there is no duplication of IP addresses?
06-13-2012 02:53 PM
I used ASDM to add the new "Remote Access VPN", here are the new lines:
access-list VPN2nat_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
ip local pool VPN2nat_Pool 192.168.240.1-192.168.240.254 mask 255.255.255.0
group-policy VPN2nat internal
group-policy VPN2nat attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN2nat_splitTunnelAcl
username creek2nat attributes
vpn-group-policy VPN2na
tunnel-group VPN2nat type remote-access
tunnel-group VPN2nat general-attributes
address-pool VPN2nat_Pool
default-group-policy VPN2nat
tunnel-group VPN2nat ipsec-attributes
pre-shared-key *
static (inside,outside) 10.30.30.0 access-list nat2VPN

06-13-2012 09:32 PM
Pls kindly configure the following:
access-list VPN2nat_splitTunnelAcl standard permit 10.30.30.0 255.255.255.0
no access-list VPN2nat_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
Then reconnect the vpn client again, and it should be able to access the local network as well as the remote network.
06-14-2012 10:32 AM
I applied these lines, and the 10.30.30.x address is assigned at the client end.
The client can not ping anything in the 10.30.30.0 or 192.168.1.0 networks.
The line from my previous post "static (inside,outside) 10.30.30.0 access-list nat2VPN" is not present in the ASA.
I tried to create "static (inside,outside) 10.30.30.0 access-list VPN2nat_splitTunnelAcl" but get an overlapping error message.
Seems this is the missing link, how do I get it added in?

06-14-2012 11:48 AM
This needs to be configured:
access-list nat2VPN permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0
static (inside,outside) 10.30.30.0 access-list nat2VPN
You can't use the "VPN2nat_splitTunnelAcl" access-list because it's a standard access-list. It needs to be an extended access-list applied to the static NAT statement.
BTW, what do you mean by "the 10.30.30.x address is assigned at the client end"? The IP pool should remain as original (192.168.240.0/24). You are not meant to change the VPN client pool to 10.30.30.x. This is the NATed IP for your internal network.
Quoting from your last post: "I created a new 'Remote Access Tunnel', a new 'Client Pool' (192.168.240.0/24), new User, and on the Client side use a new profile."
06-14-2012 03:06 PM
I decided to start fresh, restored settings from file to the ASA and reloaded. Used the wizard to create a new IPsec Remote Access VPN. I then ran the two commands from your last post of 6/14@12:48. The resulting lines in the config are:
tunnel-group VPN2nat type remote-access
tunnel-group VPN2nat general-attributes
address-pool VPN2nat_Pool
default-group-policy VPN2nat
tunnel-group VPN2nat ipsec-attributes
pre-shared-key *
ip local pool VPN2nat_Pool 192.168.240.1-192.168.240.254
group-policy VPN2nat attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN2nat_splitTunnelAcl
username Creek1 password 8rqh8Yz4KElpzAzu encrypted privilege 0
username Creek1 attributes
vpn-group-policy VPN2nat
access-list VPN2nat_splitTunnelAcl standard permit 10.30.30.0 255.255.255.0
I ran 'clear xlate' and 'clear arp' on the ASA and went to my test PC in a different office and logged in using the above settings.
The Cisco VPN Client got an IP address of 192.168.240.1 as expected. The Route Details show "Secured Routes" of 10.30.30.0 255.255.255.0.
Could not ping 10.30.30.76 from this pc, could not ping anything in either 10.30.30.0 or 192.168.1.0 networks.

06-14-2012 07:59 PM
One config missing, do you have the static policy NAT?
access-list nat2VPN permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0
static (inside,outside) 10.30.30.0 access-list nat2VPN
Can you please share your static NAT statement as well as the corresponding access-list?
06-15-2012 06:10 AM
Here are all of the "access-list" commands in my ASA; the two in your 6/14 8:59 PM post are the last ones in this list:
access-list outside_in extended permit tcp any host 66.0.171.243 eq 1199
access-list outside_in extended permit tcp any host 66.0.171.243 eq www
access-list outside_in extended permit tcp any host 66.0.171.243 eq https
access-list outside_in extended permit object-group DM_INLINE_SERVICE_1 any host 66.0.171.243
access-list outside_in extended permit tcp any host 66.0.102.205 object-group DM_INLINE_TCP_2
access-list outside_in extended permit tcp any host 66.0.102.195 eq ftp
access-list outside_in extended permit tcp any host 66.0.102.195 eq ftp-data
access-list outside_in extended permit tcp any host 66.0.102.195 eq ssh
access-list outside_in extended permit tcp any host 66.0.102.193 eq pcanywhere-data
access-list outside_in extended permit udp any host 66.0.102.193 eq pcanywhere-status
access-list outside_in extended permit tcp any eq ftp host 66.0.102.193 eq ftp
access-list outside_in extended permit tcp any eq ftp-data host 66.0.102.193 eq ftp-data
access-list outside_in extended permit tcp any eq ssh host 66.0.102.193 eq ssh
access-list outside_in extended permit tcp any host 66.0.102.194 eq ftp-data
access-list outside_in extended permit tcp any host 66.0.102.194 eq ftp
access-list outside_in extended permit tcp any host 66.0.171.244 eq 104
access-list outside_in extended permit udp any host 66.0.171.244 eq pcanywhere-status
access-list outside_in extended permit tcp any host 66.0.171.244 eq pcanywhere-data
access-list outside_in extended permit tcp any host 66.0.171.245 eq pcanywhere-data
access-list outside_in extended permit udp any host 66.0.171.245 eq pcanywhere-status
access-list outside_in extended permit tcp any host 66.0.171.246 eq pcanywhere-data
access-list outside_in extended permit udp any host 66.0.171.246 eq pcanywhere-status
access-list outside_in extended permit tcp any host 66.0.102.197 eq pcanywhere-data
access-list outside_in extended permit udp any host 66.0.102.197 eq 5631
access-list outside_in extended permit tcp any host 66.0.171.241 eq pcanywhere-data
access-list outside_in extended permit udp any host 66.0.171.241 eq pcanywhere-status
access-list outside_in extended permit tcp any eq ftp-data host 66.0.171.241 eq ftp-data
access-list outside_in extended permit tcp any eq ftp host 66.0.171.241 eq ftp
access-list outside_in extended permit tcp any host 66.0.171.242 eq pcanywhere-data
access-list outside_in extended permit udp any host 66.0.171.242 eq pcanywhere-status
access-list outside_in extended permit object-group DM_INLINE_SERVICE_2 any host 66.0.102.196
access-list outside_in extended permit tcp any host 66.0.171.241 eq 104
access-list outside_in extended permit udp any host 66.0.171.241 eq 104
access-list outside_in extended permit tcp any host 66.0.171.241 eq 1199
access-list outside_in extended permit tcp any host 66.0.171.241 eq www
access-list outside_in extended permit tcp any host 66.0.102.198 eq pcanywhere-data
access-list outside_in extended permit udp any host 66.0.102.198 eq pcanywhere-status
access-list outside_in extended permit tcp any host 66.0.102.200
access-list outside_in extended permit tcp any host 66.0.102.204 object-group DM_INLINE_TCP_3
access-list outside_in remark Toshiba CT VPN
access-list outside_in extended permit udp host 66.0.102.203 host 66.0.102.203
access-list outside_in extended permit tcp host 66.0.102.203 host 66.0.102.203
access-list outside_in extended permit udp host 66.0.102.202 host 66.0.102.202
access-list outside_in extended permit tcp host 66.0.102.202 host 66.0.102.202
access-list outside_in extended permit ip any host 66.0.102.248
access-list outside_in extended permit tcp any host 66.0.102.199 eq 8081
access-list outside_in extended permit tcp any host 66.0.102.199 eq https
access-list outside_in extended permit tcp any host 66.0.102.205 object-group jabber
access-list outside_in extended permit tcp any host 66.0.102.199 eq www
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 65.7.251.224
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.13.13.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.25.254.128 255.255.255.128
access-list nonat extended permit ip host 192.168.1.76 host 202.51.251.21
access-list nonat extended permit ip host 192.168.1.76 host 128.8.25.104
access-list nonat extended permit ip host 192.168.1.76 host 216.119.191.12
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.128
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.32.48.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.43.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.78.0 255.255.255.0
access-list nonat extended permit ip host 192.168.1.76 host 10.188.132.44
access-list nonat extended permit ip host 192.168.1.76 host 10.2.79.97
access-list nonat extended permit ip object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_9
access-list nonat extended permit ip host 192.168.1.76 172.16.4.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.213
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.214
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.215
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.216
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.218
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.219
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.220
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.222
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.223
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.224
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.225
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.226
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.227
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.228
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.30
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.37
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.32
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.5
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.38
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.200.122.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.6.10.0 255.255.255.0
access-list nonat extended permit ip host 192.168.1.76 192.168.76.0 255.255.255.0
access-list nonat extended permit ip host 192.168.1.76 192.168.250.0 255.255.255.128
access-list nonat extended permit ip host 192.168.1.76 192.168.168.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.2.79.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.24.48.0 255.255.255.0
access-list nonat extended permit ip host 192.168.1.76 10.32.48.0 255.255.255.0
access-list nonat extended permit ip object-group DM_INLINE_NETWORK_2 134.54.112.0 255.255.240.0
access-list nonat extended permit ip object-group DM_INLINE_NETWORK_3 134.54.112.0 255.255.240.0
access-list nonat extended permit ip host 192.168.1.76 74.117.34.128 255.255.255.240
access-list nonat extended permit ip host 192.168.1.76 204.16.167.128 255.255.255.240
access-list nonat extended permit ip host 192.168.1.76 192.168.20.0 255.255.255.0
access-list nonat extended permit ip any 10.78.80.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip object-group DM_INLINE_NETWORK_5 10.200.200.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.1.23.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list nonat extended permit ip host 192.168.1.34 192.168.253.0 255.255.255.0
access-list nonat extended permit ip host 192.168.1.76 host 204.16.165.21
access-list nonat extended permit ip host 192.168.1.76 host 192.168.3.2
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip host 192.168.1.76 host 192.168.50.17
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.92.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.93.0 255.255.255.0
access-list nonat extended permit ip host 192.168.1.76 host 172.24.7.77
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0
access-list cavett extended permit ip 192.168.1.0 255.255.255.0 host 65.7.251.224
access-list vpnclient extended permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list 102 extended deny tcp any any eq www
access-list outbound extended deny tcp 192.168.1.0 255.255.255.0 any eq 445
access-list outbound extended deny tcp host 192.168.1.10 any eq 445
access-list outbound extended deny tcp host 192.168.1.12 any eq 445
access-list outbound extended permit tcp host 192.168.1.6 any eq ftp
access-list outbound extended permit tcp host 192.168.1.6 any eq ftp-data
access-list outbound extended permit tcp host 192.168.1.6 any eq ssh
access-list outbound extended permit tcp host 192.168.1.13 eq ftp-data any eq ftp-data
access-list outbound extended permit tcp host 192.168.1.13 eq ftp any eq ftp
access-list outbound extended permit tcp host 192.168.1.14 eq ftp-data any
access-list outbound extended permit tcp host 192.168.1.14 eq ftp any
access-list outbound extended deny tcp host 192.168.1.23 any eq 445
access-list outbound extended permit tcp host 192.168.1.40 any eq smtp
access-list outbound extended permit tcp host 192.168.1.22 any eq 445
access-list outbound extended permit tcp object-group RESTRICTED_HOSTS object-group SMALL_WEB
access-list outbound extended permit ip object-group ALLACCESS any
access-list outbound extended permit tcp host 192.168.1.253 any
access-list outbound extended permit ip host 192.168.1.253 any
access-list outbound extended permit ip host 10.56.0.7 host 192.168.25.100
access-list outbound extended permit ip host 10.56.0.7 host 10.1.23.254
access-list NRS-PRIMARY-ACL extended permit ip host 192.168.1.76 host 204.16.165.21
access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.213
access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.214
access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.215
access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.216
access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.218
access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.219
access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.220
access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.222
access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.223
access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.224
access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.225
access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.226
access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.227
access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.228
access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.30
access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.37
access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.32
access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.5
access-list BHM-VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 host 167.251.230.38
access-list outside_cryptomap_70 extended permit ip host 192.168.1.76 host 202.51.251.21
access-list outside_cryptomap_90 extended permit ip host 192.168.1.76 host 128.8.25.104
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.250.0 255.255.255.128
access-list outside_210_cryptomap extended permit ip host 192.168.1.76 10.32.48.0 255.255.255.0
access-list outside_cryptomap_43 extended permit ip 192.168.1.0 255.255.255.0 192.168.43.0 255.255.255.0
access-list outside_19_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.78.0 255.255.255.0
access-list outside_370_cryptomap_1 extended permit ip host 10.56.0.7 object-group DM_INLINE_NETWORK_1
access-list outside_370_cryptomap_1 extended permit ip host 10.56.0.7 host 192.168.25.102
access-list outside_370_cryptomap_1 extended permit ip host 10.56.0.7 host 192.168.25.104
access-list outside_370_cryptomap_1 extended permit ip host 10.56.0.7 host 192.168.25.105
access-list outside_370_cryptomap_1 extended permit ip host 10.56.0.7 host 192.168.25.106
access-list outside_9_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list outside_cryptomap_150 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_170 extended permit ip object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_7
access-list outside_cryptomap_190 extended permit ip host 192.168.1.76 172.161.4.0 255.255.255.0
access-list outside_230_cryptomap extended permit ip host 192.168.1.76 172.16.4.0 255.255.255.0
access-list outside_18_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.93.0 255.255.255.0
access-list outside_270_cryptomap extended permit ip host 192.168.1.76 host 128.8.25.104
access-list outside_290_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.200.122.0 255.255.255.0
access-list DerrRemote_splitTunnelAcl standard permit host 192.168.1.76
access-list VPN3k_SplitTunnel_ACL standard permit 192.168.1.0 255.255.255.0
access-list VPN3k_SplitTunnel_ACL remark TIC Lan
access-list outside_350_cryptomap remark Derr
access-list outside_350_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.6.10.0 255.255.255.0
access-list NAT extended permit ip host 192.168.1.76 host 192.168.25.100
access-list NAT extended permit ip host 192.168.1.76 host 192.168.25.102
access-list NAT extended permit ip host 192.168.1.76 host 192.168.25.104
access-list NAT extended permit ip host 192.168.1.76 host 192.168.25.105
access-list NAT extended permit ip host 192.168.1.76 host 192.168.25.106
access-list TMGtoTIC_splitTunnelAcl standard permit host 192.168.1.76
access-list outside_1_cryptomap extended permit ip host 192.168.1.76 192.168.168.0 255.255.255.0
access-list inside_nat_static extended permit ip host 192.168.1.76 any
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.2.79.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.24.48.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip host 192.168.1.76 10.32.48.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip host 192.168.1.76 host 172.24.7.77
access-list outside_4_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_3 134.54.112.0 255.255.240.0
access-list outside_5_cryptomap extended permit ip host 192.168.1.76 74.117.34.128 255.255.255.240
access-list outside_6_cryptomap extended permit ip host 192.168.1.76 204.16.167.128 255.255.255.240
access-list outside_7_cryptomap extended permit ip host 192.168.1.76 192.168.20.0 255.255.255.0
access-list outside_8_cryptomap extended permit ip any 10.78.80.0 255.255.255.0
access-list outside_7_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_7_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_10_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 10.200.200.0 255.255.255.0
access-list outside_11_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list outside_cryptomap_45 extended permit ip 192.168.1.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list outside_12_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
access-list outside_13_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list outside_14_cryptomap extended permit ip host 192.168.1.34 192.168.253.0 255.255.255.0
access-list outside_15_cryptomap extended permit ip host 192.168.1.76 host 192.168.3.2
access-list outside_16_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_17_cryptomap extended permit ip host 192.168.1.76 host 192.168.50.17
access-list nat2VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0
access-list VPN2nat_splitTunnelAcl standard permit 10.30.30.0 255.255.255.0

06-15-2012 06:12 AM
Pls also share the static NAT statement: sh run static
06-15-2012 06:15 AM
Result of the command: "sh run static"
static (inside,outside) tcp 66.0.102.199 https 192.168.1.75 https netmask 255.255.255.255
static (inside,outside) tcp 66.0.102.199 www 192.168.1.75 www netmask 255.255.255.255
static (inside,outside) tcp 66.0.102.199 8081 192.168.1.75 8081 netmask 255.255.255.255
static (inside,outside) udp 66.0.102.248 16000 192.168.1.253 16000 netmask 255.255.255.255 dns
static (inside,outside) 66.0.102.205 192.168.1.19 netmask 255.255.255.255 dns
static (inside,outside) 66.0.171.242 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 66.0.102.196 192.168.1.35 netmask 255.255.255.255
static (inside,outside) 66.0.102.195 192.168.1.6 netmask 255.255.255.255
static (inside,outside) 66.0.102.193 192.168.1.13 netmask 255.255.255.255
static (inside,outside) 66.0.102.194 192.168.1.14 netmask 255.255.255.255
static (inside,outside) 66.0.171.246 192.168.1.30 netmask 255.255.255.255
static (inside,outside) 66.0.102.198 192.168.1.211 netmask 255.255.255.255
static (inside,outside) 66.0.102.202 192.168.1.48 netmask 255.255.255.255
static (inside,outside) 66.0.102.204 192.168.1.7 netmask 255.255.255.255
static (inside,outside) 10.56.0.7 access-list NAT
static (inside,outside) 66.0.171.241 access-list inside_nat_static
static (inside,outside) 123.37.38.21 192.168.1.21 netmask 255.255.255.255
static (inside,outside) 123.37.38.22 192.168.1.22 netmask 255.255.255.255
static (inside,outside) 123.37.38.24 192.168.1.24 netmask 255.255.255.255
static (inside,outside) 123.37.38.25 192.168.1.25 netmask 255.255.255.255
static (inside,outside) 66.0.171.243 192.168.1.8 netmask 255.255.255.255
static (inside,outside) 123.37.38.37 192.168.1.37 netmask 255.255.255.255
static (inside,outside) 123.37.38.38 192.168.1.38 netmask 255.255.255.255
static (inside,outside) 123.37.38.39 192.168.1.39 netmask 255.255.255.255
static (inside,outside) 10.30.30.0 access-list nat2VPN

06-15-2012 06:20 AM
Your NONAT ACL overlaps with the static policy NAT and NONAT takes precedence over static policy NAT, that's why it's not working.
Please kindly remove the following:
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0
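An added example, not part of the original thread: a Python check that finds the overlap diagnosed above, where an ACE in a NAT-exemption ACL also matches traffic covered by a static policy NAT ACL and therefore shadows it. It assumes the `nonat` ACL is bound with `nat (inside) 0 access-list nonat` (the thread never shows that line); the sample config is constructed from lines quoted in the thread, and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample in the style of the thread's pre-8.3 ASA config.
# Assumption: the "nat (inside) 0" binding line; the thread never shows it.
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list nonat extended permit ip host 192.168.1.76 host 10.2.79.97
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0
access-list nat2VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0
nat (inside) 0 access-list nonat
static (inside,outside) tcp 66.0.102.199 www 192.168.1.75 www netmask 255.255.255.255
static (inside,outside) 10.30.30.0 access-list nat2VPN
"""

EXEMPT_RE = re.compile(r"nat \(\w+\) 0 access-list (\S+)")
POLICY_RE = re.compile(r"static \(\w+,\w+\) (\S+) access-list (\S+)")


def _take_addr(tokens):
    """Consume one address spec ('any', 'host A', 'A MASK') from tokens."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if head == "object-group":
        tokens.pop(0)          # group members are not resolvable from the ACE alone
        return None
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}", strict=False)


def parse_acls(config):
    """Map ACL name -> [(src_net, dst_net, original_line)] for 'permit ip' ACEs."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        name, rest = tokens[1], tokens[2:]
        if rest[0] == "extended":
            rest = rest[1:]
        if rest[:2] != ["permit", "ip"]:
            continue           # standard ACLs, remarks, denies, port-based ACEs
        rest = rest[2:]
        try:
            src, dst = _take_addr(rest), _take_addr(rest)
        except (IndexError, ValueError):
            continue
        if src is not None and dst is not None:
            acls.setdefault(name, []).append((src, dst, line.strip()))
    return acls


def find_shadowed_policy_nat(config):
    """Return policy-static-NAT ACEs that a NAT-exemption ACE also matches."""
    lines = [ln.strip() for ln in config.splitlines()]
    acls = parse_acls(config)
    exempt_acls = [m.group(1) for m in map(EXEMPT_RE.fullmatch, lines) if m]
    findings = []
    for m in filter(None, map(POLICY_RE.fullmatch, lines)):
        mapped, policy_acl = m.groups()
        for p_src, p_dst, p_line in acls.get(policy_acl, []):
            for name in exempt_acls:
                for e_src, e_dst, e_line in acls.get(name, []):
                    # Exemption wins, so any shared src/dst space is never translated.
                    if p_src.overlaps(e_src) and p_dst.overlaps(e_dst):
                        findings.append({
                            "mapped": mapped,
                            "policy_ace": p_line,
                            "exempt_ace": e_line,
                            # Review first: a broader ACE may need narrowing instead.
                            "fix": "no " + e_line,
                        })
    return findings


if __name__ == "__main__":
    for f in find_shadowed_policy_nat(SAMPLE_CONFIG):
        print(f"static to {f['mapped']} shadowed by: {f['exempt_ace']}")
        print(f"  candidate fix: {f['fix']}")
```

ACEs that reference object-groups are skipped because their members cannot be resolved from the ACE line alone, so a clean result does not rule out an overlap through a group.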
06-15-2012 09:25 AM
I missed this in my review:
The link is now working, can login and transmit files, connect by VNC to server and so on. (Can't ping, but no problem).
Thank you for all the help and patience in getting this resolved, this will help greatly.
