Repositorio IT - IT Repository: April 2015

CONFIGURE NAT OVERLOAD - PAT (PORT ADDRESS TRANSLATION) ON A CISCO ROUTER

R1# configure terminal
R1(config)# interface fastethernet0/0
R1(config-if)# ip nat inside
R1(config-if)# interface serial0/0
R1(config-if)# ip nat outside
R1(config-if)# exit
R1(config)# access-list 100 remark == [Control NAT Service]==
R1(config)# access-list 100 permit ip 192.168.0.0 0.0.0.255 any
R1(config)# ip nat inside source list 100 interface serial 0/0 overload

R1# show ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 200.2.2.1:53427 192.168.0.6:53427 74.200.84.4:53 74.200.84.4:53
udp 200.2.2.1:53427 192.168.0.6:53427 195.170.0.1:53 195.170.0.1:53
tcp 200.2.2.1:53638 192.168.0.6:53638 64.233.189.99:80 64.233.189.99:80
tcp 200.2.2.1:57585 192.168.0.7:57585 69.65.106.48:110 69.65.106.48:110
tcp 200.2.2.1:57586 192.168.0.7:57586 69.65.106.48:110 69.65.106.48:110

R1# clear ip nat translation *

R1# show ip nat translations
Pro Inside global ...........Inside local .....Outside local .......Outside global

R1# show ip nat statistics
Total active translations: 200 (0 static, 200 dynamic; 200 extended)
Outside interfaces:
Serial 0/0
Inside interfaces:
FastEthernet0/0
Hits: 163134904 Misses: 0
CEF Translated packets: 161396861, CEF Punted packets: 3465356
Expired translations: 2453616
Dynamic mappings:
-- Inside Source
[Id: 2] access-list 100 interface serial 0/0 refcount 195
Appl doors: 0
Normal doors: 0
Queued Packets: 0a

From http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/260-cisco-router-nat-overload.html

Cisco ASA 8.4 IOS - Remote Access VPN

Below is the minimal configuration needed to implement remote access VPN's on a Cisco ASA 5505 running 8.4. Please keep in mind that the names that I used in my configuration is of my dog but it's best practice to use a name that describes what / who its for.

Enable ISAKMP on the interface:

ASA-2(config)# crypto ikev1 enable outside

ASA-2(config)# crypto ikev1 policy 1

ASA-2(config-ikev1-policy)# encryption 3des

ASA-2(config-ikev1-policy)# authentication pre-share

ASA-2(config-ikev1-policy)# hash md5

Setup your Group Policies & Tunnel Policies

ASA-2(config)# group-policy oscar_GP internal

ASA-2(config)# group-policy oscar_GP attributes

ASA-2(config-group-policy)# vpn-tunnel-protocol ikev1

ASA-2(config-group-policy)# address-pools value oscar_pool

*******************

ASA-2(config)# tunnel-group oscar_tg type remote-access

ASA-2(config)# tunnel-group oscar_tg general-attributes

ASA-2(config-tunnel-general)# default-group-policy oscar_GP

ASA-2(config-tunnel-general)# authentication-server-group LOCAL

ASA-2(config)# tunnel-group oscar_tg ipsec-attributes

ASA-2(config-tunnel-ipsec)# ikev1 pre-shared-key C1sc0

*******************

ASA-2(config)# crypto ipsec ikev1 transform-set oscar_trans esp-3des esp-md5-hmac

ASA-2(config)# ip local pool oscar_pool 10.1.2.140-10.1.2.145 mask 255.255.255.0

ASA-2(config)# crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set oscar_trans

ASA-2(config)#username oscar password omEMDQBc9noujG1X encrypted privilege 15

ASA-2(config)# crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

ASA-2(config)# crypto map outside_map interface outside

From http://adrian-brayton.blogspot.com.ar/2011/07/cisco-asa-84-ios-remote-access-vpn.html

Site to Site vpn config example ASA 8.4 or newer.

Just copy paste.
Mirror this config on the other side.

crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!
object network OBJ-SiteA
subnet 10.0.0.0 255.255.255.0
object network OBJ-SiteB
subnet 10.0.3.0 255.255.255.0
!
access-list VPN-TRAFIC extended permit ip object OBJ-SiteA object OBJ-SiteB
nat (inside,outside) source static OBJ-SiteA OBJ-SiteA destination static OBJ-SiteB OBJ-SiteB no-proxy-arp route-lookup
!
tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 ipsec-attributes
pre-shared-key cisco123
isakmp keepalive threshold 10 retry 2 (Optional)
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-3des esp-md5-hmac
!
crypto map CRYPTO-MAP 1 match address VPN-TRAFIC
crypto map CRYPTO-MAP 1 set pfs group2 (Optional)
crypto map CRYPTO-MAP 1 set peer 200.200.200.200
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside

Related Article :

http://www.petenetlive.com/KB/Article/0000050.htm

Repositorio IT - IT Repository

Barra de menus

CONFIGURE NAT OVERLOAD - PAT (PORT ADDRESS TRANSLATION) ON A CISCO ROUTER

Cisco ASA 8.4 IOS - Remote Access VPN

Below is the minimal configuration needed to implement remote access VPN's on a Cisco ASA 5505 running 8.4. Please keep in mind that the names that I used in my configuration is of my dog but it's best practice to use a name that describes what / who its for.

Site to Site vpn config example ASA 8.4 or newer.

Cisco ASA - IOS NAT Cheat Sheet

Archive

Follow the blog

Tags

Visitas

Subir