networking-forum.com

All times are UTC - 6 hours [ DST ]



Posted: Fri Apr 27, 2012 3:20 am
I cannot get remote VPN with inbound NAT working together with site-to-site VPN access. If I add the lines below, the inbound NAT works properly (vpngroup cisco2), but remote vpngroup cisco and all site-to-site VPNs break (I get the error: No translation group found for icmp src outside:10.10.10.0.20 dst inside:10.10.0.10 (type 8, code 0)).

Code:
global (inside) 2 interface
nat (outside) 2 192.168.99.0 255.255.255.0 outside 0 0


Code:
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname Remote1-PIX
names
name 10.10.0.1 ifNet-DefGW
object-group network NET1-LANs
  network-object 10.10.0.0 255.255.248.0
  network-object 10.10.1.0 255.255.255.128
object-group network NET1-PdLANs
  network-object 10.10.0.0 255.255.255.0
  network-object 10.10.1.0 255.255.255.128
object-group network Remote1-Sup
  network-object 192.168.1.0 255.255.255.0
object-group network PTT_LANs
  network-object 10.10.1.0 255.255.255.128
object-group network Office1-Access
  network-object 10.20.30.0 255.255.255.0
access-list Outside-In permit icmp any any echo-reply
access-list Outside-In permit icmp any any time-exceeded
access-list Outside-In permit icmp any any unreachable
access-list Outside-In permit icmp any any echo
access-list Office1VPN permit ip object-group NET1-PdLANs object-group Office1-Access
access-list Office2VPN permit ip object-group NET1-LANs object-group Remote1-Sup
access-list nonat permit ip 10.10.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip any 10.10.0.20 255.255.255.254
access-list nonat permit ip 10.10.0.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list nonat permit ip 10.10.10.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list nonat permit ip 10.10.0.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list nonat permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.10.0.20 255.255.255.254
access-list split_nonat permit ip any 10.10.0.20 255.255.255.254
access-list split_nonat2 permit ip 10.10.10.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list split_nonat2 permit ip 10.10.1.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 192.168.99.0 255.255.255.0
mtu outside 1500
mtu inside 1500
ip address outside 202.1.2.8 255.255.255.252
ip address inside 10.10.0.9 255.255.255.0
ip audit info action alarm
ip audit attack action drop
ip local pool Remote-VPN1 10.10.0.20-10.10.0.21
ip local pool Remote-VPN2 192.168.99.99-192.168.99.119
arp timeout 14400
global (outside) 1 interface
global (inside) 2 interface
nat (outside) 2 192.168.99.0 255.255.255.0 outside 0 0
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.0.0 255.255.248.0 0 0
route outside 0.0.0.0 0.0.0.0 202.1.2.1 1
route inside 10.10.1.0 255.255.255.0 ifNet-DefGW 1
route inside 10.10.2.0 255.255.255.0 ifNet-DefGW 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set weak esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set weak
crypto dynamic-map outside_dyn_map2 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map2 40 set transform-set weak
crypto map toPeer 20 ipsec-isakmp
crypto map toPeer 20 match address Office1VPN
crypto map toPeer 20 set peer 2.2.2.2
crypto map toPeer 20 set transform-set weak
crypto map toPeer 30 ipsec-isakmp
crypto map toPeer 30 match address Office2VPN
crypto map toPeer 30 set peer 3.3.3.3
crypto map toPeer 30 set transform-set weak
crypto map toPeer 65534 ipsec-isakmp dynamic outside_dyn_map2
crypto map toPeer 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map toPeer client authentication LOCAL
crypto map toPeer interface outside
isakmp enable outside
isakmp key ******** address 3.3.3.3 netmask 255.255.255.255
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup cisco address-pool Remote-VPN1
vpngroup cisco split-tunnel nonat
vpngroup cisco idle-time 1800
vpngroup cisco password ********
vpngroup cisco2 address-pool Remote-VPN2
vpngroup cisco2 split-tunnel split_nonat2
vpngroup cisco2 idle-time 1800
vpngroup cisco2 password ********
console timeout 60
vpdn enable outside

Thanks in advance.
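
An added example, not part of the original post: a small Python check that reads the NAT lines of the posted config and reports which `nat`/`global` pair, if any, covers a given source address. It assumes the PIX needs such a pair for the packet named in the error, which is what the "No translation group found" message suggests; the function names and the source address 10.10.10.20 are hypothetical, and the other addresses come from the pools in the post.

```python
import ipaddress

# Constructed excerpt: only the NAT-related lines of the posted config.
CONFIG = """\
global (outside) 1 interface
global (inside) 2 interface
nat (outside) 2 192.168.99.0 255.255.255.0 outside 0 0
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.0.0 255.255.248.0 0 0
"""

def parse_nat(config):
    """Return (nats, pools): network-based nat rules as (ifc, id, network)
    and the set of (ifc, id) pairs that have a global statement."""
    nats, pools = [], set()
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 3 and tok[0] == "global":
            pools.add((tok[1].strip("()"), tok[2]))
        elif len(tok) >= 5 and tok[0] == "nat" and tok[3] != "access-list":
            net = ipaddress.ip_network(f"{tok[3]}/{tok[4]}")
            nats.append((tok[1].strip("()"), tok[2], net))
    return nats, pools

def find_translation(config, src_ifc, src_ip, dst_ifc):
    """Return the nat id whose network covers src_ip on src_ifc and which
    has a global on dst_ifc, or None when no such pair exists."""
    nats, pools = parse_nat(config)
    addr = ipaddress.ip_address(src_ip)
    for ifc, nat_id, net in nats:
        if ifc == src_ifc and addr in net and (dst_ifc, nat_id) in pools:
            return nat_id
    return None

if __name__ == "__main__":
    samples = [
        ("192.168.99.99", "Remote-VPN2 pool (vpngroup cisco2)"),
        ("10.10.0.20", "Remote-VPN1 pool (vpngroup cisco)"),
        ("10.10.10.20", "constructed host in 10.10.10.0/24"),
    ]
    for ip, label in samples:
        hit = find_translation(CONFIG, "outside", ip, "inside")
        print(f"{ip:15} {label:40} nat id: {hit}")
```

Only the Remote-VPN2 pool is covered by the outside NAT statement, which matches the behaviour described in the post: vpngroup cisco2 works while the other tunnels report a missing translation group.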

