topic RA VPN pool nating in Network Security https://community.cisco.com/t5/network-security/ra-vpn-pool-nating/m-p/1254459#M787433 <P>Hi,</P><P></P><P>I'm trying to do the NATing for VPN client pool as inside servers are accepting only some allowed ip subnet.</P><P></P><P>My vpn client pool is using 172.16.1.x/24 and inside users are allow to access only from 141.146.130.x/28 as source subnet.</P><P></P><P>For that I did the following ACS and NATing</P><P></P><P></P><P>access-list nonat extended permit ip host 141.146.130.130 140.85.0.0 255.255.0.0</P><P>access-list nonat extended permit ip host 141.146.130.130 144.23.0.0 255.255.0.0</P><P>access-list nonat extended permit ip host 141.146.130.130 141.146.128.0 255.255.128.0</P><P></P><P>access-list policy_nat extended permit ip 140.85.0.0 255.255.0.0 172.16.1.0 255.255.255.0</P><P>access-list policy_nat extended permit ip 144.23.0.0 255.255.0.0 172.16.1.0 255.255.255.0</P><P>access-list policy_nat extended permit ip 141.146.128.0 255.255.128.0 172.16.1.0 255.255.255.0</P><P></P><P>access-list Oracle_OnDemand extended permit ip host 141.146.130.130 140.85.0.0 255.255.0.0</P><P>access-list Oracle_OnDemand extended permit ip host 141.146.130.130 144.23.0.0 255.255.0.0</P><P>access-list Oracle_OnDemand extended permit ip host 141.146.130.130 141.146.128.0 255.255.128.0</P><P></P><P>nat (inside) 0 access-list nonat</P><P>nat (inside) 5 access-list policy_nat</P><P>nat (outside) 5 141.146.130.130 netmask 255.255.255.255</P><P></P><P>Although I'm connected to VPN and getting IP from 172.16.1.x/24 subnet I'm not able to access trust subnet (ie. 140.85.0.0/16.</P><P></P><P>Attached is the running-config with some show commands after connecting VPN.</P><P></P><P>When I check VPN Client statics I could not see any subnet under secure routes.</P><P></P><P></P><P>Can someone help me on this?,</P><P>thanks</P><P></P><P></P><P> </P><P></P> Mon, 11 Mar 2019 16:27:21 GMT pemasirid 2019-03-11T16:27:21Z RA VPN pool nating https://community.cisco.com/t5/network-security/ra-vpn-pool-nating/m-p/1254459#M787433 <P>Hi,</P><P></P><P>I'm trying to do the NATing for VPN client pool as inside servers are accepting only some allowed ip subnet.</P><P></P><P>My vpn client pool is using 172.16.1.x/24 and inside users are allow to access only from 141.146.130.x/28 as source subnet.</P><P></P><P>For that I did the following ACS and NATing</P><P></P><P></P><P>access-list nonat extended permit ip host 141.146.130.130 140.85.0.0 255.255.0.0</P><P>access-list nonat extended permit ip host 141.146.130.130 144.23.0.0 255.255.0.0</P><P>access-list nonat extended permit ip host 141.146.130.130 141.146.128.0 255.255.128.0</P><P></P><P>access-list policy_nat extended permit ip 140.85.0.0 255.255.0.0 172.16.1.0 255.255.255.0</P><P>access-list policy_nat extended permit ip 144.23.0.0 255.255.0.0 172.16.1.0 255.255.255.0</P><P>access-list policy_nat extended permit ip 141.146.128.0 255.255.128.0 172.16.1.0 255.255.255.0</P><P></P><P>access-list Oracle_OnDemand extended permit ip host 141.146.130.130 140.85.0.0 255.255.0.0</P><P>access-list Oracle_OnDemand extended permit ip host 141.146.130.130 144.23.0.0 255.255.0.0</P><P>access-list Oracle_OnDemand extended permit ip host 141.146.130.130 141.146.128.0 255.255.128.0</P><P></P><P>nat (inside) 0 access-list nonat</P><P>nat (inside) 5 access-list policy_nat</P><P>nat (outside) 5 141.146.130.130 netmask 255.255.255.255</P><P></P><P>Although I'm connected to VPN and getting IP from 172.16.1.x/24 subnet I'm not able to access trust subnet (ie. 140.85.0.0/16.</P><P></P><P>Attached is the running-config with some show commands after connecting VPN.</P><P></P><P>When I check VPN Client statics I could not see any subnet under secure routes.</P><P></P><P></P><P>Can someone help me on this?,</P><P>thanks</P><P></P><P></P><P> </P><P></P> Mon, 11 Mar 2019 16:27:21 GMT https://community.cisco.com/t5/network-security/ra-vpn-pool-nating/m-p/1254459#M787433 pemasirid 2019-03-11T16:27:21Z Re: RA VPN pool nating https://community.cisco.com/t5/network-security/ra-vpn-pool-nating/m-p/1254460#M787438 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I'm confused as to why you want to use policy nat here. As you show in your screenshot, the VPN client is not using split tunneling, so it should be able to reach all networks known to the ASA.</P><P></P><P>Also, you have no "global" statement to match your nat statement used for policy nat. To use policy nat, here is an example:</P><P></P><P>nat (inside) 5 access-list policy_nat</P><P>global (outside) 5 141.146.130.130 netmask 255.255.255.255</P><P></P><P>The only thing you need is a "no nat" rule for traffic going back to the VPN clients.</P><P></P><P>You can add this line to your nonat ACL:</P><P></P><P>access-list nonat extended permit ip 140.85.0.0 255.255.0.0 172.16.1.0 255.255.255.0</P><P></P><P>Otherwise you could use this line to make all networks available to the VPN clients:</P><P></P><P>access-list nonat extended permit ip any 172.16.1.0 255.255.255.0</P></BODY></HTML> Mon, 19 Oct 2009 10:42:53 GMT https://community.cisco.com/t5/network-security/ra-vpn-pool-nating/m-p/1254460#M787438 Erik Ingeberg 2009-10-19T10:42:53Z