
ASA5505 NAT - access to remote s2s vpn from a remote client vpn

acleri
Level 1

Hi,

we have a Cisco ASA5505 with one S2S IPsec VPN running; the remote site asks us to NAT our internal LAN before establishing the tunnel to them.

e.g.: original internal address 192.168.1.0 > NATted 172.16.1.0 > VPN tunnel > remote site LAN 10.1.1.0.

Now we also need to access the remote site from outside the office, so we need to configure a new remote IPsec VPN connection.

Our remote VPN users (using the Cisco IPsec VPN client) will get an IP address from the pool 192.168.2.1-10.

Now remote VPN users are able to connect to the internal network 192.168.1.0 but NOT to the remote VPN site 10.1.1.0, because in order to establish the tunnel the traffic should first be NATted to 172.16.1.0.

I tried to set up a dynamic NAT rule using ASDM but the system does not accept it because both the source (VPN pool) and destination (remote site) networks are on the outside interface.

Is there any possibility to configure such a scenario?

Thank you.

Andy


4 Replies

Jouni Forss
VIP Alumni

Hi,

It's possible.

It would be easier to look through if you could provide your current firewall configuration (without any sensitive information).

But here are some questions:

  • How have you configured the NAT for the LAN -> REMOTE LAN?
  • Is your IPsec VPN Client connection Full tunnel or Split tunnel?
  • Have you enabled/used the command "same-security-traffic permit intra-interface"?
    • Should be visible from the command line after issuing the command "show run same"

- Jouni

Hi,

  • How have you configured the NAT for the LAN -> REMOTE LAN? Dynamic policy NAT rule:
    • nat (inside) 1 access-list inside_nat_outbound
    • access-list inside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_3
    • object-group network DM_INLINE_NETWORK_3
    • network-object pippo 255.255.255.128
    • network-object pippo2 255.255.255.240
    • name 10.51.237.128 pippo
    • name 10.51.253.128 pippo2

  • Is your IPsec VPN Client connection Full tunnel or Split tunnel? Split tunnel.

  • Have you enabled/used the command "same-security-traffic permit intra-interface"? I just enabled it.
    • Should be visible from the command line after issuing the command "show run same"

Attached is the relevant part of the running configuration.

Thank you for your support.

Andy

I guess what you basically need to make sure is the following:

  • Have the following command configured on the ASA
    • same-security-traffic permit intra-interface
    • This will enable the traffic to enter and leave using the same interface. In this case that would be "outside", as the traffic is coming from the VPN Client connection and is going to another VPN connection (S2S).

  • Make sure you have the remote networks behind the S2S/L2L connection added to the VPN Client split-tunnel access-list configuration.

  • Try to make a NAT statement for the VPN client traffic that is supposed to enter the L2L VPN.
    • access-list VPN-CLIENT-POLICY-NAT permit ip 192.168.254.0 255.255.255.0
    • nat (outside) 1 access-list VPN-CLIENT-POLICY-NAT
    • This should tell the ASA that when the VPN Client users' connection towards the remote (S2S) network comes to the ASA, it should do a PAT translation for the traffic using the "global" statement with ID 1, which is "global (outside) 1 172.16.238.50 netmask 255.255.255.0".
    • In other words it would PAT traffic coming from "outside" back to "outside" (ONLY when the destination network is the S2S/L2L remote network) using the PAT IP address that is configured on the S2S/L2L VPN and therefore should bring up the S2S/L2L VPN, if it's not up already.

- Jouni
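The three pieces from the accepted answer assembled into one ASA 8.2-style configuration fragment, as an added example that is not from the thread. It uses the original post's addresses (inside LAN 192.168.1.0/24, client pool inside 192.168.2.0/24, remote LAN 10.1.1.0/24) together with Jouni's PAT address 172.16.238.50; the ACL, group-policy and crypto-map names and REMOTE-PEER-IP are placeholders.

```cisco
! Added example (not from the thread). Addresses from the original post plus Jouni's
! PAT address; ACL/group-policy/crypto-map names and REMOTE-PEER-IP are placeholders.
! The existing S2S settings (ISAKMP policy, transform set, tunnel-group) are unchanged
! and omitted here.
!
! 1. Let traffic enter and leave through the same interface ("outside" -> "outside").
same-security-traffic permit intra-interface
!
! 2. Split-tunnel list for the VPN clients: the remote S2S network must be included,
!    or the client never sends 10.1.1.0/24 traffic into its tunnel.
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
group-policy VPN-CLIENT-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! 3. One PAT address shared by the inside LAN and the hairpinned VPN-client traffic.
global (outside) 1 172.16.238.50 netmask 255.255.255.0
!
! Inside LAN -> remote LAN (the existing policy NAT).
access-list inside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 1 access-list inside_nat_outbound
!
! VPN-client pool -> remote LAN only. The explicit destination keeps the clients'
! other split-tunnel traffic (to 192.168.1.0/24) out of this translation.
access-list VPN-CLIENT-POLICY-NAT extended permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (outside) 1 access-list VPN-CLIENT-POLICY-NAT
!
! 4. The S2S crypto ACL is evaluated after NAT, so it matches on the PAT address;
!    a hairpinned client packet therefore looks like LAN traffic and brings the tunnel up.
access-list S2S-CRYPTO extended permit ip host 172.16.238.50 10.1.1.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address S2S-CRYPTO
crypto map OUTSIDE-MAP 10 set peer REMOTE-PEER-IP
!
! Checks once a client is connected and has pinged a host in 10.1.1.0/24:
! show run same                      (intra-interface permit present)
! show xlate | include 192.168.2.    (192.168.2.x translated to 172.16.238.50)
! show crypto ipsec sa peer REMOTE-PEER-IP   (#pkts encaps/decaps counters increase)
```

Jouni's policy-NAT access-list is given without a destination; writing it with the remote LAN as destination, as here, limits the translation to traffic bound for the S2S network and leaves the clients' access to 192.168.1.0/24 untouched.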

Great!! It works.

Thank you Jouni!!
