Cisco remote VPN NAT issue

Dear all,

I am facing an issue which needs your valuable support.

As per the attached diagram, remote users are getting IP address 192.168.2.x, internal IP = 192.168.1.x, DMZ IP = 172.16.1.x, and the 10.0.0.x network is accessed via a router connected on the DMZ over which I don't have control.

My issue is that remote users want to access the 10.0.0.x network but they can't; at the same time they can access the DMZ and internal network.

I have tried no NAT as below, and I removed the first line of the ACL as well, but the result is the same.

access-list 160 permit ip 10.0.0.0 255.0.0.0 192.168.2.0 255.255.255.0

access-list 160 permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (dmz) 0 access-list 160

I wish to try NATing 192.168.2.x traffic using a DMZ IP address when packets are destined to 10.0.0.x.

Can someone suggest how to proceed?


Re: Cisco remote VPN NAT issue

Hi,

You need to look at a dynamic policy NAT, NATing the VPN users to either the DMZ interface or an address within the DMZ range which is dedicated to that purpose.

Sent from Cisco Technical Support iPad App

Re: Cisco remote VPN NAT issue

Hello,

You could do a:

NAT (outside) 1 192.168.2.0 netmask 255.255.255.0 outside

global (dmz) 1 172.16.1.x

Can you do a packet-tracer and show us the result of that? This will lead us to a NAT issue or something else.

The No_Nat configuration is perfect.

Regards,

Julio

DO rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Re: Cisco remote VPN NAT issue

I have attached the packet tracer output and the firewall config; kindly look into that.


Re: Cisco remote VPN NAT issue

Hi all,

As jcarvaja suggested, I have tried the NAT config but no luck.

Please provide me a solution.

Re: Cisco remote VPN NAT issue

Hello,

Here is what I want you to do now:

access-list test permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0

nat (outside) 10 access-list test outside

global (dmz) 10 interface

Regards,

Let me know the result.

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
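
The ACLs posted in this thread select traffic in different directions and with different masks for the 10.0.0.x network (255.0.0.0 in ACL 160, 255.255.255.0 in ACL test). The following is an added example, not code from any poster or from Cisco, that parses those three lines and reports which one, if any, matches a given flow; the sample host addresses are constructed, and only the `access-list NAME permit|deny ip SRC MASK DST MASK` form is handled.

```python
import ipaddress

# ACL lines copied from the thread; the host addresses used further down are constructed.
ACL_LINES = [
    "access-list 160 permit ip 10.0.0.0 255.0.0.0 192.168.2.0 255.255.255.0",
    "access-list 160 permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0",
    "access-list test permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0",
]

def parse_acl_line(line):
    """Parse 'access-list NAME ACTION ip SRC SMASK DST DMASK' (network/mask form only)."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    return {
        "name": tok[1],
        "action": tok[2],
        "src": ipaddress.ip_network(f"{tok[4]}/{tok[5]}"),
        "dst": ipaddress.ip_network(f"{tok[6]}/{tok[7]}"),
    }

def first_match(acl_lines, name, src_ip, dst_ip):
    """Return the first entry of ACL `name` that matches the flow, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        entry = parse_acl_line(line)
        if entry["name"] == name and src in entry["src"] and dst in entry["dst"]:
            return entry
    return None

def describe(acl_lines, name, src_ip, dst_ip):
    """One-line summary of whether ACL `name` selects the flow src_ip -> dst_ip."""
    hit = first_match(acl_lines, name, src_ip, dst_ip)
    verdict = f"matched {hit['src']} -> {hit['dst']}" if hit else "no match"
    return f"ACL {name}: {src_ip} -> {dst_ip}: {verdict}"

if __name__ == "__main__":
    # Constructed flows: a VPN client reaching two hosts behind the DMZ router,
    # and the reply direction from one of them.
    for name, src, dst in [
        ("test", "192.168.2.10", "10.0.0.5"),
        ("test", "192.168.2.10", "10.1.2.3"),
        ("160", "10.1.2.3", "192.168.2.10"),
        ("160", "192.168.2.10", "10.0.0.5"),
    ]:
        print(describe(ACL_LINES, name, src, dst))
```
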