configure NAT of VPN subnet to local subnet

Hi Community Members,

 

I am new to Networking and have a question that appears difficult to me, but to experts like you it can be an easy one.

 

Our LAN Subnet: 192.168.171.0/24

Our VPN Subnet: 10.251.251.0/24

 

Our client has allowed our LAN subnet (192.168.171.0/24) in their firewall, hence I am able to access their servers when in office.

However, when I am connected to my office network via AnyConnect VPN, I am not able to access the customer's servers, as they have only allowed our LAN subnet (192.168.171.0/24), and our VPN subnet is 10.251.251.0/24.

 

I believe that I must do a NAT of my VPN subnet to my LAN subnet, thereby my 10.251.251.0/24 traffic appearing as 192.168.171.0/24 and being accepted by client's firewall.

 

I don't know how best I could have put this across, but I did try my best :)

Thanks in advance.

 

Regards.

3 Replies

Rahul Govindan
VIP Alumni

Translating traffic to the inside network is not necessary, but you could do it. The more common implementation is to exempt traffic between VPN and LAN from any NAT translation. If you don't do this, there is a chance that this traffic could hit the dynamic NAT rule on the way back. Your NAT exemption rule should look something like this:

 

nat (inside,outside) 1 source static LAN_subnet LAN_subnet destination static VPN_subnet VPN_subnet no-proxy-arp route-lookup

Hello Rahul,

 

Thanks for your response.

Is it okay that our VPN subnet is different than the LAN subnet?

I was thinking that 192.168.171.0/24 being allowed by the customer will let me access their servers either from the office or remotely when I am connected to the VPN.

But now that my IP is changing to 10.251.251.0/24 when I am connecting to the VPN, things aren't working as expected.

 

This is why I was wondering if NAT could be the solution, but from your response I understand that it could be a problem too.

Alternatively, can I change my VPN pool to 192.168.171.150 to 192.168.171.250?
