Twice NAT AnyConnect possible?

I'm struggling with the following situation.

 

We have a Site to Site tunnel between ASA and a Checkpoint.

Our site has an internal 10.0.0.0/24 net and the remote site has 4 different nets configured.

Everything works as expected.

 

Now we must allow our AnyConnect remote users from net 10.0.2.0/24 to access a server on the remote site, but it's not possible to add the net 10.0.2.0/24 to the tunnel. So I tried to configure a twice NAT for this.

nat (inside,outside) source static NET-10.0.2.0-VPN NET-10.0.2.0-VPN destination static NET-ALL-REMOTESITE 10.0.0.230 no-proxy-arp

The basic idea is to NAT the VPN net 10.0.2.0 to a single IP on the internal LAN, and then go through the VPN tunnel to the server on the remote site.

 

But it doesn't work and I have no idea if it is possible in general or perhaps I am missing something.

1 ACCEPTED SOLUTION

VIP Mentor

Re: Twice NAT AnyConnect possible?

You configured a destination-NAT and not Twice-NAT. And based on your problem-description, it should be enough to do a source-NAT (outside,outside) for the RA-network.

But also keep in mind that NAT always makes your config more complex. Perhaps it is easier to change the Remote-Access IP-range to something that can be added to the tunnel?
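The source NAT (outside,outside) suggested above, written out as an added example that is not part of this thread. The object names NET-10.0.2.0-VPN and NET-ALL-REMOTESITE are taken from the question; NAT-RA-TO-LAN, the remote subnets (RFC 5737 placeholders) and the PAT-via-single-host behaviour are assumptions.

```text
! Added example, not from the thread. Assumes interface names "inside"/"outside" as in
! the question; remote subnets below are placeholders, NAT-RA-TO-LAN is an assumed name.

! AnyConnect sessions terminate on "outside" and the site-to-site tunnel also leaves via
! "outside", so the ASA must be allowed to hairpin traffic on the same interface.
same-security-traffic permit intra-interface

object network NET-10.0.2.0-VPN
 subnet 10.0.2.0 255.255.255.0

! The single LAN address the RA pool is hidden behind. Assumption: a host object as the
! mapped object gives dynamic PAT (many RA users behind one IP).
object network NAT-RA-TO-LAN
 host 10.0.0.230

object-group network NET-ALL-REMOTESITE
 network-object 192.0.2.0 255.255.255.0
 network-object 198.51.100.0 255.255.255.0

! Translate the SOURCE (the RA clients) and leave the destination as it is. The rule in
! the question translated the destination instead, and used (inside,outside) although
! RA traffic enters on outside.
nat (outside,outside) source dynamic NET-10.0.2.0-VPN NAT-RA-TO-LAN destination static NET-ALL-REMOTESITE NET-ALL-REMOTESITE

! Checks: the mapped address must be covered by the tunnel's crypto ACL (10.0.0.0/24
! already is), the rule must count translate_hits, and a traced packet should reach the
! VPN encrypt phase rather than being dropped at NAT or ACL.
! show nat detail
! packet-tracer input outside tcp 10.0.2.10 40000 192.0.2.25 443 detailed
```

With the NAT in place the remote Checkpoint only ever sees 10.0.0.230, so its own policy needs no change for the RA users.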


Re: Twice NAT AnyConnect possible?

Karsten many thanks for your advice. This was the easiest solution.

I reconfigured our DHCP for the 2 affected users. They now get an IP from the internal LAN 10.0.0.0/24 and can connect to the remote server.

 

THX