02-07-2019 09:37 AM - edited 02-21-2020 08:46 AM
Hi Everyone
Been having some problems getting a NAT statement to work, and hope there is anyone who can help me.
The basic idea is that I need to be able to redirect the VPN connection out through the Cisco ASA 5506-X unit, so that the client's WAN address gets translated to the OUTSIDE WAN link on the Cisco ASA unit.
So far it's working. When I connect to the VPN, the WAN address changes to the Outside IP and I can access a webserver that needs the right address to work.
The strange thing is that if I enable the rule, all normal NAT / ACL from normal Outside to Inside for a webserver on the client's inside stops working!
So right now I can choose between having hairpin or having access to servers from the outside.
Here are the NAT rules I created.
Hairpin:
nat (outside,outside) source dynamic NETWORK_OBJ_INTERNALVPNPOOL interface
NAT rule for server + ACL allowing traffic from outside to inside:
nat (DMZ,outside) static interface net-to-net no-proxy-arp service tcp http http
Any ideas ?
02-07-2019 02:00 PM
You have to move your hairpin NAT rule to the third NAT section:
no nat (outside,outside) source dynamic NETWORK_OBJ_INTERNALVPNPOOL interface
nat (outside,outside) after-auto source dynamic NETWORK_OBJ_INTERNALVPNPOOL interface
02-07-2019 11:40 PM
Hallo Karsten
I can confirm that after I moved the rule, it worked!
Why does moving the rule below make any difference? :)
02-08-2019 03:21 AM
The rules are processed top-down. And the general PAT-rules to the internet always have to be at the end of that list.
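An added example, not part of the thread and not Cisco tooling: a small Python check over a running-config excerpt that sorts `nat` lines into the ASA's three NAT sections (manual NAT, object/auto NAT, manual NAT with `after-auto`) and flags a dynamic interface PAT rule left in section 1 ahead of a static object NAT, which is the situation the fix above addresses. The config text is constructed from the commands in the thread, and the object name `WEBSERVER` is an assumption.

```python
import re

# Constructed running-config excerpts mirroring the thread; the object name
# WEBSERVER is hypothetical (the post does not show it).
BEFORE = """\
nat (outside,outside) source dynamic NETWORK_OBJ_INTERNALVPNPOOL interface
object network WEBSERVER
 nat (DMZ,outside) static interface net-to-net no-proxy-arp service tcp http http
"""
AFTER = BEFORE.replace("outside) source", "outside) after-auto source")

NAT_RE = re.compile(r"^(\s*)nat \(\S+?,\S+?\)\s+(.*)$")

def classify(config):
    """Return (section, kind, mapped, line) per nat rule, ordered by section."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        indent, rest = m.groups()
        words = rest.split()
        if indent:  # nested under "object network": auto NAT, section 2
            mapped = words[1] if len(words) > 1 else ""
            section, kind = 2, words[0]
        elif "source" in words:  # manual NAT: section 1, or 3 with after-auto
            i = words.index("source")
            section = 3 if "after-auto" in words[:i] else 1
            kind = words[i + 1]
            mapped = words[i + 3] if len(words) > i + 3 else ""
        else:
            continue
        rules.append((section, kind, mapped, line.strip()))
    return sorted(rules, key=lambda r: r[0])  # stable: keeps config order per section

def early_interface_pat(config):
    """Section-1 dynamic PAT-to-interface rules that precede static object NAT."""
    rules = classify(config)
    if not any(s == 2 and k == "static" for s, k, _, _ in rules):
        return []
    return [line for s, k, mapped, line in rules
            if s == 1 and k == "dynamic" and mapped == "interface"]

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, [r[0] for r in classify(cfg)], early_interface_pat(cfg))
```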