ASA 8.4 with Policy NAT to pool vpnclient

ipagliani
Level 1

Hi,

I have this error when I try to migrate a policy NAT from 8.2 to 8.4:

Addresses overlap with existing localpool range

ERROR: NAT Policy is not downloaded

The original 8.2 configuration works: I created a static NAT for an INSIDE_HOST (with EXT_HOST) when it's contacted from an IPsec client (VPN_POOL).

nat (inside) 0 access-list no-nat

access-list no-nat remark VPNCLIENT

  ! this prevents NAT exemption for the host

  access-list no-nat extended deny ip host INSIDE_HOST VPN_POOL

  ! NAT exemption for vpn client

  access-list no-nat extended permit ip INSIDE_LAN VPN_POOL

access-list POLICY-NAT extended permit ip host INSIDE_HOST VPN_POOL

static (inside,outside) EXT_HOST access-list POLICY-NAT dns

Now the migration tool didn't convert it and generated the same error.

I wrote this nat entry:

nat (inside,outside) source static INSIDE_HOST EXT_HOST destination static VPN_POOL VPN_POOL

But again the error is the same.

Any ideas?

Regards,

Iarno

6 Replies

ajay chauhan
Level 7

nat (inside,outside) source static INSIDE_HOST EXT_HOST destination static VPN_POOL VPN_POOL

This should be:

nat (inside,outside) source static INSIDE_HOST INSIDE_HOST destination static VPN_POOL VPN_POOL

Also, object groups should be in place:

object network INSIDE_HOST

object network VPN_POOL

Thanks

Ajay

Hi Ajay,

the command :

nat (inside,outside) source static INSIDE_HOST INSIDE_HOST destination static VPN_POOL VPN _POOL

is great for NAT exemption, but what about policy NAT:

access-list POLICY-NAT extended permit ip host INSIDE_HOST VPN_POOL

static (inside,outside) EXT_HOST access-list POLICY-NAT dns

Iarno

Ahh, I got you now. It should be:

nat (inside,outside) source dynamic INSIDE_HOST EXT_HOST destination static VPN_POOL VPN_POOL

Thanks

Ajay

Hi,

I tried, but the problem is the same, and I'm not sure that this is a static NAT. VPN_POOL has to access EXT_HOST services (e.g. RDP). Anyway, this happens:

ip local pool VPN 1.1.1.1-1.1.1.15

object network VPN_POOL

subnet 1.1.1.0 255.255.255.240

object network INSIDE_HOST

host 10.10.10.10

object network EXT_HOST

host 11.11.11.11

ciscoasa(config)# nat (inside,outside) source dynamic INSIDE_HOST EXT_HOST destination static VPN_POOL VPN_POOL

Addresses overlap with existing localpool range

ERROR: NAT Policy is not downloaded

Please clarify this:

VPN_POOL have to access to EXT_HOST services (ex. RDP). Anyway this happens:

Are inside hosts trying to access VPN pool members?

Are VPN pool members trying to access a host on the internet? e.g. 11.11.11.11

Or do you want to set up this IP for VPN pool members to access a host on the internet?

Only when there is a one-to-one mapping is the static keyword used.

Also post your configuration.

Thanks

Ajay

Hi,

thanks for the reply. The scenario is this:

Some clients access the ASA via the IPsec VPN client. They use a public DNS to resolve the server's name. The resolved IP address is encrypted via IPsec. With ASA 8.2 I used policy NAT as posted to statically map this IP address to the real IP address of the server.

In my example the object configurations are:

VPN_POOL: IP address assigned to the IPsec client

INSIDE_HOST: real IP address of the server

EXT_HOST: mapped IP address (VPN clients try to access this IP when they connect)

Now the question is: is it possible to manage that with 8.3 or 8.4?

Thanks

Iarno
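The 8.2-to-8.3+ mapping the thread works through, written out as an added example (this is not from the thread and not Cisco's migration tool): a small Python converter that turns the 8.2 `static ... access-list` policy NAT and the `nat 0` exemption into twice NAT rules, in the order they must be entered. Assumed, not from the thread: INSIDE_LAN is 10.10.10.0/24, the exemption is paired with the outside interface, and the ACL entries are written with concrete addresses that match the `object network` definitions. Two points it makes visible: 8.3+ NAT has no deny entries, so the `deny` ACE in no-nat is replaced by putting the more specific policy rule before the identity rule, and the `dns` keyword is not carried over because the thread's VPN clients already get EXT_HOST from a public DNS. The script reproduces only the syntax mapping; it cannot predict the "Addresses overlap with existing localpool range" check that the OP's ASA raised.

```python
"""Convert the thread's 8.2 policy NAT / NAT exemption into ASA 8.3+ twice NAT.

Added example, not the thread's config and not Cisco's migration tool.
Assumed (not from the thread): INSIDE_LAN is 10.10.10.0/24, 'nat 0' pairs
with the outside interface, and ACL entries use concrete addresses that
match an 'object network' so the emitted rules can name them.
"""
import ipaddress

# Constructed sample: the thread's objects plus the assumed INSIDE_LAN.
OBJECTS_83 = """
object network VPN_POOL
 subnet 1.1.1.0 255.255.255.240
object network INSIDE_HOST
 host 10.10.10.10
object network EXT_HOST
 host 11.11.11.11
object network INSIDE_LAN
 subnet 10.10.10.0 255.255.255.0
"""

# Constructed sample: the thread's 8.2 config with the addresses filled in.
CONFIG_82 = """
nat (inside) 0 access-list no-nat
access-list no-nat extended deny ip host 10.10.10.10 1.1.1.0 255.255.255.240
access-list no-nat extended permit ip 10.10.10.0 255.255.255.0 1.1.1.0 255.255.255.240
access-list POLICY-NAT extended permit ip host 10.10.10.10 1.1.1.0 255.255.255.240
static (inside,outside) 11.11.11.11 access-list POLICY-NAT dns
"""


def parse_objects(text):
    """Map each 'object network' name to its ip_network."""
    objects, name = {}, None
    for raw in text.splitlines():
        t = raw.split()
        if t[:2] == ["object", "network"]:
            name = t[2]
        elif t and t[0] == "host":
            objects[name] = ipaddress.ip_network(t[1])
        elif t and t[0] == "subnet":
            objects[name] = ipaddress.ip_network(f"{t[1]}/{t[2]}")
    return objects


def _addr(t):
    """Consume one ACE address, 'host A' or 'A MASK'; return (network, rest)."""
    if t[0] == "host":
        return ipaddress.ip_network(t[1]), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}"), t[2:]


def parse_82(text):
    """Collect ACLs, 'static ... access-list' policies and 'nat 0' exemptions."""
    acls, statics, exempt = {}, [], []
    for raw in text.splitlines():
        t = raw.split()
        if t[:1] == ["access-list"] and t[2] == "extended":
            src, rest = _addr(t[5:])
            dst, _ = _addr(rest)
            acls.setdefault(t[1], []).append((t[3], src, dst))
        elif t[:1] == ["static"]:
            ifaces = t[1].strip("()").split(",")
            statics.append((ifaces, ipaddress.ip_network(t[2]), t[4]))
        elif t[:1] == ["nat"] and t[2] == "0":
            exempt.append((t[1].strip("()"), t[4]))
    return acls, statics, exempt


def convert(config_82, objects_text, exempt_out="outside"):
    """Return (twice-NAT lines in the order to enter them, warnings)."""
    by_net = {net: name for name, net in parse_objects(objects_text).items()}

    def name(net):
        if net not in by_net:
            raise KeyError(f"no object network for {net}; define one first")
        return by_net[net]

    acls, statics, exempt = parse_82(config_82)
    rules, warnings = [], []   # rules: (line, real source, destination)

    # Policy NAT first: manual NAT is evaluated in order, so the more specific
    # rule must precede the identity rule that would otherwise match the host.
    # The 8.2 'dns' keyword is not carried over: the thread's clients already
    # get EXT_HOST from a public DNS, so nothing on the tunnel path is rewritten.
    for (in_if, out_if), mapped, acl in statics:
        for action, src, dst in acls[acl]:
            if action == "permit":
                rules.append((f"nat ({in_if},{out_if}) source static {name(src)} "
                              f"{name(mapped)} destination static {name(dst)} {name(dst)}",
                              src, dst))

    # NAT exemption: permit ACEs become identity rules.  8.3+ NAT has no deny,
    # so a deny ACE only works if an earlier, more specific rule shadows it.
    for in_if, acl in exempt:
        for action, src, dst in acls[acl]:
            if action == "deny":
                if not any(src.subnet_of(s) and dst.subnet_of(d) for _, s, d in rules):
                    warnings.append(f"deny {src} -> {dst} in {acl} is not shadowed "
                                    "by an earlier rule; add one before the exemption")
                continue
            rules.append((f"nat ({in_if},{exempt_out}) source static {name(src)} "
                          f"{name(src)} destination static {name(dst)} {name(dst)}",
                          src, dst))
    return [r[0] for r in rules], warnings


if __name__ == "__main__":
    lines, warns = convert(CONFIG_82, OBJECTS_83)
    print("\n".join(lines + [f"! WARNING: {w}" for w in warns]))
```

Run it and the first line printed is the policy rule the OP wrote, followed by the identity rule for the rest of the LAN; the order is the whole point, since the identity rule would otherwise catch INSIDE_HOST first. If an exemption ACL contains a deny that no earlier rule covers, the script emits a warning instead of silently dropping it.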