ASA NAT Exemptions for VPN users

Richard Tapp
Level 1

I have an ASA with 3 interfaces, inside, outside and a DMZ, running on 8.4(5). There are also VPN users connecting into the firewall.

Connected to the DMZ is an ACE with a private VIP that I can normally get to from Inside and so can the VPN users.

As soon as I assign a public address to the private VIP via the outside interface, the VPN users can't connect to the private VIP any more.

Through the inside interface it still works OK.

I have been looking for something like a NAT exemption for the VPN users. Is there such a thing on 8.4(5)?

2 Replies

Andrew Phirsov
Level 7

You have to use manual (twice) NAT to accomplish this:

object network VIP
 host 192.168.10.10
object network RAVPN_POOL
 subnet 192.168.X.0 255.255.255.0
nat (dmz,outside) source static VIP VIP destination static RAVPN_POOL RAVPN_POOL
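
An added example, not part of the reply above or of the original poster's configuration: the exemption shown together with a public static for the same VIP, plus the show commands that confirm which rule VPN traffic matches. It assumes the public address was published with object NAT; 203.0.113.10 and the 192.168.50.0/24 pool are constructed placeholder values.

```cisco
! Constructed sample values: 203.0.113.10 (public address) and
! 192.168.50.0/24 (remote-access VPN pool). 192.168.10.10 is the VIP
! address used in the reply above.
object network VIP
 host 192.168.10.10
object network RAVPN_POOL
 subnet 192.168.50.0 255.255.255.0
!
! Section 1 (manual/twice NAT) is evaluated before object NAT.
! Identity NAT: the VIP keeps its private address whenever the peer
! is an address from the VPN pool.
nat (dmz,outside) source static VIP VIP destination static RAVPN_POOL RAVPN_POOL
!
! Section 2 (object NAT) is evaluated after section 1.
! Assumed form of the public publish: every other outside peer sees
! the VIP as 203.0.113.10.
object network VIP
 nat (dmz,outside) static 203.0.113.10
!
! Verification, run from privileged EXEC while a VPN user connects
! to 192.168.10.10:
!  - the identity rule must be listed under "Manual NAT Policies
!    (Section 1)" and the static under "Auto NAT Policies (Section 2)"
!  - the hit counters on the section 1 rule should increase; if only
!    the section 2 counters move, the exemption is not being matched
show running-config nat
show nat detail
```

If the public static was itself configured as a manual NAT rule, both rules sit in section 1 and are matched top-down, so the identity rule has to be listed above the static.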
