ASA S2S VPN advice concerning NAT

DENNIS BAAS
Level 1

Hi,


We use the private space 10.0.0.0/8 for our corporate inside resources. One of our offices has 10.29.0.0/16.

We created a Site-2-site connection between 2 ASA between corporate network and office. This VPN works fine. From our corporate network we can reach resources at the remote offices and vice versa.

However, clients from the remote office cannot reach the Internet. I know it is an issue with overlapping segments, but I need some advice on how to best resolve this.


Remote office:

ASA version: 9.1.2

10.29.0.0/16

Inside interface has 10.29.255.1/24 and is used as the default gateway for clients in the remote office. The inside interface is connected to a L3 switch, which has an interface 10.29.255.254. So the 10.29.255.0/24 segment acts as a transport segment between the L3 switch and the ASA.

Simulations using the packet tracer show successful access for internal clients to Internet resources.


Partial config:

!
object network CORP-ALL
 subnet 10.0.0.0 255.0.0.0
!
object network OFFICE
 subnet 10.29.0.0 255.255.0.0
!
access-list outside_cryptomap extended permit ip object OFFICE object CORP-ALL
nat (inside,outside) source static OFFICE OFFICE destination static CORP-ALL CORP-ALL no-proxy-arp route-lookup
!
route outside 0.0.0.0 0.0.0.0 [ISP IP] 1
route inside 10.29.0.0 255.255.0.0 10.29.255.254 1
!

No other ACLs present than the defaults.

So, basically, the gateway/ASA inside IP is part of the NAT config and will not allow outside Internet traffic. What is the best way to solve this?


What I was thinking of was to create a new network object that includes the local subnet but excludes the transfer segment, i.e. the range 10.29.0.1 - 10.29.254.254, and use that in the nat statement. So:

!
object network OFFICE-2
 range 10.29.0.1 10.29.254.254
!
nat (inside,outside) source static OFFICE-2 OFFICE-2 destination static CORP-ALL CORP-ALL no-proxy-arp route-lookup
!

Any input?

1 Reply

Rishabh Seth
Level 7

From what you have described, I understand that the remote office is configured to access corporate office resources over VPN and the rest of the Internet traffic will flow without the VPN tunnel.


>> You can check if the ASA is able to ping the Internet.

>> If the ASA can ping the Internet, then check if the ASA is configured to NAT all the Internet-bound traffic.

In case you do not have any NAT, then you can try using interface-based auto NAT.

Sample config:

object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface


>> Also ensure you have inspection for ICMP enabled.

>> If inspection for ICMP is not present, then you can use the command:

fixup protocol icmp


>> Also attach the packet tracer output from the ASA.


Thanks,

R.Seth
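Added example, not code from either post or from Cisco: a small Python model of how the ASA walks its NAT table for the rules in this thread (Section 1 manual/twice NAT before Section 2 object NAT, first match wins). It shows that with only the identity rule, Internet-bound traffic matches nothing and leaves untranslated, whether OFFICE or the poster's OFFICE-2 range is used, while the reply's obj_any dynamic interface rule PATs that traffic without touching VPN traffic. The outside address 198.51.100.2, client 10.29.10.5, corporate host 10.1.1.1 and web server 203.0.113.7 are constructed placeholders.

```python
from ipaddress import ip_address, ip_network, summarize_address_range

# Constructed model of the ASA NAT lookup for this thread's config; not Cisco code.
# The ASA evaluates Section 1 (manual/twice NAT, in configured order) before
# Section 2 (object/auto NAT). The first matching rule wins.
OUTSIDE_IP = ip_address("198.51.100.2")   # placeholder for the ASA outside (ISP) address
ANY = [ip_network("0.0.0.0/0")]
CORP_ALL = [ip_network("10.0.0.0/8")]
OFFICE = [ip_network("10.29.0.0/16")]
# The poster's OFFICE-2 idea: 10.29.0.1 - 10.29.254.254, i.e. the transport /24 excluded
OFFICE_2 = list(summarize_address_range(ip_address("10.29.0.1"), ip_address("10.29.254.254")))

def rule(section, name, src, dst, action):
    return {"section": section, "name": name, "src": src, "dst": dst, "action": action}

# Rules from the thread: the identity twice NAT that exempts VPN traffic (as posted and
# with OFFICE-2), and the reply's "object network obj_any ... nat (inside,outside) dynamic interface".
VPN_IDENTITY = rule(1, "OFFICE->CORP-ALL identity", OFFICE, CORP_ALL, "identity")
VPN_IDENTITY_2 = rule(1, "OFFICE-2->CORP-ALL identity", OFFICE_2, CORP_ALL, "identity")
INTERNET_PAT = rule(2, "obj_any dynamic interface", ANY, ANY, "pat")

def translate(src, dst, rules):
    """Return (matched rule name or None, source address the packet leaves with)."""
    s, d = ip_address(src), ip_address(dst)
    for r in sorted(rules, key=lambda r: r["section"]):
        if any(s in n for n in r["src"]) and any(d in n for n in r["dst"]):
            return r["name"], (s if r["action"] == "identity" else OUTSIDE_IP)
    # No rule matched: the packet keeps its 10.x source, which the ISP will not route back.
    return None, s

if __name__ == "__main__":
    client, corp_host, web = "10.29.10.5", "10.1.1.1", "203.0.113.7"
    scenarios = [("as posted", [VPN_IDENTITY]),
                 ("OFFICE-2 only", [VPN_IDENTITY_2]),
                 ("with obj_any PAT", [VPN_IDENTITY, INTERNET_PAT])]
    for label, rules in scenarios:
        print(f"{label:18} VPN: {translate(client, corp_host, rules)}  "
              f"Internet: {translate(client, web, rules)}")
```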
