Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
919
Views
0
Helpful
1
Replies

Basic NAT from outside remote-access IPSec VPN to inside

David Fletchall
Level 1
Level 1

‎03-16-2012 05:01 AM - edited ‎03-11-2019 03:43 PM

This is a simple problem, yet I cannot get this to work properly and I've even had a Cisco engineer from TAC set-this up... and it literally broke my inside network.  I have a VPN range of addresses..x.x.x.x on the Outside that needs access to a server on the Inside at y.y.y.y.  HTTPS/443 connectivity.  I need to NAT my VPN subnet/pool in order to talk to the inside host, as that host will not accept traffic from my VPN subnet, but obviously, will accept traffic from Inside my private network.

The Cisco tech entered the following static NAT statement to "fix" the problem -

nat (outside,inside) source static VPN Inside-Network destination static Host-y.y.y.y Host-y.y.y.y

For whatever reason, whenever this is configured on my ASA 5550 v8.3(2)25 the Inside interface starts proxy arping and assigns all IP addresses on my private network with the MAC address of the Inside interface.  At that point, nothing talks.

The y.y.y.y is on a remote, routed network within my private, corporate MPLS network.  My Inside private network (Inside-network shown in the static NAT above) is x.x.x.x.  Not sure why this happens, but it kills my entire network and I have to jump through hoops to quiesce the network and get everything back to normal.

I've tried to Dynamic-PAT/hide the VPN range behind the Inside interface through ASDM and that seems to do nothing.

The NAT statement above will break my network.  Anyone have any suggestions on how to NAT this connection without killing my Inside network?  Or, on how to properly hide my VPN subnet/pool behind my Inside interface and back to the VPN subnet/pool.  Thanks.

Labels:
0 Helpful
1 Reply 1

mirober2
Cisco Employee
Cisco Employee

‎03-24-2012 08:59 AM

Hi David,

It's true that you need a NAT rule similar to what you mentioned, but in 8.4(2) or higher it should include the 'no-proxy-arp' and 'route-lookup' keywords at the end:

nat (outside,inside) source static VPN Inside-Network destination static Host-y.y.y.y Host-y.y.y.y no-proxy-arp route-lookup

Without the keywords, the ASA will definitely proxy ARP on the inside interface for the Inside-Network object.

Also, I don't know what the Inside-Network object actually contains, so make sure this is the translated address or pool that you want the VPN subnet to use.

-Mike

EDIT: The line wrap makes the config look a bit confusing, but the keywords in bold are all part of the same NAT command.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card