IPSec VPN Tunnel

Hi,

I have established an IPSec VPN connection and created an access list to allow traffic to some internal resources through the VPN.

But when I try to allow Internet access to an internal resource by using NAT, the VPN connection to this resource is disconnected.

So I can enable either VPN or Internet access to the local resource.

I need to enable both. Any help?

Accepted Solution

Marvin Rhoads (Hall of Fame)

When you have a VPN with some or all of the resources also having a NAT policy, you need to exempt the traffic to/from the remote VPN networks from NAT, as you want to keep the true IP address for the traffic flowing through the VPN.

For example: https://supportforums.cisco.com/document/44566/asa-83-nat-exemption-example-basic-l2l-vpn-and-basic-ra-vpn

What hardware and software versions are you using? We can provide some more specific sample configurations if you provide that information.


4 Replies


ASA 5520

Cisco Adaptive Security Appliance Software Version 8.3(1)

internal network 192.168.0.0/24

VPN Client with split tunnel

access-list VPN line 1 extended permit tcp any host 192.168.0.216 eq 90

So when a user opens a vpn connection, he can reach host 192.168.0.216 on port 90.

But when we add a NAT rule to allow Internet access for host 192.168.0.216, the VPN connection to this host becomes unreachable.

object network host1

 host 192.168.0.216

 nat (inside2,outside) dynamic interface

It was resolved by adding a NAT exemption:

nat (inside,outside) source static NETWORK_OBJ_local NETWORK_OBJ_local destination static NETWORK_OBJ_VPNPool NETWORK_OBJ_VPNPool

Great. Please mark your question as answered if it has been.
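As an added example, not taken from the original poster's configuration or from the linked Cisco document, here is how the two NAT rules discussed above fit together in ASA 8.3 syntax, with the object NAT that broke the tunnel and the identity (exemption) rule that fixed it shown side by side. The interface names inside/outside, the VPN pool subnet 192.168.100.0/24 and the client address used in the trace are assumptions; the thread only gives the host address, the object names and the rule text.

```cisco
! Added example, not the original poster's running config.
! Assumptions: interfaces are named inside/outside, the VPN pool is
! 192.168.100.0/24 (the thread never states it), and 192.168.100.10 is
! one connected VPN client.
!
object network NETWORK_OBJ_local
 subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_VPNPool
 subnet 192.168.100.0 255.255.255.0
object network host1
 host 192.168.0.216
!
! Section 1 (manual / twice NAT). The ASA evaluates this section before
! any object NAT, so inside <-> VPN-pool traffic matches here first and
! keeps its real source and destination addresses in both directions.
nat (inside,outside) source static NETWORK_OBJ_local NETWORK_OBJ_local destination static NETWORK_OBJ_VPNPool NETWORK_OBJ_VPNPool
!
! Section 2 (object NAT). Any other traffic from host1 leaving via the
! outside interface is PATed behind the interface address. Without the
! Section 1 rule, replies from 192.168.0.216 to a VPN client also hit
! this rule and leave with the outside address as source, so they never
! match the client's tunnel and the host looks unreachable over the VPN.
object network host1
 nat (inside,outside) dynamic interface
!
! Verification: trace a reply from the host toward a VPN client and
! check that the NAT phase reports the identity rule, not the dynamic PAT.
! packet-tracer input inside tcp 192.168.0.216 90 192.168.100.10 50000
! show nat
! clear xlate local 192.168.0.216
```

Two practical points. First, NAT order is by section, not by position in the running config: every Section 1 (twice NAT) rule is checked before any Section 2 (object NAT) rule, which is why the exemption works regardless of which rule was entered first; if several Section 1 rules exist, their relative line order does matter. Second, after adding the exemption, clear the existing translations for the host (clear xlate local 192.168.0.216); a dynamic PAT entry built before the rule was added keeps being used until it times out or is cleared. On releases from 8.4(2) onward the identity rule also accepts the no-proxy-arp and route-lookup keywords, which are commonly added to VPN exemptions; they are not available on 8.3(1).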
