Static Nat and VPN conflict

pjoubert
Level 1

Hi

I could not quite find any information close enough to my problem to enable me to solve it, hence I am now reaching out to you guys.

I have a Cisco ASA running 8.2(1) and I am using ASDM to manage the firewall. I have a Linux VPN server on the inside with an IP address of YYY.YYY.YYY.39 with a static NAT to the outside with an address of XXX.XXX.XXX.171.

I have a site-to-site VPN tunnel which terminates on the outside interface of the ASA, XXX.XXX.XXX.190.

Traffic from the YYY.YYY.YYY.0/24 network can't traverse the site-to-site VPN, as there is a conflict of IP addresses on the far side, so it is NATted via a dynamic policy to the host address ZZZ.ZZZ.ZZZ.100.

Users remote into the inside (YYY.YYY.YYY.0/24) for support via the Linux VPN server (.39) and then need to communicate down the site-to-site VPN. The problem is that the static NAT for the incoming connections takes preference and bypasses the site-to-site VPN tunnel for outbound traffic. I tried to create a policy static NAT, but it tries to modify the static NAT that handles the incoming traffic to the Linux server.

I hope the above makes sense.

2 Replies

andrew.prince
Level 10

Post your config for review:

interesting vpn acl

static nat

no-nat

vpn client pool

Hi

Interesting VPN ACL

object-group network DM_INLINE_NETWORK_18

     network-object YYY.YYY.YYY.0 255.255.255.0

object-group network DM_INLINE_NETWORK_22

     network-object UUU.UUU.UUU.0 255.255.255.0

access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_22 object-group DM_INLINE_NETWORK_18

Static NAT

static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask 255.255.255.255

No NAT

object-group network DM_INLINE_NETWORK_20

     network-object UUU.UUU.UUU.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip ZZZ.ZZZ.ZZZ.0 255.255.255.0 object-group DM_INLINE_NETWORK_20

VPN Client Pool

No pool is configured, as it uses the interesting (protected) traffic defined in ASDM. UUU.UUU.UUU.0/24 is the IP address range on the far side of the site-to-site VPN.

I hope this helps

Thanks
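As an added illustration (not part of the thread and not the poster's configuration), the following Python model applies the ASA 8.2 NAT order of operations to the topology described in the original post and to the two NAT lines posted above, and shows why traffic from the .39 host to UUU.UUU.UUU.0/24 is translated to XXX.XXX.XXX.171 and therefore never matches the tunnel's interesting traffic, while any other inside host is policy-NATted to ZZZ.ZZZ.ZZZ.100 and enters the tunnel. The static and the nat0 ACL are modelled as posted. The dynamic policy NAT rule and the crypto map ACL were not posted, so their form (inside /24 to UUU /24 translated to ZZZ.ZZZ.ZZZ.100; crypto ACL ZZZ.ZZZ.ZZZ.0/24 to UUU.UUU.UUU.0/24) is an assumption consistent with the description, and RFC 5737 documentation and private addresses stand in for the masked ones. The precedence of the rule groups (NAT exemption, then static, then policy dynamic, then regular dynamic NAT) is how pre-8.3 ASA code evaluates NAT regardless of configuration order.

```python
"""Model of the ASA 8.2 (pre-8.3) NAT order of operations for inside -> outside
traffic, using the thread's topology. Added example; addresses are placeholders.

NAT lookup order on ASA 8.2 (fixed, independent of config order):
  1. NAT exemption            (nat 0 access-list ...)
  2. static NAT / static PAT  (static (in,out) ...)
  3. policy dynamic NAT       (nat <id> access-list ... + global)
  4. regular dynamic NAT/PAT  (nat <id> <net> <mask> + global)
The crypto map's interesting-traffic ACL is matched against the packet *after*
translation, so whichever NAT rule wins decides whether the tunnel is used.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ANY = IPv4Network("0.0.0.0/0")

# Placeholder addresses standing in for the masked ones in the thread.
INSIDE_NET = IPv4Network("10.10.10.0/24")     # YYY.YYY.YYY.0/24, the inside LAN
VPN_SERVER = IPv4Address("10.10.10.39")       # YYY.YYY.YYY.39, the Linux VPN server
STATIC_OUT = IPv4Address("203.0.113.171")     # XXX.XXX.XXX.171, its static NAT address
POLICY_NET = IPv4Network("192.0.2.0/24")      # ZZZ.ZZZ.ZZZ.0/24
POLICY_PAT = IPv4Address("192.0.2.100")       # ZZZ.ZZZ.ZZZ.100, policy PAT address
REMOTE_NET = IPv4Network("172.16.50.0/24")    # UUU.UUU.UUU.0/24, far side of the tunnel


@dataclass(frozen=True)
class NatRule:
    kind: str                      # "exempt" | "static" | "policy_dynamic" | "dynamic"
    src: IPv4Network               # real (pre-NAT) source range
    dst: IPv4Network               # ANY for rules that do not look at the destination
    mapped: Optional[IPv4Address]  # translated source; None means no translation


# Fixed precedence of the rule groups on ASA 8.2.
PRECEDENCE = ("exempt", "static", "policy_dynamic", "dynamic")

RULES = [
    # Posted: access-list Inside_nat0_outbound permit ip ZZZ.ZZZ.ZZZ.0/24 -> UUU.UUU.UUU.0/24
    NatRule("exempt", POLICY_NET, REMOTE_NET, None),
    # Posted: static (Inside,outside) XXX.XXX.XXX.171 YYY.YYY.YYY.39 netmask 255.255.255.255
    NatRule("static", IPv4Network("10.10.10.39/32"), ANY, STATIC_OUT),
    # Described but not posted (assumed form): inside /24 -> remote /24 PATted to ZZZ.ZZZ.ZZZ.100
    NatRule("policy_dynamic", INSIDE_NET, REMOTE_NET, POLICY_PAT),
]

# Assumed crypto-map ACL: the tunnel protects the policy-NATted range, not the real LAN.
CRYPTO_ACL = [(POLICY_NET, REMOTE_NET)]


def translate(rules, src, dst):
    """Return (rule_kind, translated_src) for the first matching rule in ASA 8.2
    group order; ("none", src) if no rule matches."""
    for kind in PRECEDENCE:
        for rule in rules:
            if rule.kind == kind and src in rule.src and dst in rule.dst:
                return kind, (rule.mapped if rule.mapped is not None else src)
    return "none", src


def uses_tunnel(crypto_acl, translated_src, dst):
    """The crypto ACL is evaluated on the post-NAT source address."""
    return any(translated_src in s and dst in d for s, d in crypto_acl)


def path(src, dst, rules=RULES, crypto_acl=CRYPTO_ACL):
    """Summarise how the ASA handles one inside -> outside packet."""
    src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
    kind, xlated = translate(rules, src_ip, dst_ip)
    return {"rule": kind,
            "translated_src": str(xlated),
            "tunnel": uses_tunnel(crypto_acl, xlated, dst_ip)}


if __name__ == "__main__":
    for host in ("10.10.10.50", "10.10.10.39"):
        print(f"{host} -> 172.16.50.10: {path(host, '172.16.50.10')}")
    print(f"10.10.10.39 -> 198.51.100.7: {path('10.10.10.39', '198.51.100.7')}")
```

Running it, the ordinary inside host (.50) is handled by the policy dynamic NAT, leaves as 192.0.2.100 (ZZZ.ZZZ.ZZZ.100) and matches the crypto ACL; the VPN server (.39) is caught by the static first, leaves as 203.0.113.171 (XXX.XXX.XXX.171) and never reaches the policy NAT or the tunnel, which is exactly the symptom in the original post. Note that the posted nat0 ACL names ZZZ.ZZZ.ZZZ.0/24 as the real source, so in this model it never matches an inside host; it is kept as posted rather than corrected.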
