08-14-2019 04:18 AM
I'm struggling with the following situation.
We have a Site to Site tunnel between ASA and a Checkpoint.
Our site has an internal 10.0.0.0/24 net and the remote site has 4 different nets configured.
Everything works as expected.
Now we must allow our Anyconnect remote users from net 10.0.2.0/24 to access a server on the remote site, but it's not possible to add the net 10.0.2.0/24 to the tunnel. So I tried to configure a twice nat for this.
nat (inside,outside) source static NET-10.0.2.0-VPN NET-10.0.2.0-VPN destination static NET-ALL-REMOTESITE 10.0.0.230 no-proxy-arp
The basic idea is to nat the VPN Net 10.0.2.0 to a single IP on the internal LAN, and then go through the VPN tunnel to the server on remote site.
But it doesn't work and I have no idea if it is possible in general or perhaps I am missing something.
08-14-2019 05:12 AM
You configured a destination-NAT and not Twice-NAT. And based on your problem-description, it should be enough to do a source-NAT (outside,outside) for the RA-network.
But also keep in mind that NAT always makes your config more complex. Perhaps it is easier to change the Remote-Access IP-range to something that can be added to the tunnel?
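A worked version of the source-NAT described in this answer, added here as an example (it is not configuration from the thread). The object NET-ALL-REMOTESITE and the address 10.0.0.230 come from the original post; the other object names, the AnyConnect client address and the remote server address are assumptions or placeholders.

```cisco
! Added example, not from the original post.
! Goal: let AnyConnect users (10.0.2.0/24, arriving on "outside") reach the
! remote site through the existing L2L tunnel, whose crypto ACL only covers
! the internal LAN 10.0.0.0/24. The RA pool is source-NATed behind one LAN
! address (10.0.0.230, the address the poster chose) so the traffic matches
! the tunnel's crypto ACL without adding 10.0.2.0/24 to the tunnel.

! RA traffic enters and leaves on the same interface, so hairpinning must be allowed.
same-security-traffic permit intra-interface

! Assumed object names (NET-ALL-REMOTESITE is assumed to already exist and to
! hold the four remote-site subnets that are in the crypto ACL).
object network NET-10.0.2.0-VPN
 subnet 10.0.2.0 255.255.255.0
object network NAT-IP-RA-TO-L2L
 host 10.0.0.230

! Source-NAT only: the RA pool is PATed to 10.0.0.230 toward the remote
! networks; the destination is an identity translation (left untouched).
! The original rule from the question instead matched (inside,outside) and
! translated the destination, which is why it never applied to this flow.
nat (outside,outside) source dynamic NET-10.0.2.0-VPN NAT-IP-RA-TO-L2L destination static NET-ALL-REMOTESITE NET-ALL-REMOTESITE

! Verify: the trace should show the NAT phase hit followed by the VPN
! (crypto) phase. 10.0.2.10 is a constructed client address; replace
! REMOTE-SERVER-IP with the actual server on the remote site.
packet-tracer input outside tcp 10.0.2.10 40000 REMOTE-SERVER-IP 443
```

Place this rule before any broader (outside,outside) or identity rules for the RA pool so it is evaluated first; if the trace stops at the NAT phase with a different rule, the ordering is the usual cause.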
08-14-2019 06:22 AM
Karsten many thanks for your advice. This was the easiest solution.
I reconfigured our DHCP for the 2 affected users. They now get an IP from the internal LAN 10.0.0.0/24 and can connect to the remote server.
THX