Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1022
Views
5
Helpful
2
Replies

Twice Nat Anyconnect possible ?

Go to solution
no_pain_no_gain_76
Level 1
Level 1

‎08-14-2019 04:18 AM

I´m struggeling with the following situation.

 

We have a Site to Site tunnel between ASA and a Checkpoint.

Our site has a internal 10.0.0.0/24 net and the remote site has 4 different nets configured.

Everything works as expected.

 

Now we must allow our Anyconnect remote users from net 10.0.2.0/24 to access a server on the remote site, but it`s not possible to add the net 10.0.2.0/24 to the tunnel. So i tried to configure a twice nat for this.

nat (inside,outside) source static NET-10.0.2.0-VPN NET-10.0.2.0-VPN destination static NET-ALL-REMOTESITE 10.0.0.230 no-proxy-arp

The basic idea is to nat the VPN Net 10.0.2.0 to a single IP on the internal LAN, and then go through the VPN tunnel to the server on remote site.

 

But It dosen`t work and i have no idea if it is possible in general or perhaps i miss something.

 

 

 

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎08-14-2019 05:12 AM

You configured a destination-NAT and not Twice-NAT. And based on your problem-description, it should be enough to do a source-NAT (outside,outside) for the RA-network.

But also keep in mind that NAT always makes your config more complex. Perhaps it is easier to change the Remote-Access IP-range to something that can be added to the tunnel?

View solution in original post

2 Replies 2

Go to solution
Karsten Iwen
VIP
VIP

‎08-14-2019 05:12 AM

You configured a destination-NAT and not Twice-NAT. And based on your problem-description, it should be enough to do a source-NAT (outside,outside) for the RA-network.

But also keep in mind that NAT always makes your config more complex. Perhaps it is easier to change the Remote-Access IP-range to something that can be added to the tunnel?

Go to solution
no_pain_no_gain_76
Level 1
Level 1
In response to Karsten Iwen

‎08-14-2019 06:22 AM

Karsten many thanks for your advice. This was the easiest solution.

I reconfigured our DHCP for the 2 affected users. They got now an IP from the internal LAN 10.0.0.0/24 and can connect to the remote server.

 

THX

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card