VPN + NAT

estebanvojacek
Level 1

Hello Guys:

I am trying to do a VPN + NAT on my ASA 5545x 9.6 device, this is my scenario:


Interfaces:

-outside
-VLAN43 (my VPN pool) 10.43.0.0 / 255.255.248.0
-VLAN200 (my DMZ VLAN) 10.20.2.0 / 255.255.255.0

Security-Level:
-outside (0)
-VLAN43 (10)
-VLAN200 (100)


I have an https server hosted in the VLAN200 with IP 10.20.2.100.
I want my outside users to be able to log in to the VPN (configured inside the same ASA with DHCP pool 10.43.0.1 - 7.255 for IPsec clients), point their Internet browser to the address https://10.43.0.90 and be able to access the host 10.20.2.100 (NAT from 10.43.0.90 to 10.20.2.100, https).
The VPN config is all set up and working, but I am not able to create the NAT rule so that it works on the inside of the VPN.

Any suggestions?

3 Replies

JP Miranda Z
Cisco Employee

Hi estebanvojacek,

You can use the following NAT:

object network obj-10.20.2.100
 host 10.20.2.100
object network nat-10.43.0.90
 host 10.43.0.90
!
nat (VLAN200,outside) source static obj-10.20.2.100 nat-10.43.0.90 destination static <vpnpool> <vpnpool> no-proxy-arp route-lookup

You can test this by doing a packet-tracer to a VPN user who is already connected (the destination port is a placeholder, as the ASA requires one):

packet-tracer input vlan200 tcp 10.20.2.100 12345 <VPNclientaddress> <clientport> detail

Hope this info helps!!

Rate if helps you!! 

-JP-

Thank you JP... sadly that doesn't work, or I am putting my rules in wrong.

What I did was unlock my VPN users from VLAN43: basically I removed the vlan43 value from the VPN group policy (GroupPolicy1), then added a new access-list rule to block all traffic from VLAN43 to the outside, letting out only traffic to my https server on VLAN200, and it worked great!

Here is my config:

object network vlan43
 subnet 10.43.0.0 255.255.248.0
 description vlan43
object network webserver-extip
 host 10.43.0.90
object network webserver
 host 10.20.2.100
!
access-list vlan43_access_out extended permit tcp object vlan43 host 10.43.0.90 eq https
access-list vlan43_access_out extended deny ip object vlan43 any
!
object network webserver
 nat (vlan200,outside) static webserver-extip service tcp https https
!
group-policy GroupPolicy1 attributes
 vpn-filter value vlan43_access_out
 vpn-tunnel-protocol ikev1 l2tp-ipsec

[etc..]

This way works great, but my only concern is that I will be handling nearly 2000 users on this VPN, and they will all be accessing this 10.43.0.90 host. Am I using too much CPU for this NAT and access-list?

Should I accomplish this in any other way?

Thank you guys.
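A small Python model of the working config above, to check which VPN-client flows the vpn-filter permits and what the DMZ server actually sees. This is an added example, not code from the thread or from Cisco; the sample flows are constructed, and evaluating the filter on the client's packet before the static service NAT is an assumption made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Flow(NamedTuple):
    proto: str   # "tcp", "udp" or "ip"
    src: str
    dst: str
    dport: int

# Objects taken from the poster's config.
VLAN43 = ipaddress.ip_network("10.43.0.0/21")          # object network vlan43
WEBSERVER_EXTIP = ipaddress.ip_address("10.43.0.90")   # object network webserver-extip
WEBSERVER = ipaddress.ip_address("10.20.2.100")        # object network webserver

# access-list vlan43_access_out as (action, proto, src_net, dst_host, dport); None = any.
ACL = [
    ("permit", "tcp", VLAN43, WEBSERVER_EXTIP, 443),
    ("deny", "ip", VLAN43, None, None),
]

def acl_decision(flow: Flow) -> str:
    """First-match evaluation of the vpn-filter ACL, with the ASA's implicit deny at the end."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for action, proto, src_net, dst_host, dport in ACL:
        if proto != "ip" and proto != flow.proto:
            continue
        if src not in src_net:
            continue
        if dst_host is not None and dst != dst_host:
            continue
        if dport is not None and dport != flow.dport:
            continue
        return action
    return "deny"

# nat (vlan200,outside) static webserver-extip service tcp https https
STATIC_PAT = {("tcp", WEBSERVER_EXTIP, 443): (WEBSERVER, 443)}

def forward(flow: Flow) -> Optional[Flow]:
    """Flow as the DMZ server sees it, or None when the vpn-filter drops it
    (assumption: filter checked first, then the static service NAT un-maps 10.43.0.90:443)."""
    if acl_decision(flow) != "permit":
        return None
    key = (flow.proto, ipaddress.ip_address(flow.dst), flow.dport)
    real_ip, real_port = STATIC_PAT.get(key, (key[1], flow.dport))
    return Flow(flow.proto, flow.src, str(real_ip), real_port)

def mapped_ip_inside_pool(mapped: str, pool_first: str, pool_last: str) -> bool:
    """Hygiene check: a mapped address inside the client pool could also be leased to a client."""
    m = ipaddress.ip_address(mapped)
    return ipaddress.ip_address(pool_first) <= m <= ipaddress.ip_address(pool_last)
```

The last check flags that 10.43.0.90 lies inside the pool 10.43.0.1 - 10.43.7.255 stated in the original post, so a client could be handed the same address the NAT uses.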

Hi estebanvojacek,

That works; my example was not that specific with the https protocol. Now keep in mind that if you don't use a destination they are going to have limited internet access as well (only https). As for having 2000 clients, that should not really cause a problem with the NAT, since in the end it is just a simple NAT.

Hope this info helps!!

Rate if helps you!! 

-JP-
