02-18-2014 07:17 AM - edited 03-04-2019 10:22 PM
Hello,
I have configured a Cisco VPN from a Cisco 877 DSL router to a Cisco ASA. All is working, but I have one final request to complete.
From the DSL side they have these portable devices that use 3G and home wifi to connect to a public IP (80.170.156.78) to upload and download work. I have installed wifi in this remote location where the DSL router is for these devices to use but they are trying to get to this public IP address through the VPN. These portable devices are hard coded to get to this public IP which is located on the other side of the VPN where the ASA is. It is basically a web server in the DMZ off the ASA.
I have managed to get the remote office to ping the inside IP of this public IP over the VPN, so I thought I could simply add a NAT to the DSL router to translate this public IP (80.170.156.78) to its private IP (192.168.15.8) but it doesn't work. I thought I could use split tunneling, but don't know how to do that.
The DSL router can ping the inside IP over the VPN - 192.168.15.8 the outside is 80.170.156.78
So I added:
(config)#ip nat inside source static 80.170.156.78 192.168.15.8
Which didn't work so I added
interface Vlan1
ip address 192.168.200.1 255.255.255.0
ip nat inside
and
interface Dialer1
ip address negotiated
ip access-group inbound in
ip nat outside
But still no luck, what am I doing wrong?
Thanks
02-18-2014 03:22 PM
Andy
Can you try changing the NAT to -
ip nat outside source static 192.168.15.8 80.170.156.78
This means when you go to 80.170.156.78 it should then be translated to 192.168.15.8. I assume this is what you want.
You may need to add a route for the 192.168.15.8 host pointing out of the IPSEC interface. You may also need to try both IPs in the ACL that defines interesting traffic.
It would be a lot easier to do this on the ASA, i.e. a simple static NAT statement, and then you make sure the ACL that defines traffic for the VPN is referencing the public IP.
Jon
02-19-2014 05:40 AM
Thanks that worked.
So I put it on the wrong interface? I guess the traffic is VPN traffic which is using the outside interface (dialer1)?
Do I still need the 'ip nat inside' command on the vlan 1, seems to work without?
Thanks
02-19-2014 06:42 AM
Andy
So I put it on the wrong interface?
No it was just that you needed an "ip nat source static outside ..." statement rather than an "ip nat inside source static ..." statement.
I would have thought you would need the "ip nat inside".
Shouldn't harm to leave it in.
Jon
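The difference between the two NAT statements in this thread, as an added Python model that is not part of the original posts. It assumes a constructed client address on the Vlan1 subnet, a crypto ACL of 192.168.200.0/24 to 192.168.15.8 (the thread does not show the real one), and that NAT is applied before the crypto map check for inside-to-outside traffic; routing is ignored.

```python
from ipaddress import ip_address, ip_network

# Addresses from the thread.
PUBLIC, PRIVATE = "80.170.156.78", "192.168.15.8"
CLIENT = "192.168.200.50"  # constructed host on the Vlan1 subnet

# Assumed crypto ACL (not shown in the thread): remote LAN -> DMZ host.
CRYPTO_ACL = [(ip_network("192.168.200.0/24"), ip_network("192.168.15.8/32"))]


def nat_in_to_out(src, dst, rules):
    """Translate a packet going from the 'ip nat inside' to the 'ip nat outside' interface."""
    for kind, first, second in rules:
        if kind == "inside" and src == first:      # inside local -> inside global
            src = second
        elif kind == "outside" and dst == second:  # outside local -> outside global
            dst = first
    return src, dst


def nat_out_to_in(src, dst, rules):
    """Translate a packet going from the outside to the inside interface."""
    for kind, first, second in rules:
        if kind == "inside" and dst == second:     # inside global -> inside local
            dst = first
        elif kind == "outside" and src == first:   # outside global -> outside local
            src = second
    return src, dst


def encrypted(src, dst):
    """True if the post-NAT packet matches the assumed crypto ACL."""
    return any(ip_address(src) in s and ip_address(dst) in d for s, d in CRYPTO_ACL)


def trace(rules):
    """Follow a device's request to the public IP and, if tunnelled, the reply."""
    src, dst = nat_in_to_out(CLIENT, PUBLIC, rules)
    if not encrypted(src, dst):
        return {"sent_to": dst, "in_vpn": False, "reply_from": None}
    reply_src, _ = nat_out_to_in(PRIVATE, CLIENT, rules)
    return {"sent_to": dst, "in_vpn": True, "reply_from": reply_src}


# Arguments in the order they appear on the command lines in the thread.
ORIGINAL = [("inside", "80.170.156.78", "192.168.15.8")]
SUGGESTED = [("outside", "192.168.15.8", "80.170.156.78")]

if __name__ == "__main__":
    print("original :", trace(ORIGINAL))
    print("suggested:", trace(SUGGESTED))
```

With the original statement the destination is never rewritten, so the packet still targets the public IP and misses the tunnel; with the suggested one the request is tunnelled to 192.168.15.8 and the reply appears to the device to come from 80.170.156.78.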