Reference document for handling the NAT aspect of U-turning (hairpinning) RA VPN client traffic on the ASA
Example of U-turning Internet traffic (i.e. the VPN client connects with a tunnel-all policy but still needs Internet access)
Topology
192.168.1.0/24 inside(ASA1)outside------------Internet
                           |
                           ===VPN===VPN Client (vpnclient pool 192.168.3.0/24)
NAT configuration on ASA1
object network obj-vpnpool
 subnet 192.168.3.0 255.255.255.0
 nat (outside,outside) dynamic interface
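The object NAT line above is only the translation half of the setup. As an added worked example (not part of the original note), here is the full ASA1 configuration a client-to-Internet hairpin depends on, in 8.3+ syntax: the intra-interface permit that lets decrypted traffic re-exit the outside interface, a tunnel-all group policy, the pool, the NAT rule, and the show commands used to confirm hits. Names such as GP-TUNNELALL, TG-RAVPN, VPNPOOL and the DNS server address are placeholders I assume for illustration.

```cisco
! Added example, not the original note's config. Interface names "inside" and
! "outside" follow the topology; all other names/addresses are assumed placeholders.

! 1. Hairpin prerequisite: permit traffic to enter and leave the same interface.
!    Without it the decrypted client traffic is dropped on "outside" even though
!    the NAT rule below matches.
same-security-traffic permit intra-interface

! 2. Tunnel-all policy: the client forwards every destination, Internet included,
!    through the tunnel, which is why the return path must be hairpinned.
group-policy GP-TUNNELALL internal
group-policy GP-TUNNELALL attributes
 split-tunnel-policy tunnelall
 dns-server value 192.168.1.10

! 3. Client address pool (192.168.3.0/24 as in the topology).
ip local pool VPNPOOL 192.168.3.1-192.168.3.254 mask 255.255.255.0

tunnel-group TG-RAVPN type remote-access
tunnel-group TG-RAVPN general-attributes
 address-pool VPNPOOL
 default-group-policy GP-TUNNELALL

! 4. Object NAT: pool addresses leaving via "outside" are PAT'd to the
!    outside interface address. Source and destination interface are both
!    "outside" because the traffic arrived (encrypted) on that interface.
object network obj-vpnpool
 subnet 192.168.3.0 255.255.255.0
 nat (outside,outside) dynamic interface

! 5. Verify with a client connected: translate_hits on the obj-vpnpool rule
!    should increase, and xlates for 192.168.3.x should map to the outside IP.
show nat detail
show xlate | include 192.168.3
```

If the translate_hits counter stays at zero while the client has Internet traffic flowing, check the `same-security-traffic` line first; a missing intra-interface permit produces drops rather than NAT misses.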
Example of U-turning RA VPN traffic across another L2L tunnel (i.e. your VPN client connects to one ASA but needs to reach remote subnets behind another ASA across an L2L tunnel)
Topology
192.168.1.0/24 inside(ASA1)outside===VPN==outside(ASA2)inside 192.168.2.0/24
                           |
                           ===VPN===VPN Client (vpnclient pool 192.168.3.0/24)
NAT configuration on ASA1
object network obj-vpnpool
 subnet 192.168.3.0 255.255.255.0
object network obj-remote
 subnet 192.168.2.0 255.255.255.0
nat (outside,outside) 1 source static obj-vpnpool obj-vpnpool destination static obj-remote obj-remote
You may also need the reverse rule (the logs will report an asymmetric NAT match) if you are running code without the fix for CSCth72642:
nat (outside,outside) 2 source static obj-remote obj-remote destination static obj-vpnpool obj-vpnpool
*Note: Due to bug CSCtf89372, I use the "1" in the command above to put the VPN NAT statement at the top of all my NAT statements.
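The twice NAT identity rules above keep the ASA from translating pool-to-remote traffic, but the L2L tunnel itself must also be told to carry the pool. As an added worked example (not part of the original note), here is the matching configuration on both ASAs: the crypto ACL on each side includes 192.168.3.0/24 alongside the LAN, ASA1 carries the identity rules in the order the note recommends, and ASA2 gets a NAT exemption so replies to the pool are not PAT'd. Object and ACL names, and the peer address 203.0.113.2, are placeholders I assume for illustration; the crypto map and IKE configuration are left out as they do not differ from a normal L2L.

```cisco
! Added example, not the original note's config. Object/ACL names and the peer
! address 203.0.113.2 are assumed placeholders.

! ===== ASA1 (terminates the RA VPN clients and one end of the L2L) =====
! Hairpin prerequisite: client traffic enters and leaves on "outside".
same-security-traffic permit intra-interface

object network obj-inside
 subnet 192.168.1.0 255.255.255.0
object network obj-vpnpool
 subnet 192.168.3.0 255.255.255.0
object network obj-remote
 subnet 192.168.2.0 255.255.255.0

! The crypto ACL must protect the VPN pool as well as the local LAN; otherwise
! client traffic for 192.168.2.0/24 is routed out "outside" in the clear and
! never enters the L2L tunnel.
access-list ACL-L2L-ASA2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list ACL-L2L-ASA2 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

! Identity (no-translate) rules for pool <-> remote, sequence 1 and 2 so they
! sit above every other NAT rule as the note recommends. Rule 2 is the reverse
! direction needed on code without the CSCth72642 fix.
nat (outside,outside) 1 source static obj-vpnpool obj-vpnpool destination static obj-remote obj-remote
nat (outside,outside) 2 source static obj-remote obj-remote destination static obj-vpnpool obj-vpnpool
! Ordinary identity rule for the local LAN across the same L2L.
nat (inside,outside) source static obj-inside obj-inside destination static obj-remote obj-remote

! ===== ASA2 (remote peer) =====
object network obj-local
 subnet 192.168.2.0 255.255.255.0
object network obj-ra-pool
 subnet 192.168.3.0 255.255.255.0
object network obj-asa1-lan
 subnet 192.168.1.0 255.255.255.0

! Mirror image of ASA1's crypto ACL: the pool is a protected destination here.
access-list ACL-L2L-ASA1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ACL-L2L-ASA1 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

! NAT exemption toward both the ASA1 LAN and the RA pool, so replies keep their
! real 192.168.2.x source instead of being PAT'd to the outside address.
nat (inside,outside) source static obj-local obj-local destination static obj-asa1-lan obj-asa1-lan
nat (inside,outside) source static obj-local obj-local destination static obj-ra-pool obj-ra-pool

! ===== Verification (run on either ASA) =====
! translate_hits/untranslate_hits on the identity rules should rise, and the
! IPsec SA toward the peer should show encaps/decaps for the pool traffic.
show nat detail
show crypto ipsec sa peer 203.0.113.2
```

A quick way to tell the two failure modes apart: if `show nat detail` counts hits but `show crypto ipsec sa` shows no packets for the pool, the crypto ACL is missing the 192.168.3.0/24 entry; if the NAT counters stay at zero, the rule ordering or the missing intra-interface permit is the problem.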