08-16-2017 01:11 AM
I have set up a standard remote VPN so a user can remotely connect to the Firewall and have configured a NAT rule so that they have internet access using a WAN IP on the Firewall.
I'm now trying to make it so that when connected to the VPN they can access sites hosted on servers that are also behind the firewall.
For example site1.com resolves to 1.1.1.1 which is also behind the firewall and their "public" IP is 1.1.1.2.
I've tried adding a rule to say if the source address is 1.1.1.2 with destination 1.1.1.1 to just NAT it to 192.168.1.2 which is the internal IP but this doesn't seem to work.
Is it possible to just make it so if they are connected to the VPN it just NATs it so they have the same access as if they were public?
08-16-2017 02:14 AM
You can do that but ensure that the NAT rule is before the exemption rule. Here are two ways to do it:
nat(inside,outside) 1 source static server-private server-public destination static anyconnect-pool anyconnect-pool
or nat(outside,inside) 1 source static anyconnect-pool anyconnect-pool destination static server-public server-private
This should untranslate packets coming from the AnyConnect client from the public address to the private address.
Moh,
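The ordering point in the answer above (manual NAT rules are matched first-hit, so an exemption that precedes the static server rule shadows it) can be illustrated with a small model of ASA twice-NAT lookup. This is an added example, not code from the thread or from Cisco; the object names are taken from the answer, the addresses and the "any" exemption rule are constructed here, and the model only covers static source/destination mappings between equal-sized networks.

```python
import ipaddress
from dataclasses import dataclass

# Constructed object definitions (assumed addresses, not from the thread).
OBJECTS = {
    "anyconnect-pool": ipaddress.ip_network("10.10.10.0/24"),   # VPN client pool
    "server-public":   ipaddress.ip_network("203.0.113.10/32"), # mapped (public) server address
    "server-private":  ipaddress.ip_network("192.168.1.2/32"),  # real (inside) server address
    "any":             ipaddress.ip_network("0.0.0.0/0"),
}


def _map(addr, from_name, to_name):
    """Move addr from network from_name to the same offset in to_name (identity if names are equal)."""
    if from_name == to_name:
        return addr
    from_net, to_net = OBJECTS[from_name], OBJECTS[to_name]
    offset = int(addr) - int(from_net.network_address)
    return to_net.network_address + offset


@dataclass
class TwiceNatRule:
    """Models: nat (outside,inside) source static SRC_REAL SRC_MAPPED destination static DST_MAPPED DST_REAL

    Field order follows the ASA keyword order: the destination pair is written mapped first, real second.
    The packet is viewed from the VPN (outside) side, so its destination carries the mapped address.
    """
    src_real: str
    src_mapped: str
    dst_mapped: str
    dst_real: str

    def matches(self, src, dst):
        return src in OBJECTS[self.src_real] and dst in OBJECTS[self.dst_mapped]

    def translate(self, src, dst):
        return (_map(src, self.src_real, self.src_mapped),
                _map(dst, self.dst_mapped, self.dst_real))


def apply_nat(rules, src, dst):
    """First-match lookup over manual NAT rules; returns (rule index, translated src, translated dst) or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, rule in enumerate(rules):
        if rule.matches(src, dst):
            new_src, new_dst = rule.translate(src, dst)
            return idx, str(new_src), str(new_dst)
    return None


# The server rule from the answer (second form) and a constructed VPN exemption (identity NAT to any).
SERVER_RULE = TwiceNatRule("anyconnect-pool", "anyconnect-pool", "server-public", "server-private")
EXEMPT_RULE = TwiceNatRule("anyconnect-pool", "anyconnect-pool", "any", "any")

CORRECT_ORDER = [SERVER_RULE, EXEMPT_RULE]  # server rule before the exemption
WRONG_ORDER = [EXEMPT_RULE, SERVER_RULE]    # exemption first: it matches every destination and wins


if __name__ == "__main__":
    for label, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(label, apply_nat(rules, "10.10.10.5", "203.0.113.10"))
```

With the server rule first, a VPN client packet to the public address is untranslated to 192.168.1.2; with the exemption first, the identity rule matches and the destination is left at the public address, which is the symptom the ordering advice is meant to avoid.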
08-16-2017 03:16 AM
Thanks Moh.
Doing that I get:
Addresses overlap with existing localpool range
ERROR: NAT Policy is not downloaded
This is the NAT I have already to allow outgoing internet so I assume it is that.
nat (any,any) source dynamic VPN WAN-6 dns
VPN is the VPN pool.
08-16-2017 03:19 AM
Can you change this
nat (any,any) source dynamic VPN WAN-6 dns
to
nat (outside,outside) source dynamic VPN WAN-6 dns
08-16-2017 03:26 AM
Thanks, I changed that so it is now:
nat (outside,outside) source dynamic VPN WAN-6 dns
Then if I run this:
nat (inside,outside) 1 source static WAN-2 LAN-2 destination static VPN VPN
I still get the NAT Policy is not downloaded, Addresses overlap with existing localpool range.
08-16-2017 03:31 AM
Please paste the entire NAT config here:)
08-16-2017 03:34 AM
nat (outside,outside) source dynamic VPN WAN-6 dns
nat (any,any) source static any any destination static WAN-6 LAN-6
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.1.128_25 NETWORK_OBJ_192.168.1.128_25 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.128_25 NETWORK_OBJ_192.168.1.128_25 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network LAN
nat (any,any) static WAN
object network LAN-1
nat (any,any) static WAN-1
object network LAN-4
nat (any,any) static WAN-4 dns
object network LAN-5
nat (any,any) static WAN-5
object network LAN-2
nat (any,any) static WAN-2
object network LAN-3
nat (any,any) static LAN-3
object network WAN-2
nat (any,any) static LAN-2