02-16-2016 07:46 AM
Can someone help me please? I am rusty with VPN and Natting.
Scenario: I need to split tunnel my internal network. NAT traffic from 192.168.0.0/24 to 192.168.88.0/24 only when establishing a VPN connection for objects that I have defined in a specific Network Object Group (Group1Servers). Traffic destined for the internet does not get this 88 NAT; it will remain at default.
ASA5506-X, ASDM 7.5, ASA 9.5
02-18-2016 07:56 AM
Hello,
You can configure a static policy NAT to translate 192.168.0.0/24 to 192.168.88.0/24 when the destination is Group1Servers. The CLI commands will be:
Create objects for 192.168.0.0/24 and 192.168.88.0/24:
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.255.0
object network obj-192.168.88.0
 subnet 192.168.88.0 255.255.255.0
NAT statement:
nat (inside,outside) source static obj-192.168.0.0 obj-192.168.88.0 destination static Group1Servers Group1Servers
You can refer to this documentation for NAT configuration:
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples
Since this traffic is going over a site-to-site tunnel, remember that the interesting traffic needs to be configured with the translated network "192.168.88.0/24", not the real one. That's a common mistake, so just keep that in mind.
Regards, please rate.
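The point about interesting traffic, shown as an added example that is not part of the original reply: the ASA applies the NAT rule before it matches the crypto ACL, so the ACL has to list the translated source. The names VPN-ACL and OUTSIDE_MAP, the sequence number 10, the inside host 192.168.0.10 and the `<server-ip>` placeholder are assumptions, not values from this thread.

```cisco
! Added example; VPN-ACL, OUTSIDE_MAP and sequence 10 are assumed names.
!
! Common mistake: crypto ACL written with the real inside network.
! After the policy NAT the source is already 192.168.88.x, so this entry
! never matches and the traffic does not enter the tunnel.
! access-list VPN-ACL extended permit ip 192.168.0.0 255.255.255.0 object-group Group1Servers
!
! Correct: match the translated source network.
access-list VPN-ACL extended permit ip 192.168.88.0 255.255.255.0 object-group Group1Servers
crypto map OUTSIDE_MAP 10 match address VPN-ACL
!
! Verification from the ASA CLI. 192.168.0.10 is a constructed inside host;
! <server-ip> stands for one member of Group1Servers.
! packet-tracer input inside tcp 192.168.0.10 1025 <server-ip> 443 detailed
! show nat detail
! show crypto ipsec sa
```

The remote peer's crypto ACL has to mirror this entry, with 192.168.88.0/24 as the destination. In the packet-tracer output the NAT phase should show the 192.168.88.x translation before the VPN encrypt phase.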
02-19-2016 05:59 AM
Perfect. I made your common mistake. Thanks for the guidance.