04-04-2008 03:06 PM - edited 02-21-2020 03:39 PM
Got a little bit of a dilemma. Wondering if anyone knows how to do the following:
Got a host connected to an ASA in a datacenter via the AnyConnect VPN Client. No problems there. Trying to reach a host behind a MonoWall NAT. The MonoWall is already NATing behind an IP that the client can reach ok, but I'd like to be able to reach the host from the VPN client via the IP address behind the MonoWall. Basically, it's set up like this:
192.168.20.3 -- (MonoWall NAT)10.3.25.32 -- 10.3.25.1(router)10.3.100.1 -- 10.3.100.10(ASA) -- 10.3.251.73(AnyConnect VPNHost)
I can ping 10.3.25.32 ok. I can't ping 192.168.20.3.
04-10-2008 01:20 PM
The MonoWall would have to support no-nat based on access-list policy (set a rule to no-nat that host when destined to the VPN client host(s)) and then every intermediate hop would need a route to that host's no-nat address (192.168.20.3), including the ASA. Of course, there's probably a reason NAT was implemented to shield that part of the network and now it's being circumvented.
04-10-2008 01:26 PM
Thanks for the response. Actually, it's to shield the rest of the network. Bypassing NAT is not what we'd like. What I'm hoping for is some way to change the packet's destination from the 192.x.x.x to the 10.x.x.x. Routing for 10.x.x.x is already in place. I'm trying to get each end point on each side to only deal with the local subnets that each end point is located in. Thanks.
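As an added illustration (not code from the thread), a small Python model of the topology above that walks a packet from the AnyConnect client hop by hop, applying destination NAT before routing at each hop. It assumes the MonoWall's existing NAT maps 10.3.25.32 one-to-one to 192.168.20.3, and compares the unchanged setup, the no-NAT-plus-routes approach from the reply, and a destination translation at the ASA as asked for in the last post.

```python
import ipaddress

# Constructed model of the thread's topology (added example, not from the posts).
# Each hop holds a routing table {prefix: next hop or "local"} and optional
# destination-NAT rules {dst on arrival: dst after translation} (assumed MonoWall 1:1 NAT).
def make_hops(asa_dnat=None, extra_routes=()):
    hops = {
        "asa": {"routes": {"10.3.0.0/16": "router"}, "dnat": dict(asa_dnat or {})},
        "router": {"routes": {"10.3.25.0/24": "monowall", "10.3.100.0/24": "local"}, "dnat": {}},
        "monowall": {"routes": {"10.3.25.0/24": "local", "192.168.20.0/24": "host"},
                     "dnat": {"10.3.25.32": "192.168.20.3"}},
        "host": {"routes": {"192.168.20.0/24": "local"}, "dnat": {}},
    }
    for hop, prefix, nxt in extra_routes:      # routes added for the no-NAT approach
        hops[hop]["routes"][prefix] = nxt
    return hops

def lookup(routes, dst):
    """Longest-prefix match; None means the hop has no route and drops the packet."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nxt in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nxt)
    return best[1] if best else None

def trace(dst, hops):
    """Forward from the VPN client via the ASA; returns (where it ended, [(hop, dst seen), ...])."""
    hop, path = "asa", []
    while True:
        node = hops[hop]
        dst = node["dnat"].get(dst, dst)       # destination NAT is applied before routing
        path.append((hop, dst))
        nxt = lookup(node["routes"], dst)
        if nxt is None:
            return "dropped at " + hop, path
        if nxt == "local":
            return hop, path
        hop = nxt

def scenarios():
    """The three cases discussed: as-is, the no-NAT-plus-routes answer, and translating at the ASA."""
    no_nat_routes = [("asa", "192.168.20.0/24", "router"), ("router", "192.168.20.0/24", "monowall")]
    return {
        "as_is_public": trace("10.3.25.32", make_hops()),
        "as_is_private": trace("192.168.20.3", make_hops()),
        "no_nat_plus_routes": trace("192.168.20.3", make_hops(extra_routes=no_nat_routes)),
        "translate_at_asa": trace("192.168.20.3", make_hops(asa_dnat={"192.168.20.3": "10.3.25.32"})),
    }
```

With the ASA translation, the intermediate hops only ever see 10.x addresses while the VPN client keeps using 192.168.20.3; the model covers the forward path only, so the return path (and the MonoWall's no-NAT rule in the reply's approach) still has to be handled symmetrically.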