08-04-2016 05:41 AM
Hi
I need to create NAT rule to allow my VPN clients to go directly to the internet if they are going to specific addresses.
So, for example:
Anyconnect VPN pool = 10.1.1.0/24
Destinations to be reached directly are 1.2.3.4, 1.2.3.5, 2.3.4.5, 3.4.5.6
I want the VPN pool to NAT to the outside interface address.
So I define an object called VPN_Pool containing 10.1.1.0/24
I define the destinations as an object called Internet-Servers containing the addresses above.
Would the following rule work?
nat (outside,outside) source dynamic VPN_Pool interface destination static Internet-Servers Internet-Servers
My logic is VPN_Pool traffic from the outside going to the outside should NAT to the outside interface only for destinations in the Internet-Servers object. The Internet-Servers will retain the same IP address.
Traffic that is not going from VPN_Pool to Internet-Servers will bypass this rule and follow any other matching rule further down the NAT list.
Thanks for any input, Stuart.
08-04-2016 10:41 PM
Hello,
Assuming that you tunnel all (or matching) traffic from the client, that seems right; however, you need the command:
same-security-traffic permit intra-interface
to allow traffic to "bounce" on the outside interface.
//Cristian
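For reference, here is the full configuration the two posts describe, written out as an added example rather than anything posted in the thread. It assumes ASA 8.3+ NAT syntax, that the clients tunnel all traffic (so the hairpin is actually used), and a client address of 10.1.1.10 for the verification step.

```cisco
! Added example (not from the thread): objects and rules discussed above,
! as entered on an ASA running 8.3+ NAT syntax.
object network VPN_Pool
 subnet 10.1.1.0 255.255.255.0
!
object-group network Internet-Servers
 network-object host 1.2.3.4
 network-object host 1.2.3.5
 network-object host 2.3.4.5
 network-object host 3.4.5.6
!
! Required so that a packet which arrived on outside (inside the VPN tunnel)
! is allowed to leave through outside again (the hairpin Cristian describes).
same-security-traffic permit intra-interface
!
! Twice (manual) NAT: VPN_Pool -> Internet-Servers is PAT'd to the outside
! interface address; the destination is an identity translation (unchanged).
! Manual NAT rules are evaluated top-down, so position this rule relative to
! any existing VPN identity/no-NAT rules deliberately.
nat (outside,outside) source dynamic VPN_Pool interface destination static Internet-Servers Internet-Servers
!
! Verification from exec mode (10.1.1.10 is an assumed client address from
! the pool): the trace should show the NAT phase matching the rule above and
! the flow allowed, rather than dropped by the intra-interface check.
! packet-tracer input outside tcp 10.1.1.10 12345 1.2.3.4 443
```

Traffic from the pool to any destination outside the Internet-Servers group does not match this rule and falls through to the remaining NAT rules, which is the behaviour the original post expects.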
08-13-2016 11:46 AM
Thank you for the input Cristian. I have a change window scheduled later this week to test.
Stuart