ASA 9.1 - NAT VPN traffic to certain destinations

eagles-nest
Level 1

Hi

I need to create NAT rule to allow my VPN clients to go directly to the internet if they are going to specific addresses. 

So for example

Anyconnect VPN pool = 10.1.1.0/24

Destinations to be reached directly are 1.2.3.4, 1.2.3.5, 2.3.4.5, 3.4.5.6

I want the VPN pool to NAT to the outside interface address.

So I define an object called VPN_Pool containing 10.1.1.0/24

I define the destinations as an object called Internet-Servers containing the addresses above.

Would the following rule work?

nat (outside,outside) source dynamic VPN_Pool interface destination static Internet-Servers Internet-Servers

My logic is VPN_Pool traffic from the outside going to the outside should NAT to the outside interface only for destinations in the Internet-Servers object.  The Internet-Servers will retain the same IP address.

Traffic that is not going from VPN_Pool to Internet-Servers will bypass this rule and follow any other matching rule further down the NAT list.

Thanks for any input, Stuart.

2 Replies

Hello,

Assuming that you tunnel all (or matching) traffic from the client, that seems right; however, you need the command:

same-security-traffic permit intra-interface

to allow traffic to "bounce" on the outside interface.

//Cristian
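For reference, this is how the objects, the intra-interface command and the NAT rule discussed in this thread fit together as an ASA configuration, with the checks to run in the change window. It is an added illustration, not configuration from the original post; the object names are the ones Stuart used, while the interface name, the full-tunnel AnyConnect assumption and the packet-tracer test addresses are assumptions.

```cisco
! Illustrative ASA 9.1 configuration (added example, not from the original thread).
! Assumes the object names from the question and a full-tunnel AnyConnect profile.
object network VPN_Pool
 subnet 10.1.1.0 255.255.255.0
!
! Several hosts need an object-group rather than a single network object.
object-group network Internet-Servers
 network-object host 1.2.3.4
 network-object host 1.2.3.5
 network-object host 2.3.4.5
 network-object host 3.4.5.6
!
! Required so traffic can enter and leave the same (outside) interface.
same-security-traffic permit intra-interface
!
! Manual (twice) NAT: VPN pool -> outside interface PAT, only for the listed
! destinations. Destination is unchanged (Internet-Servers -> Internet-Servers).
! Manual NAT rules are evaluated top-down, so keep this above any broader rule
! that could match the VPN pool first.
nat (outside,outside) source dynamic VPN_Pool interface destination static Internet-Servers Internet-Servers
!
! Verification after applying the change:
!   show nat detail
!     -> the rule should appear with hit counts once clients send matching traffic
!   packet-tracer input outside tcp 10.1.1.10 40000 1.2.3.4 443
!     -> expect a NAT phase using this rule and a final ALLOW
!   packet-tracer input outside tcp 10.1.1.10 40000 203.0.113.10 443
!     -> constructed non-listed destination; should NOT translate via this rule
```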

Thank you for the input, Cristian. I have a change window scheduled later this week to test.

Stuart