05-16-2021 02:04 PM - edited 05-16-2021 02:06 PM
Hello
We use Cisco ASA as site-to-site VPN gateway.
Now one customer wants to connect some mobile devices via site-to-site VPN to our ASA.
All these devices should be placed in the same subnet (remote network).
How can I connect different mobile devices, each connecting separately via site-to-site VPN to our ASA, so that all devices are placed in the same subnet (remote network from the ASA's view)?
Is there a feature or known procedure for this requirement?
Many thanks.
Marco
05-20-2021 02:29 PM
You can change the NAT rule of the remote network to a different IP.
Example:
!
object network Mobile-Site1-Real
host 192.168.0.10
!
object network Mobile-Site1-Mapped
host 172.16.0.10
!
object network ASA-Host-Device
host 10.10.10.1
nat (inside,outside) source static ASA-Host-Device ASA-Host-Device destination static Mobile-Site1-Mapped Mobile-Site1-Real no-proxy-arp route-lookup
!
To give you an idea, here is a Cisco document: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/211275-Configuration-Example-of-ASA-VPN-with-Ov.html
05-26-2021 06:14 AM
Hello
I tried to understand the whole thing based on the Cisco documentation, but I didn't really succeed.
As additional information, there are around 50 mobile devices.
Is it correct that every mobile device (remote) can connect to IPsec Site-2-Site-VPN and its remote local IP is mapped to an IP of a NAT subnet on the central ASA?
In your example, the remote local IP 192.168.0.10 is mapped to the local ASA NAT IP 10.10.10.1?
This would then have to be done 50 times?
Is it possible to specify an IP via FQDN names during the authentication process of the site-2-site tunnel?
Someone told me this feature is called Road Warrior.
I am confused.
Thanks.
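The twice-NAT pattern from the reply above has to be repeated once per mobile site, so as an added example (not from the thread or from Cisco) here is a small generator that emits the object and nat lines for N devices that all present the same overlapping real address, giving each its own mapped address from a pool and refusing to hand out duplicates. The site names, the 192.168.0.10 real host, the 172.16.0.0/24 mapped pool and the ASA-Host-Device object are assumptions chosen to match the reply's example.

```python
import ipaddress

# Constructed inventory (not from the thread): every mobile device sits at the
# same real LAN address behind its own site-to-site tunnel, so each needs a
# unique mapped address on the central ASA.
MOBILE_SITES = [f"Mobile-Site{i}" for i in range(1, 4)]
REAL_HOST = "192.168.0.10"                          # overlapping real IP
MAPPED_POOL = ipaddress.ip_network("172.16.0.0/24")  # pool of unique mapped IPs
ASA_HOST = "ASA-Host-Device"                        # assumed local object name
ASA_HOST_IP = "10.10.10.1"


def mapped_ip(index: int) -> str:
    """Return the index-th usable address of the pool, or fail if it is exhausted."""
    hosts = list(MAPPED_POOL.hosts())
    if index >= len(hosts):
        raise ValueError("mapped pool exhausted; pick a larger pool")
    return str(hosts[index])


def render_site(name: str, index: int) -> list[str]:
    """Emit the real/mapped objects and the twice-NAT rule for one mobile site."""
    return [
        f"object network {name}-Real",
        f" host {REAL_HOST}",
        f"object network {name}-Mapped",
        f" host {mapped_ip(index)}",
        f"nat (inside,outside) source static {ASA_HOST} {ASA_HOST} "
        f"destination static {name}-Mapped {name}-Real no-proxy-arp route-lookup",
    ]


def render_config(sites: list[str]) -> list[str]:
    """Full NAT fragment: shared local object first, then one block per site."""
    lines = [f"object network {ASA_HOST}", f" host {ASA_HOST_IP}"]
    for i, name in enumerate(sites):
        lines.append("!")
        lines.extend(render_site(name, i))
    return lines


def mapped_addresses(sites: list[str]) -> dict[str, str]:
    """Site name -> mapped IP, useful to check that no two sites collide."""
    return {name: mapped_ip(i) for i, name in enumerate(sites)}


if __name__ == "__main__":
    print("\n".join(render_config(MOBILE_SITES)))
```

Only the NAT side is generated; the crypto ACL and tunnel-group for each site still have to be defined separately.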