11-02-2005 12:58 AM - edited 02-21-2020 02:04 PM
I have VPN LAN to LAN and the VPNs are working correctly. I have access from LAN to LAN. But I can't access the Internet from VPN peers.
I added
nat (outside) 1 access-list VPN-NAT
access-list VPN-NAT extended permit ip 10.0.0.0 255.0.0.0 any
and I can go to the Internet - OK
but after that I don't have access between LAN-LAN, because
I NAT all traffic.
I can't add:
access-list VPN-NAT extended deny ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
Because DENY is not permitted in NAT
Anyone know how to solve this tricky problem?
THX
Laptom
11-02-2005 02:36 AM
hello,
You need to do the following:
1) Restrict the VPN-NAT ACL (for IPSEC) to particular source and destination subnets. Do not use "any" here, e.g.
access-list VPN-NAT extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0
where 172.16.0.0 is the destination subnet on IPSEC.
Do a nonat for this:
nat (outside) 0 access-list VPN-NAT
2) Apply all other traffic to the Internet:
access-list INT extended permit ip 10.0.0.0 255.0.0.0 any
nat (outside) 1 access-list INT
By doing this, any traffic for 172.16.x.x will go through the IPSEC and any other traffic to the Internet will be natted and passed to the Internet cloud.
Hope this helps. Rate replies if found useful.
Raj
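A small model of the NAT ordering Raj describes (the nat 0 exemption ACL is consulted before the numbered nat 1 ACL), written here as an added Python example that is not from the thread or from Cisco; the ace/acl helpers, the simplified rule ordering and the sample IP addresses are constructed assumptions. It evaluates both the poster's original config and Raj's fix against the same flows.

```python
import ipaddress


def ace(action, src, dst):
    """One extended ACE as (action, source net, destination net).
    Addresses use Cisco-style dotted masks; 'any' means 0.0.0.0/0.
    Constructed helper, not ASA/PIX syntax."""
    def net(spec):
        if spec == "any":
            return ipaddress.ip_network("0.0.0.0/0")
        addr, mask = spec.split()
        return ipaddress.ip_network(f"{addr}/{mask}")
    return (action, net(src), net(dst))


def acl_matches(acl, src_ip, dst_ip):
    """First-match ACL evaluation: True on a matching 'permit',
    False on a matching 'deny' or on the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def nat_decision(nat_rules, src_ip, dst_ip):
    """Simplified model of policy-NAT ordering on PIX/ASA 7.x:
    the nat 0 (exemption) ACL is checked before any numbered nat ID.
    nat_rules is a list of (nat_id, acl) pairs."""
    for nat_id, acl in sorted(nat_rules, key=lambda r: r[0]):
        if acl_matches(acl, src_ip, dst_ip):
            return "exempt (IPsec)" if nat_id == 0 else f"nat {nat_id} (PAT to outside)"
    return "no NAT rule matched"


# Original poster's config: a single nat 1 catching everything from 10/8.
BROKEN = [(1, [ace("permit", "10.0.0.0 255.0.0.0", "any")])]

# Raj's fix: exempt LAN-to-LAN (10/8 -> 172.16/16), then PAT the rest.
FIXED = [
    (0, [ace("permit", "10.0.0.0 255.0.0.0", "172.16.0.0 255.255.0.0")]),
    (1, [ace("permit", "10.0.0.0 255.0.0.0", "any")]),
]

if __name__ == "__main__":
    # Constructed sample flows: LAN-to-LAN and VPN-peer-to-Internet.
    for cfg, name in ((BROKEN, "broken"), (FIXED, "fixed")):
        print(name, "LAN-LAN :", nat_decision(cfg, "10.1.1.5", "172.16.2.3"))
        print(name, "Internet:", nat_decision(cfg, "10.1.1.5", "66.249.85.104"))
```

With the broken config the LAN-to-LAN flow is PATed like Internet traffic, which is exactly why the tunnel traffic stopped working; with the fix it is exempted and only the Internet-bound flow is translated.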
11-02-2005 04:00 AM
THX a lot, your solution was OK.
Laptom
11-02-2005 04:35 AM
I have one problem. I have access from the VPN to the Internet, everything is OK except:
I still can't ping from the VPNs to the Internet.
Laptom
11-02-2005 08:33 PM
Laptom,
Are you blocking ICMP by any chance? You need to give access on the firewall for echo & echo reply on the outside interface.
What are you trying to ping on the Internet? The router or some other component? Rate replies if found useful.
Raj
11-03-2005 02:11 AM
I have:
access-list FROM-OUT extended permit icmp any any
access-group FROM-OUT in interface outside
So there is no option to block ICMP.
I can ping the Internet from inside.
I ping for example: ping 66.249.85.104 (www.google.com) and from the VPN there is no answer. All other traffic from the VPN is OK.
THX
Laptom
11-06-2005 04:54 AM
Sorry, I also can't ping the Internet from inside.
Laptom
11-19-2005 03:28 AM
I added "inspect icmp", which treats ICMP connections as stateful connections, and ping is working correctly.
policy-map global_policy
class inspection_default
inspect icmp