10-21-2010 12:47 PM
Hello,
I'm having a problem with remote VPNs. The scenario is this:
I have a few clients that connect remotely via VPN. Until today only one of them needed access to my DMZ. But now I want another one with a different profile (because it is a new client) to access one of my servers in the DMZ.
So I declared all the VPN settings and the ACL, but when I want to declare nat (dmz) 2 access-list newclient it doesn't work. But if I declare nat (dmz) 0 access-list newclient it works BUT it deletes the previous nat 0 that my other client has. Is there a way to create multiple nat (dmz) 0 access-list statements? If not, how could I resolve this problem?
This is my config:
access-list vpnashi extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0
access-list vpnashi extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28
access-list vpnlati extended permit ip host 192.168.16.50 192.168.125.0 255.255.255.0
access-list vpnlati extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.50
Solved! Go to Solution.
10-22-2010 07:20 AM
andre,
You can only have one NAT exempt access-list per interface (nat 0 rule). I understand what you are trying to accomplish. You are using the access-list vpnashi and vpnlati to control access to devices for different clients through VPN group policies.
What I do is this:
Create an ACL for the VPN client (which you have, with vpnashi and vpnlati)
Create an ACL for NAT exemption for the interface (nonat-inside, nonat-dmz, etc.).
Create ACEs inside the NAT exempt ACL that matches your VPN client access-list.
It is ok to have multiple statements inside of a NAT exempt access-list. Doing so will not allow one VPN client to have access to things it shouldn't.
For example:
access-list nonat-dmz extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0
access-list nonat-dmz extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28
nat (dmz) 0 access-list nonat-dmz
10-22-2010 08:54 AM
hi andre,
I understand your concerns here. The problem is that you are using the same ACL for NAT exemption and split tunneling.
Do one thing:
Keep the vpnashi and vpnlati ACLs as they are, since you are using them for split tunneling.
Now make a new access-list nonat_dmz and include the internal network to the VPN pool IPs; this will let you achieve what you need.
Here are the ACLs you need:
nonat_dmz
access-list nonat_dmz extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0
access-list nonat_dmz extended permit ip host 192.168.16.50 192.168.125.0 255.255.255.0
no nat (dmz) 0 access-list vpnashi
nat (dmz) 0 access-list nonat_dmz
this should fix the issue at hand
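As an added illustration of the two replies above (not code from the thread or from Cisco): a small Python helper that merges the per-client split-tunnel ACLs into the single nat 0 ACL an interface can carry, keeping only the DMZ-side ACEs the way the nonat_dmz example does, and then checks whether a given flow would be exempted. The ACE grammar, the DMZ subnet 192.168.16.0/24 and the sample flows are assumptions.

```python
import ipaddress
import re

# Endpoint grammar of an ASA "extended permit ip" ACE (assumption: only the
# "host A.B.C.D" and "A.B.C.D M.M.M.M" forms that appear in the thread).
_EP = r"(?:host (\S+)|(\S+) (\S+))"
_ACE = re.compile(rf"^access-list (\S+) extended permit ip {_EP} {_EP}$")

def _net(host, addr, mask):
    return ipaddress.ip_network(f"{host}/32" if host else f"{addr}/{mask}", strict=False)

def fmt(net):
    """Render a network back in ASA syntax: 'host X' or 'net mask'."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"

def parse_ace(line):
    """Return (acl_name, src_net, dst_net) for one ACE line."""
    m = _ACE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    name, sh, sa, sm, dh, da, dm = m.groups()
    return name, _net(sh, sa, sm), _net(dh, da, dm)

def build_nonat(client_acls, nonat_name, iface_net):
    """Merge per-client split-tunnel ACLs into the ONE NAT-exempt ACL the
    interface can carry. Only ACEs whose source sits behind the interface are
    kept (exemption matches both directions, so the reverse ACEs that split
    tunneling needs are redundant here); duplicate pairs are dropped."""
    seen, out = set(), []
    for lines in client_acls.values():
        for line in lines:
            _, src, dst = parse_ace(line)
            if src.subnet_of(iface_net) and (src, dst) not in seen:
                seen.add((src, dst))
                out.append(f"access-list {nonat_name} extended permit ip {fmt(src)} {fmt(dst)}")
    return out

def is_exempt(nonat_lines, src_ip, dst_ip):
    """Would this flow be exempted by the merged nat 0 ACL (either direction)?"""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any((s in a and d in b) or (s in b and d in a)
               for _, a, b in map(parse_ace, nonat_lines))

# Constructed sample: the two per-client ACLs from the thread; DMZ subnet is assumed.
CLIENT_ACLS = {
    "vpnashi": ["access-list vpnashi extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0",
                "access-list vpnashi extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28"],
    "vpnlati": ["access-list vpnlati extended permit ip host 192.168.16.50 192.168.125.0 255.255.255.0",
                "access-list vpnlati extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.50"],
}
DMZ_NET = ipaddress.ip_network("192.168.16.0/24")
```

Running `build_nonat(CLIENT_ACLS, "nonat_dmz", DMZ_NET)` yields the two nonat_dmz lines shown above; apply them together with a single `nat (dmz) 0 access-list nonat_dmz`.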
10-21-2010 02:13 PM
What is your access-list for your 'newclient'? What is the IP space?
If I understand what you want to do correctly, you can just do the following.
Add more ACEs to your ACL vpnashi, which is the current nat 0 access-list for the DMZ interface.
So, add the following two lines to your existing access-list. Replace x.x.x.x with the new VPN subnet and y.y.y.y with the subnet mask of that subnet.
access-list vpnashi extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0
access-list vpnashi extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28
access-list vpnashi extended permit ip host 192.168.16.28 x.x.x.x y.y.y.y
access-list vpnashi extended permit ip x.x.x.x y.y.y.y host 192.168.16.28
10-22-2010 07:14 AM
jjohnston,
The newclient is vpnlati. vpnashi is another client and is working perfectly, but I don't want to create new ACEs under that one because it is a different client and I want to create different profiles for Cisco remote VPNs.
If I put in the config:
nat (dmz) 0 access-list vpnlati
it starts to work perfectly, but the vpnashi one disappears.
That's why my question is whether there is a way to add multiple nat (dmz) 0 access-list statements, or how I could resolve this issue.
Regards.
Amir
10-25-2010 11:54 AM
Thank you so much guys!!! I created the nonat ACL and it works perfectly.
10-25-2010 05:24 PM
Glad it worked tc