Multiple NAT (DMZ) 0 Access list statement

andresitotubia (Level 1)

Hello,

I'm having a problem with remote VPNs. The scenario is this:

I have a few clients that connect remotely via VPN. Until today only one of them needed access to my DMZ. But now I want another one with a different profile (because it is a new client) to access one of my servers in the DMZ.

So I declared all the VPN settings and the ACL, but when I try to declare nat (dmz) 2 access-list newclient it doesn't work. If I declare nat (dmz) 0 access-list newclient it works, BUT it deletes the previous nat 0 that my other client has. Is there a way to create multiple nat (dmz) 0 access-list statements? If not, how could I resolve this problem?

This is my config:

access-list vpnashi extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0
access-list vpnashi extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28
access-list vpnlati extended permit ip host 192.168.16.50 192.168.125.0 255.255.255.0
access-list vpnlati extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.50
ip local pool ippool 192.168.125.10-192.168.125.254
global (outside) 1 interface
global (outside) 2 200.32.97.254
nat (outside) 1 192.168.125.0 255.255.255.0
nat (inside) 0 access-list vpnas
nat (inside) 2 access-list ACL-NAT-LIM
nat (inside) 3 access-list vpnwip
nat (inside) 4 access-list vpnashi
nat (inside) 5 access-list vpnlati
nat (inside) 1 0.0.0.0 0.0.0.0
nat (wifi) 2 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list vpnashi
nat (dmz) 1 192.168.16.0 255.255.255.0
nat (dmz) 2 access-list vpnlati
group-policy RA-ASHI internal
group-policy RA-ASHI attributes
dns-server value 172.16.1.100
vpn-idle-timeout 30
vpn-filter value vpnashi
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
group-policy RA-LATI internal
group-policy RA-LATI attributes
dns-server value 172.16.1.100
vpn-idle-timeout 30
vpn-filter value vpnlati
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
tunnel-group RA-ASHI type remote-access
tunnel-group RA-ASHI general-attributes
address-pool ippool
authentication-server-group (outside) partnerauth
default-group-policy RA-ASHI
tunnel-group RA-ASHI ipsec-attributes
pre-shared-key *
tunnel-group RA-LATI type remote-access
tunnel-group RA-LATI general-attributes
address-pool ippool
authentication-server-group (outside) partnerauth
default-group-policy RA-LATI
tunnel-group RA-LATI ipsec-attributes
pre-shared-key *

6 Replies

jj27 (Spotlight)

What is your access-list for your 'newclient'? What is the IP space?

If I understand what you want to do correctly, you can just do the following.

Add more ACEs to your ACL vpnashi, which is the current nat 0 access-list for the DMZ interface.

So, add the last two lines below to your existing access-list. Replace x.x.x.x with the new VPN subnet and replace y.y.y.y with the subnet mask of that subnet.

access-list vpnashi extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0
access-list vpnashi extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28
access-list vpnashi extended permit ip host 192.168.16.28 x.x.x.x y.y.y.y
access-list vpnashi extended permit ip x.x.x.x y.y.y.y host 192.168.16.28

jjohnston,

The new client is vpnlati. vpnashi is another client and is working perfectly, but I don't want to create new ACEs under that one because it is a different client and I want to create different profiles for the Cisco remote VPNs.

If I put this in the config:

nat (dmz) 0 access-list vpnlati

it starts to work perfectly, but the vpnashi one disappears.

That's why my question is whether there is a way to add multiple nat (dmz) 0 access-list statements, or how else I could resolve this issue.

Regards.

Amir


andre,

You can only have one NAT exempt access-list per interface (nat 0 rule). I understand what you are trying to accomplish. You are using the access-lists vpnashi and vpnlati to control access to devices for different clients through VPN group policies.

What I do is this:

Create an ACL for the VPN client (which you have, with vpnashi and vpnlati).
Create an ACL for NAT exemption for the interface (nonat-inside, nonat-dmz, etc.).
Create ACEs inside the NAT exempt ACL that match your VPN client access-list.

It is OK to have multiple statements inside a NAT exempt access-list. Doing so will not allow one VPN client to have access to things it shouldn't.

For example:

access-list nonat-dmz extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0
access-list nonat-dmz extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28
nat (dmz) 0 access-list nonat-dmz

Hi andre,

I understand your concerns here. The problem is that you are using the same ACL for NAT exemption and split tunneling.

Do one thing:

Keep the vpnashi and vpnlati ACLs as they are, since you are using them for split tunneling.

Now make a new access-list nonat_dmz and include the internal network to the VPN pool IPs; this will let you achieve what you need.

Here are the ACLs you need:

nonat_dmz

access-list nonat_dmz extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0
access-list nonat_dmz extended permit ip host 192.168.16.50 192.168.125.0 255.255.255.0
no nat (dmz) 0 access-list vpnashi
nat (dmz) 0 access-list nonat_dmz

This should fix the issue at hand.
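Both of the answers above come down to the same move: collapse the per-client exemptions into one nonat ACL and bind it as the single nat (dmz) 0 rule, leaving the vpn-filter and split-tunnel ACLs untouched. The script below is an added example (not code from this thread or from Cisco) that automates the check and the merge for the pre-8.3 nat/global syntax used in the question. It parses a config excerpt, flags any interface that carries more than one nat 0 access-list (only the last one entered stays in effect, which is the disappearing-exemption symptom andre describes), derives the VPN pool's subnet from the ip local pool line, and prints the replacement nonat_<interface> ACL plus the nat 0 binding. The sample config is constructed from the lines in the question; the pool name ippool and the generated ACL name nonat_dmz are assumptions. Because NAT exemption applies to both directions of a matched flow, the script copies only the internal-host-to-pool ACEs and leaves out the reverse pool-to-host entries that the client ACLs also carry (keeping them would be harmless, just redundant).

```python
"""Lint an ASA config (pre-8.3 'nat (if) 0 access-list' syntax) for more than one
NAT-exemption ACL on the same interface and build one merged 'nonat' ACL from the
per-client VPN ACLs. Added example; not code from the thread or from Cisco."""
import ipaddress
import re

# Constructed excerpt modelled on the question's config; not the poster's full config.
SAMPLE_CONFIG = """\
access-list vpnashi extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0
access-list vpnashi extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28
access-list vpnlati extended permit ip host 192.168.16.50 192.168.125.0 255.255.255.0
access-list vpnlati extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.50
ip local pool ippool 192.168.125.10-192.168.125.254
nat (inside) 0 access-list vpnas
nat (dmz) 0 access-list vpnashi
nat (dmz) 1 192.168.16.0 255.255.255.0
nat (dmz) 0 access-list vpnlati
"""

# Only 'extended permit ip' ACEs with host / network-mask / any operands are handled.
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")


def _operand(tokens, i):
    """Parse one ACL address operand at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2  # net + mask


def parse_config(text):
    """Return (acls, nat0, pools): ACE pairs per ACL, nat-0 ACL names per interface
    in the order entered, and local-pool (start, end) ranges."""
    acls, nat0, pools = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := ACE_RE.match(line):
            tokens = m.group(2).split()
            src, i = _operand(tokens, 0)
            dst, _ = _operand(tokens, i)
            acls.setdefault(m.group(1), []).append((src, dst))
        elif m := NAT0_RE.match(line):
            nat0.setdefault(m.group(1), []).append(m.group(2))
        elif m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return acls, nat0, pools


def nat0_conflicts(nat0):
    """Interfaces with more than one nat-0 ACL. The ASA keeps only the last one
    entered, so the earlier client's exemption silently disappears (the thread's symptom)."""
    return {iface: names for iface, names in nat0.items() if len(names) > 1}


def pool_network(start, end):
    """Smallest subnet covering a local pool's range (the thread's pool sits in a /24)."""
    net = ipaddress.ip_network(f"{start}/32")
    while end not in net:
        net = net.supernet()
    return net


def build_nonat(acls, acl_names, pool_net):
    """Distinct internal-host -> VPN-pool pairs from the client ACLs. NAT exemption
    covers both directions of a matched flow, so pool -> host ACEs are not copied."""
    pairs = []
    for name in acl_names:
        for src, dst in acls.get(name, []):
            if dst == pool_net and src != pool_net and (src, dst) not in pairs:
                pairs.append((src, dst))
    return pairs


def render_operand(net):
    """IPv4Network -> ASA ACL operand syntax."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.netmask}"


def render_fix(iface, old_names, new_name, pairs):
    """CLI: drop the nat-0 ACL currently in effect (last entered), add the merged ACL, bind it."""
    lines = [f"no nat ({iface}) 0 access-list {old_names[-1]}"]
    lines += [f"access-list {new_name} extended permit ip "
              f"{render_operand(s)} {render_operand(d)}" for s, d in pairs]
    lines.append(f"nat ({iface}) 0 access-list {new_name}")
    return lines


def lint(text, pool_name="ippool"):
    """Map each conflicting interface to the CLI that replaces its nat-0 rules."""
    acls, nat0, pools = parse_config(text)
    pool_net = pool_network(*pools[pool_name])  # pool name is an assumption
    return {iface: render_fix(iface, names, f"nonat_{iface}", build_nonat(acls, names, pool_net))
            for iface, names in nat0_conflicts(nat0).items()}


if __name__ == "__main__":
    for iface, cli in lint(SAMPLE_CONFIG).items():
        print(f"! {iface}: more than one nat 0 access-list; merged replacement:")
        print("\n".join(cli))
```

Run as a script it prints the replacement CLI for each interface that has the conflict; for the sample it reports only dmz, since inside carries a single nat 0 rule. Paste a real running-config excerpt in place of SAMPLE_CONFIG to check an existing box before adding a second client's exemption.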

Thank you so much, guys!!! I created the nonat ACL and it works perfectly.

Glad it worked. tc