11-06-2013 12:55 PM
Hi All,
We are setting up a number of ASAs for use with corporate VPNs. When remote users connect using AnyConnect they can hairpin out to the internet from Head Office and we need to allocate them a public IP address for this purpose. To avoid people getting the same public address each time they go to the internet we want to set up a pool of public addresses that will be randomly allocated to users of the VPN. Also, for their inbound connection we have a DDNS that resolves to a single IP address for inbound connections. So, in summary, clients connect to a single IP address on our ASAs, then hairpin out to the internet and are allocated a public IP address from a pool. We are looking at a few options to achieve this but would welcome any suggestions as to the best way to achieve this objective.
Thanks,
11-08-2013 06:18 AM
Hi,
To me it seems that the order of the chosen NAT IP address from the NAT Pool is random. I tested this on my home ASA5505 with a small public address pool.
I am not sure if there is a difference between the different ASA software levels or rather the NAT configuration format, since the 8.2 (and below) and 8.3 (and newer) formats are completely different.
So if we were to presume that you are configuring a NAT Pool for VPN Client users connected to the ASA then the configurations you would need would be:
Software 8.3 and above
! allow traffic to enter and leave the same interface (needed for the VPN hairpin)
same-security-traffic permit intra-interface
object-group network VPN-POOLS
 description VPN User Address Pools
 network-object 10.10.10.0 255.255.255.128
 network-object 10.10.20.0 255.255.255.128
object network PUBLIC-POOL
 range 1.1.1.1 1.1.1.254
! dynamic NAT of the VPN pools to PUBLIC-POOL; "interface" adds PAT on the outside address once the pool is exhausted
nat (outside,outside) after-auto source dynamic VPN-POOLS PUBLIC-POOL interface
Software 8.2 and below
! allow traffic to enter and leave the same interface (needed for the VPN hairpin)
same-security-traffic permit intra-interface
nat (outside) 200 10.10.10.0 255.255.255.0
nat (outside) 200 10.10.20.0 255.255.255.0
! global pool used first, then PAT on the outside interface address when the pool runs out
global (outside) 200 1.1.1.1-1.1.1.254
global (outside) 200 interface
I am not sure what your user amount is but I would imagine you won't need such a large public address pool for the users. The above configurations also contain a Dynamic PAT for when the NAT Pool runs out.
Was this what you were looking for?
Hope this helps
- Jouni
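The two configurations above describe one behaviour: a VPN client address that matches the VPN pools gets a public address picked from the NAT pool, keeps it for the life of its translation, and falls back to PAT on the outside interface address once the pool is empty. The following Python model is an added example that is not part of the thread and not Cisco's code; the object names and address ranges mirror the answer's hypothetical values, the outside interface address 203.0.113.1 and the starting PAT port are assumed, and the random pick order follows the answer's observation. It also keeps a translation log so that a public pool address can be traced back to the VPN client that held it, which is what an abuse report against one of those public addresses will require.

```python
import ipaddress
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed to mirror the objects in the answer above; all values hypothetical.
VPN_POOLS = [ipaddress.ip_network("10.10.10.0/25"),
             ipaddress.ip_network("10.10.20.0/25")]          # object-group VPN-POOLS
PUBLIC_POOL = [ipaddress.ip_address(i)
               for i in range(int(ipaddress.ip_address("1.1.1.1")),
                              int(ipaddress.ip_address("1.1.1.254")) + 1)]   # object PUBLIC-POOL
OUTSIDE_IP = ipaddress.ip_address("203.0.113.1")   # assumed outside interface address (PAT fallback)


@dataclass
class Translation:
    real_ip: ipaddress.IPv4Address
    mapped_ip: ipaddress.IPv4Address
    mapped_port: Optional[int]   # None = one-to-one dynamic NAT; set when interface PAT was used


class DynamicNatRule:
    """Model of 'nat (outside,outside) after-auto source dynamic VPN-POOLS PUBLIC-POOL interface'."""

    def __init__(self, real_pools, public_pool, interface_ip, seed=None):
        self.real_pools = list(real_pools)
        self.free = list(public_pool)          # unallocated public addresses
        self.interface_ip = interface_ip
        self.rng = random.Random(seed)         # the answer reports a random pick order
        self.xlate: Dict[ipaddress.IPv4Address, Translation] = {}   # active translations
        self.next_pat_port = 1024              # assumed first PAT port for the fallback
        self.log: List[Tuple[str, str, str, Optional[int]]] = []    # add/del events for attribution

    def matches(self, real_ip) -> bool:
        return any(real_ip in net for net in self.real_pools)

    def translate(self, real_ip) -> Optional[Translation]:
        real_ip = ipaddress.ip_address(real_ip)
        if not self.matches(real_ip):
            return None                        # not a VPN client: rule does not apply
        if real_ip in self.xlate:
            return self.xlate[real_ip]         # existing translation is reused while it lives
        if self.free:
            mapped = self.free.pop(self.rng.randrange(len(self.free)))
            t = Translation(real_ip, mapped, None)
        else:
            # Pool exhausted: PAT on the outside interface address with a fresh port
            t = Translation(real_ip, self.interface_ip, self.next_pat_port)
            self.next_pat_port += 1
        self.xlate[real_ip] = t
        self.log.append(("add", str(real_ip), str(t.mapped_ip), t.mapped_port))
        return t

    def release(self, real_ip) -> None:
        t = self.xlate.pop(ipaddress.ip_address(real_ip))
        if t.mapped_port is None:
            self.free.append(t.mapped_ip)      # pool address goes back for reuse
        self.log.append(("del", str(t.real_ip), str(t.mapped_ip), t.mapped_port))

    def who_used(self, mapped_ip) -> List[str]:
        """Attribution lookup: every VPN client address ever mapped to this public IP."""
        return [real for ev, real, mapped, _ in self.log
                if ev == "add" and mapped == str(mapped_ip)]


def demo():
    # A two-address public pool makes the PAT fallback visible with three clients.
    rule = DynamicNatRule(VPN_POOLS, PUBLIC_POOL[:2], OUTSIDE_IP, seed=7)
    results = [rule.translate(ip) for ip in ("10.10.10.5", "10.10.20.9", "10.10.10.77")]
    return rule, results


if __name__ == "__main__":
    rule, results = demo()
    for t in results:
        print(t.real_ip, "->", t.mapped_ip, "" if t.mapped_port is None else f"port {t.mapped_port}")
```

On a real ASA the equivalent lookups are `show xlate` for the live table and the NAT syslog messages for history; the point of the model's log is that a pool address is shared over time by different users, so the timestamped translation record, not the address alone, is what identifies a user.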
11-06-2013 01:02 PM
Hi,
Well I guess you would simply configure a Dynamic NAT for the VPN users. You would have a pool/range of public IP addresses from which addresses would be allocated for VPN client as they connect to the Internet.
I am not sure what you are meaning with the inbound connections (unless you mean return traffic for connections initiated by the clients).
Naturally the NAT configuration format depends on your ASA software level as there's a major difference between 8.2 (and older) and 8.3 (and newer).
- Jouni
11-08-2013 06:02 AM
Hi,
The inbound connections are for the VPN clients to ingress the ASAs; they then hairpin out to the internet where they are allocated a public IP address for their internet session. We will NAT them from the LAN VPN pool outbound, but it's the allocation of a public IP address we are looking into. There won't be any local access so we don't need to set up a NAT exemption for the VPN users. Also, can't remember if the dynamic NAT allocates public addresses on a round robin or random basis, any ideas?
Thanks,
11-13-2013 02:34 AM
Hi Jouni,
Thanks for your response and apologies for our delay in replying, we had to set this up in the lab. Anyway, this is the configuration we have decided to use, so your answer was helpful, thank you.
Regards,
11-13-2013 02:39 AM
Hi,
Thank you for getting back to me. Great to hear that it helped.
- Jouni