12-10-2013 06:41 AM
Hello
I have an ASA5510 to connect clients to my company. I use IPsec site-to-site VPNs with different VPN equipment on the other side (Cisco, Sonicwall, Zyxel, Checkpoint ...).
For every remote LAN I translate the client network to a single IP address.
For instance
Client1 192.168.1.0/24 Dynamic PAT (hide) a.b.c.1/24
Client2 172.16.0.0/16 Dynamic PAT (hide) a.b.c.2/24
Client3 172.17.4.0/26 Dynamic PAT (hide) a.b.c.3/24
...
Everything is working fine, but now I have a new client with the same IP network as client1.
I tried
Clientn 192.168.1.0/24 Dynamic PAT (hide) a.b.c.n/24
But when I did it, client1 lost the connection and I had to remove the clientn network ...
Do you have an idea to permit the same remote IP addresses to use the VPN?
For information, I use ASDM to set up the ASA.
Regards
Laurent
Sorry for my English ...
12-10-2013 07:43 AM
Ask the client to NAT their network to something you're not already using. Unless they are accessing a network on your side that is different from the network client1 is accessing on your side. If that is the case, you could create a rule that states: if traffic is coming from client1 to network1, then PAT to this IP address; if traffic is from clientn to networkn, then PAT to this IP address.
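William's per-destination PAT, written out as an added illustration that is not from the thread: ASA 8.3+ twice NAT (manual NAT) picks the hide address by the destination the client is reaching, so two clients with the same real network can be told apart as long as they reach different networks on your side. All addresses and object names are constructed placeholders (RFC 5737 and private ranges), not values from the thread.

```cisco
! Added illustration of William's suggestion, not configuration from the thread.
! Constructed placeholder addresses; replace with your own.
object network CLIENT1_NET
 subnet 192.168.1.0 255.255.255.0
object network CLIENTN_NET
 subnet 192.168.1.0 255.255.255.0
object network CLIENT1_PAT
 host 203.0.113.1
object network CLIENTN_PAT
 host 203.0.113.9
object network NET1
 subnet 10.10.1.0 255.255.255.0
object network NETN
 subnet 10.10.9.0 255.255.255.0
!
! Twice NAT: the hide address is chosen by the destination the client is reaching.
! client1 -> NET1 is hidden behind 203.0.113.1; clientn -> NETN behind 203.0.113.9.
! Dynamic translation to a host object is PAT (many real addresses to one mapped IP).
nat (outside,inside) source dynamic CLIENT1_NET CLIENT1_PAT destination static NET1 NET1
nat (outside,inside) source dynamic CLIENTN_NET CLIENTN_PAT destination static NETN NETN
!
! Checks: confirm rule order and hit counts, then trace one packet per client.
show nat detail
packet-tracer input outside tcp 192.168.1.10 1025 10.10.1.10 443
packet-tracer input outside tcp 192.168.1.10 1025 10.10.9.10 443
```

This only disambiguates the two clients when the destination networks differ; if both reach the same network on your side, the two rules match the same traffic and only the first one is ever used.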
12-11-2013 12:40 AM
Thank you William, but I can't ask clients to NAT their networks, and they all connect to the same network on my side:
Client1 192.168.1.0/24 Dynamic PAT (hide) a.b.c.1/24 connect to w.x.y.0/24
Client2 192.168.1.0/24 Dynamic PAT (hide) a.b.c.2/24 connect to w.x.y.0/24
Client3 192.168.1.0/24 Dynamic PAT (hide) a.b.c.3/24 connect to w.x.y.0/24
Clientn 192.168.1.0/24 Dynamic PAT (hide) a.b.c.n/24 connect to w.x.y.0/24
At the beginning, I NATed the client's network to avoid that kind of problem, and I don't understand why it is not working.
Do I have to change the NAT type?
12-11-2013 05:58 AM
Hi Laurent,
I'm afraid the ASA is not built to do something like that. Even if you manage to configure several NAT rules so that the remote VPN addresses are mapped to different address ranges on your inside, the ASA will have difficulties deciding which of the identical remote networks is to be chosen.
On IOS you can do something like that; the features you might want to take a look at are VTI, vrf-lite and VRF-aware NAT. The VTI is a tunnel interface which represents an IPsec connection to one of your customers and is associated with a VRF. The NAT configuration just needs to address the VRF in addition to the outside-global and outside-local addresses, with ip nat inside/outside on the interfaces as usual. The classical crypto map is replaced by tunnel source/destination and a tunnel protection profile.
That's the best I can think of...
MiKa
12-12-2013 01:33 AM
Hi Mika
I don't understand why the ASA has difficulties deciding which remote network to choose, because the NAT IP address a.b.c.x is assigned to just one client, which is in only one crypto map.
From client
Client1 192.168.1.0/24 Crypto-map1 Dynamic PAT (hide) a.b.c.1 connect to w.x.y.x
Client2 192.168.1.0/24 Crypto-map2 Dynamic PAT (hide) a.b.c.2 connect to w.x.y.x
From my side
w.x.y.x response to a.b.c.1 in Crypto-map1 to 192.168.1.0/24 (Client1)
w.x.y.x response to a.b.c.2 in Crypto-map2 to 192.168.1.0/24 (Client2)
The solution with VTI and VRF seems (to me) complicated to operate.
Laurent