NAT U Turn

imranraheel
Level 1

Remote VPN users aren't able to access the internal web server using the WAN IP of the internal servers. Do I have to make a NAT exempt or a U-turn?

3 Replies

Aditya Ganjoo
Cisco Employee

Hi,

Can you share the show version of the ASA?

Also do you have a static NAT for the internal servers?

Regards,

Aditya

Please rate helpful and mark correct answers

Sh version 

Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(7)

Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"

PNIASA up 3 years 163 days
failover cluster up 4 years 127 days

Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05

0: Ext: GigabitEthernet0/0 : address is 503d.e5a2.77ca, irq 9
1: Ext: GigabitEthernet0/1 : address is 503d.e5a2.77cb, irq 9
2: Ext: GigabitEthernet0/2 : address is 503d.e5a2.77cc, irq 9
3: Ext: GigabitEthernet0/3 : address is 503d.e5a2.77cd, irq 9
4: Ext: Management0/0 : address is 503d.e5a2.77ce, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Enabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled

This platform has an ASA 5520 VPN Plus license.

I have the NAT for the internal server.

Hi,

You need to, first of all, add a deny statement to the NAT exempt access list to deny traffic from VPN users to the internal server.

This is because the interesting traffic is NAT exempted; hence, if we access the public IP, we will not be able to untranslate the request to the internal IP, as NAT exempt takes precedence.

Also add same-security-traffic permit intra-interface.

nat (outside) 1 x.x.x.x y.y.y.y    ! x.x.x.x y.y.y.y = subnet and mask of the VPN pool

global (outside) 1 interface

Regards,

Aditya

Please rate helpful and mark correct answers
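The recipe in the reply above, written out as a complete ASA 8.2 configuration fragment with a verification step. This is an added example, not configuration from the original post or from Cisco; every address and name in it is assumed: internal web server 10.1.1.10 published as 203.0.113.10 by the existing static, inside LAN 10.1.1.0/24, VPN address pool 192.168.50.0/24, and an exemption access list named NONAT. The deny entry is written with the inside host as the source, because entries in a nat (inside) 0 access-list are matched from the inside interface's point of view and NAT exemption is applied bidirectionally.

```cisco
! Added example for ASA 8.2 (pre-8.3 NAT syntax). Addresses are assumed, not from the post:
!   inside server 10.1.1.10, published as 203.0.113.10; inside LAN 10.1.1.0/24
!   VPN address pool 192.168.50.0/24; VPN clients terminate on the outside interface

! 1. Existing static NAT that publishes the server (the "NAT for the internal server")
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! 2. NAT exemption for inside <-> VPN traffic, with the deny placed before the permit.
!    The deny takes server <-> VPN-pool traffic out of the exemption so that the
!    static above can untranslate 203.0.113.10 -> 10.1.1.10 for VPN users.
!    Entries use the inside host as source; the exemption matches both directions.
access-list NONAT extended deny ip host 10.1.1.10 192.168.50.0 255.255.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 3. Allow traffic that enters and leaves the same interface (VPN hairpin / U-turn)
same-security-traffic permit intra-interface

! 4. PAT the VPN pool to the outside interface address for VPN traffic that
!    U-turns back out of the outside interface
nat (outside) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface

! Verification: simulate a VPN client (192.168.50.5) connecting to the server's public IP.
! Expect an UN-NAT phase referencing the static, a final ALLOW, and
! output-interface: inside (not outside).
packet-tracer input outside tcp 192.168.50.5 1025 203.0.113.10 80
show xlate | include 203.0.113.10
```

Run the packet-tracer before and after adding the deny line; the trace makes it visible which NAT rule the ASA applied and on which interface the packet would leave. Note that this syntax is specific to the 8.2 train shown in the show version output: ASA 8.3 and later replaced nat/global/static with object-based NAT and evaluate access lists against real (untranslated) addresses, so the same fix is expressed differently there.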
