07-07-2011 04:40 AM
Hi,
I need to configure NAT for VPN traffic to an external pool IP address on the ASA.
For example:
Outside IP address is 1.1.1.10
VPN traffic should be NATed to 1.1.1.11
If I try to configure policy NAT or static NAT, the ASA gives me the error "global address overlaps with mask".
Please help me out to resolve this.
Thanks & Regards,
Raghavendra
07-07-2011 04:51 AM
1) What version is your ASA?
2) What is the VPN traffic trying to reach after NAT to 1.1.1.11? The Internet or internal resources?
3) What is the VPN client pool?
07-07-2011 05:02 AM
Hi Jennifer,
1. ASA version is 8.2.
2. Destination subnet pool is 10.0.0.0/16 and source pool is 192.168.1.0/24. The client has configured it in such a way that whatever VPN traffic reaches 10.0.0.0 should be NATed to 1.1.1.11.
3. It's a site-to-site VPN.
07-07-2011 05:30 AM
Thanks, and since you are PATing it to just one IP address, 1.1.1.11, the traffic can only be initiated from your site towards the remote end.
Here is the NAT configuration:
access-list nat-vpn permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
nat (inside) 5 access-list nat-vpn
global (outside) 5 1.1.1.11
Also, the crypto ACL for the site to site tunnel should be as follows:
access-list
Hope that helps.
07-15-2011 02:39 AM
Hi Jennifer,
Thanks for the help. I configured it today and it's working fine.
I configured IPsec remote VPN on the ASA.
From the remote VPN client I want to access the servers at the destination end through the site-to-site tunnel. Request you to please help me configure this.
07-15-2011 05:03 AM
For remote vpn client access to the destination server, you can configure the following:
1) If you configure split tunnel for your remote VPN client, then you would need to add the destination subnet/server.
From the above example, the split tunnel should include 10.0.0.0 255.255.0.0.
2) Configure: same-security-traffic permit intra-interface
This is to allow traffic from the VPN client to come inbound on the outside interface and go outbound through the same interface towards the destination server through the site-to-site VPN tunnel.
3) Configure NAT on the outside interface for the vpn client pool as follows:
nat (outside) 5
--> The reason I use sequence number 5 is that the NAT above uses sequence 5, so it gets PATed to the same IP (1.1.1.11).
Hope that helps.
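The two answers above (policy NAT of the LAN to 1.1.1.11 for the site-to-site tunnel, and hairpinning remote-access clients through the same NAT id) both hinge on one ASA 8.2 order-of-operations fact: outbound traffic is translated first and only the post-NAT packet is compared against the crypto ACL, so the crypto ACL for this design has to name 1.1.1.11, not 192.168.1.0/24, as the local side. The script below is an added example, not configuration from the thread or from Cisco; it models the "nat (if) id" / "global (if) id" lookup and the crypto-ACL check for the three flows discussed. The remote-access pool (192.168.50.0/24), the catch-all "nat (inside) 1 0 0" / "global (outside) 1 interface" pair, and the crypto ACL text are assumptions for illustration, since the thread never states them.

```python
"""ASA 8.2 NAT / crypto-ACL walk-through for the thread's two designs.

Added example, not from the thread.  Models how an ASA 8.2 picks a
'nat (if) id' rule, looks up the matching 'global (if) id' pool, and
then matches the *translated* packet against the site-to-site crypto ACL.
Anything not stated in the thread is marked ASSUMED.
"""
from ipaddress import ip_address, ip_network

OUTSIDE_IP = ip_address("1.1.1.10")       # thread: outside interface address
VPN_GLOBAL = ip_address("1.1.1.11")       # thread: PAT address for tunnel traffic
LAN = ip_network("192.168.1.0/24")        # thread: local source subnet
REMOTE = ip_network("10.0.0.0/16")        # thread: remote destination subnet
RA_POOL = ip_network("192.168.50.0/24")   # ASSUMED remote-access client pool
ANY = ip_network("0.0.0.0/0")

# 'nat (ingress_if) id ...' rules.  dst=None models 'nat (if) id net mask';
# a dst network models 'nat (if) id access-list <acl>' (policy NAT).
NAT_RULES = [
    ("inside", 5, LAN, REMOTE),     # nat (inside) 5 access-list nat-vpn   (thread)
    ("outside", 5, RA_POOL, None),  # nat (outside) 5 <RA pool>            (thread; pool ASSUMED)
    ("inside", 1, ANY, None),       # nat (inside) 1 0 0                   (ASSUMED catch-all)
]
# 'global (egress_if) id <ip>' pools.
GLOBAL_POOLS = {
    ("outside", 5): VPN_GLOBAL,     # global (outside) 5 1.1.1.11          (thread)
    ("outside", 1): OUTSIDE_IP,     # global (outside) 1 interface         (ASSUMED)
}
# Crypto ACL is evaluated after NAT, so it is written in post-NAT addresses
# (ASSUMED text: access-list vpn-s2s permit ip host 1.1.1.11 10.0.0.0 255.255.0.0).
CRYPTO_ACL = [(ip_network("1.1.1.11/32"), REMOTE)]


def pick_nat_rule(ingress, src, dst):
    """Return the nat id that wins for this packet, or None.

    ASA 8.2 evaluates policy NAT ('nat ... access-list') before plain
    'nat id net mask' rules whatever the numeric id; among plain rules the
    most specific source network wins.
    """
    candidates = []
    for iface, nat_id, src_net, dst_net in NAT_RULES:
        if iface != ingress or src not in src_net:
            continue
        if dst_net is not None and dst not in dst_net:
            continue
        candidates.append((dst_net is not None, src_net.prefixlen, nat_id))
    if not candidates:
        return None
    candidates.sort(reverse=True)           # policy first, then longest prefix
    return candidates[0][2]


def translate(ingress, src, dst, egress="outside", intra_interface=True):
    """Return the post-NAT source as a string, or None when no nat/global pair applies.

    intra_interface mirrors 'same-security-traffic permit intra-interface';
    without it a packet entering and leaving 'outside' is refused.
    """
    src, dst = ip_address(src), ip_address(dst)
    if ingress == egress and not intra_interface:
        raise PermissionError("hairpin refused: same-security-traffic permit intra-interface missing")
    nat_id = pick_nat_rule(ingress, src, dst)
    if nat_id is None:
        return None
    pool = GLOBAL_POOLS.get((egress, nat_id))
    return None if pool is None else str(pool)


def crypto_acl_selects(translated_src, dst):
    """True when the POST-NAT packet matches the site-to-site crypto ACL."""
    s, d = ip_address(translated_src), ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in CRYPTO_ACL)


def path(ingress, src, dst):
    """Summarise one flow: translated source and whether the tunnel is selected."""
    xlated = translate(ingress, src, dst)
    tunnel = xlated is not None and crypto_acl_selects(xlated, dst)
    return {"src_after_nat": xlated, "through_tunnel": tunnel}


if __name__ == "__main__":
    # Constructed sample flows for the three cases discussed in the thread.
    for flow in [("inside", "192.168.1.20", "10.0.5.5"),     # LAN -> remote site
                 ("inside", "192.168.1.20", "203.0.113.9"),  # LAN -> Internet
                 ("outside", "192.168.50.7", "10.0.5.5")]:   # RA client hairpin
        print(flow, "->", path(*flow))
```

The last assertion in the accompanying check is the one worth remembering: a crypto ACL written with the pre-NAT source 192.168.1.0/24 never matches, and the "interesting traffic" simply leaves the outside interface in the clear via the catch-all PAT. Because 1.1.1.11 is a single dynamic PAT address, nothing on the remote side can initiate a flow back to a specific inside host, which is the point the answer makes about traffic only being initiated from the local site.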
07-20-2011 05:17 AM
Hi Jennifer,
Thanks for the solution. I configured it as per your suggestion and it's working fine.
Regards,
Raghavendra
07-20-2011 05:47 AM
Great, thanks for the update and ratings.