08-24-2009 11:43 PM
Hello All,
I have a problem.
I would like to perform the following on one ASA.
I have users that need to get to our company remotely so I have set up Remote access VPN for them and this works fine.
Now we have a customer that requires these people to access their equipment for remote diagnostics.
This company has provided us with an IP address that we must use when trying to reach their network, so I will have to NAT (PAT) our VPN users' IP addresses to the single IP from our customer. The link to this customer (IPSec) runs from the SAME ASA as the Remote VPN users.
so to give a short description of what I am trying to do - here it is again
Remote user -> Outside interface -> NAT/PAT -> Outside interface -> IPSec tunnel to customer.
Is this possible ? I have not managed to configure this in any way shape or form. Although I do have other IPSec tunnels ending on the ASA that do not use NATting and these are reachable for the remote users - so basically my problem is with the NAT/PAT bit....
I have also thought of doing this over two ASAs. Check my diagram out and tell me what you think....
Please help
08-25-2009 02:39 AM
Have you tried:-
1) Same security interface routing - not required (viewed the diagram)
2) Policy-based NAT - src/dst for VPN? This will work.
HTH
08-25-2009 01:23 PM
So with only 1 ASA I then have the outside interface for both the remote users and the customer VPN.
I also have a DMZ where the same IP address range is used as with the remote users.
Do I then attach the Policy NAT to the Outside Interface or to this DMZ ?
I Don't want to mess around too much as this is live.......
Thanks for your help so far Andrew
08-26-2009 12:17 AM
Sorry now I am confused - on your diagram the ASA that connects to the HQ has an inside IP of 10.10.11.1/30
The ASA that connects to remote VPN users has an inside IP of 10.0.0.1/24
Both devices have different outside IP addresses - how is this possibly 1 device? Unless you are running multiple contexts - in which case this will never work.
08-26-2009 09:54 PM
Andrew - my diagram is what I reckon I have to do.
But what I would LIKE to do is everything on 1 ASA.
I have done a quick Drawing of what I would like - hope it is easier to understand.
Remote user comes in on the outside interface.
The remote user IP gets N/PATted
The NATted IP is then allowed to traverse the VPN to the Customer HQ.
Can this work on 1 ASA ?
ie
Remote user IP 10.0.0.1
Gets N/PATted to 10.1.0.1
Then it is allowed to reach 10.10.0.1 at customer HQ over the VPN.
Otherwise I will have to build up what I have on the Diagram
08-27-2009 12:29 AM
Yep - I see no obvious reason why you cannot do this.
You will need to use specific ACLs for the policy-based NAT, and also allow the same-security interface traffic - but other than that it's very doable.
HTH
08-27-2009 12:53 AM
Thanks Andrew !
Just one more question - for the Customer VPN ACL I reckon I put the NATted address as source, right? And not the original remote VPN IP....
Or two.... The Dynamic Policy NAT ACL would then be source = pre-NAT remote user IP and customer IP as destination, right?
then this should work......
I also have
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
already in the config - this is what you meant right ?
08-27-2009 01:09 AM
You would need a dynamic NAT for the VPN client IPs to the HQ IP subnet.
You will also need a no-NAT on that as well - and lastly you will need to add the NAT address of the VPN IP subnet to the encryption domain of the HQ VPN; they also need the NAT address on the remote end.
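Putting the steps from the replies above together, here is what the configuration looks like on a single ASA running the pre-8.3 NAT syntax that was current when this thread was written. This is an added example, not configuration from the thread or from Cisco; the interface names, pool range, access-list and crypto-map names, peer address and transform set are all assumptions, and the addresses follow the example given in the question (VPN clients in 10.0.0.0/24, PATed to 10.1.0.1, customer HQ reached as 10.10.0.0/24).

```cisco
! Added example (not from the thread). ASA 7.x/8.0-8.2 NAT syntax; all names are assumptions.

! 1) Hairpin: VPN-client traffic arrives on outside and leaves on outside,
!    so traffic in and out of the same interface must be permitted.
same-security-traffic permit intra-interface

! 2) Remote-access VPN client pool (assumed range, matches the 10.0.0.x in the question).
ip local pool VPNPOOL 10.0.0.2-10.0.0.254 mask 255.255.255.0

! 3) Policy (dynamic) PAT: ONLY client traffic whose destination is the customer HQ
!    is translated to the single customer-supplied address 10.1.0.1.
!    Source = pre-NAT client address, destination = customer subnet.
access-list VPN-TO-HQ-NAT extended permit ip 10.0.0.0 255.255.255.0 10.10.0.0 255.255.255.0
nat (outside) 2 access-list VPN-TO-HQ-NAT
global (outside) 2 10.1.0.1

! 4) Crypto ACL (encryption domain) for the customer L2L tunnel uses the POST-NAT
!    address, because NAT is applied before the crypto map is evaluated.
!    The customer's mirror ACL must list 10.1.0.1 as the remote host.
access-list HQ-CRYPTO extended permit ip host 10.1.0.1 10.10.0.0 255.255.255.0

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address HQ-CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
! (isakmp policy and the tunnel-group for 203.0.113.10 are assumed to exist already)
```

Two checks worth doing before touching a live box. First, NAT exemption is evaluated before policy NAT on these releases, so an existing `nat (outside) 0 access-list ...` that already matches 10.0.0.0/24 to the customer subnet will win and the PAT in step 3 will never fire; keep any exemption ACL for the VPN clients narrower than that. Second, `packet-tracer input outside tcp 10.0.0.5 1234 10.10.0.1 22` shows, phase by phase, whether the flow hits the intra-interface permit, the `nat (outside) 2` translation and finally the `HQ-CRYPTO` entry of the crypto map; once a client actually connects, `show xlate` should list a 10.0.0.x to 10.1.0.1 entry and `show crypto ipsec sa peer 203.0.113.10` should show encaps counters climbing for the 10.1.0.1 proxy identity. On ASA 8.3 and later the same design is expressed as a twice NAT rule, for example `nat (outside,outside) source dynamic VPN-CLIENTS HQ-PAT-ADDR destination static HQ-NET HQ-NET`, with the crypto ACL unchanged.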
08-27-2009 01:29 AM
Thanks Andrew !
08-27-2009 01:36 AM
np - glad to help.