VPN client nat for remote tunnel access

Bruce Reed
Level 1

I have a L2L tunnel that provides limited access to subnets on the remote end. One of my subnets at the main site, 10.3.1.0/24 has unlimited access to a remote net (192.168.100.0/24) via ACL for the tunnel on the remote ASA. I have a new requirement to give some of our AnyConnect main site clients (using pool 10.254.1.0/24) broader access to the 192.168.100.0 network and my preference is to have these anyconnect clients masquerade as a 10.3.1.0 network client to avoid having to change anything on the remote firewall.

What sort of nat statement would be appropriate on the ASA to nat multiple vpn clients using a 10.254.1.x pool address to a single 10.3.1.x address for sending traffic across the L2L tunnel to reach hosts on the 192.168.100.0 network? The ASA still must permit access from existing, non-natted 10.3.1.0/24 hosts routed through the inside interface which routes 10.0.0.0/8. In fact, we have a nonat list that disables nat for any 10.3.1.0 hosts accessing 192.168.100.0.

4 Replies

Jouni Forss
VIP Alumni

Hi,

Well, basically I would say the basic NAT configuration format for the VPN Client users would be, for example:

nat (outside) 100 10.254.1.0 255.255.255.0

global (outside) 100 10.3.1.254

And also making sure you have

same-security-traffic permit intra-interface

So that the traffic can come from "outside" and head back "outside"

It's a totally different matter how the ASA reacts to having this IP address used as a NAT IP address there.

- Jouni

That's what I thought I needed for natting, but that will map all of my 10.154.1 anyconnect clients to 10.3.1.254 for all access, correct? That's a problem as it will give all anyconnect clients access to the 192.168.100 network since they are natting on the 10.3.1 address and I only want certain anyconnect clients to operate this way by way of vpn group policy. 

I guess I could still make the above work using a more restrictive ACL for VPN clients. Today all clients get HTTP access to all hosts in the 192.168.100 network by way of an ACL on the remote ASA, and I would need to replicate that in my AnyConnect group policy ACL, restricting non-privileged clients to only the web access and giving the privileged clients wider access for other services.
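One way to keep the masquerade limited to the privileged clients, written here as an added example in the same 8.2-style syntax Jouni used and not taken from the thread: give the privileged group policy its own address pool (10.254.2.0/24 is a hypothetical value) and use a policy NAT ACL so only that pool, and only toward 192.168.100.0/24, is translated to 10.3.1.254. The ACL and pool names are also assumptions.

```cisco
! Added example, not from the original thread. Assumes the privileged
! AnyConnect group policy assigns the hypothetical pool 10.254.2.0/24;
! unprivileged clients keep using the existing 10.254.1.0/24 pool and
! are never matched by the policy NAT below.
ip local pool ANYCONNECT-PRIV 10.254.2.1-10.254.2.254 mask 255.255.255.0

! AnyConnect traffic enters on outside and leaves on outside (the L2L tunnel),
! so hairpinning must be allowed.
same-security-traffic permit intra-interface

! Match only privileged clients talking to the remote subnet.
access-list VPN-PRIV-PAT extended permit ip 10.254.2.0 255.255.255.0 192.168.100.0 255.255.255.0

! Policy PAT: translate just that flow to a single 10.3.1.x address that the
! remote ASA's tunnel ACL already permits. Other client traffic is untouched.
nat (outside) 100 access-list VPN-PRIV-PAT
global (outside) 100 10.3.1.254

! Existing inside hosts on 10.3.1.0/24 stay untranslated, as in the
! nonat list mentioned in the question.
access-list nonat extended permit ip 10.3.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! The crypto map ACL on both ends already covers 10.3.1.0/24 <-> 192.168.100.0/24,
! so 10.3.1.254 rides the existing tunnel without any change on the remote side.
```

After a privileged client connects, `show xlate` should show a 10.254.2.x address mapped to 10.3.1.254 only for 192.168.100.0/24 flows, while an unprivileged 10.254.1.x client has no such entry.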

Hi,

Are you handling the ASA to authenticate and give IP addresses to the VPN Clients? Or do you otherwise control which user gets which IP address from the VPN pool?

Or how were you going to define the users which should be able to access the remote site?

- Jouni

Yes, an ASA pool is used for the 10.254.1 block. We use radius for auth and LDAP for group check that assigns a dynamic access policy.