05-28-2013 12:32 PM
I have a L2L tunnel that provides limited access to subnets on the remote end. One of my subnets at the main site, 10.3.1.0/24 has unlimited access to a remote net (192.168.100.0/24) via ACL for the tunnel on the remote ASA. I have a new requirement to give some of our AnyConnect main site clients (using pool 10.254.1.0/24) broader access to the 192.168.100.0 network and my preference is to have these anyconnect clients masquerade as a 10.3.1.0 network client to avoid having to change anything on the remote firewall.
What sort of nat statement would be appropriate on the ASA to nat multiple vpn clients using a 10.254.1.x pool address to a single 10.3.1.x address for sending traffic across the L2L tunnel to reach hosts on the 192.168.100.0 network? The ASA still must permit access from existing, non-natted 10.3.1.0/24 hosts routed through the inside interface which routes 10.0.0.0/8. In fact, we have a nonat list that disables nat for any 10.3.1.0 hosts accessing 192.168.100.0.
05-28-2013 12:37 PM
Hi,
Well, basically I would say the basic NAT configuration format for the VPN client users would be, for example:
! dynamic NAT for the AnyConnect pool, whose traffic enters on the outside interface
nat (outside) 100 10.254.1.0 255.255.255.0
! a single global address, so every client in the pool is PATed to 10.3.1.254
global (outside) 100 10.3.1.254
And also making sure you have
same-security-traffic permit intra-interface
So that the traffic can come in from "outside" and head back out "outside".
It's a totally different matter how the ASA reacts to having this IP address used as a NAT IP address there.
- Jouni
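As an added example (not part of Jouni's reply or of the original thread), here is the same pre-8.3 nat/global approach written out so that the masquerade applies only to traffic from the VPN pool that is headed for 192.168.100.0/24, and so the existing NAT exemption for the real 10.3.1.0/24 hosts keeps working. The addresses come from the thread; the ACL and object names, and the idea of a second address pool (10.254.2.0/24) handed out only to the privileged group policy, are assumptions made for this example. Policy NAT can match on source and destination but not on the user's group, so giving the privileged users their own pool is what lets the NAT rule single them out.

```cisco
! --- ASA 8.2 and earlier (nat/global syntax, as in the reply above) ---

! Assumed existing exemption: real 10.3.1.0/24 hosts behind "inside" reach the
! remote net untranslated. NAT exemption (nat 0 access-list) is evaluated before
! policy NAT and before regular dynamic NAT, so it is not affected by the rules below.
access-list nonat extended permit ip 10.3.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! Assumed second address pool, referenced only from the privileged group policy.
! Which pool a user lands in is decided by the group policy, so that is what
! decides whether the masquerade applies.
ip local pool PRIV-POOL 10.254.2.1-10.254.2.254 mask 255.255.255.0

! Policy NAT: only traffic from the privileged pool to the remote net is translated.
! Clients in the ordinary 10.254.1.0/24 pool never match and keep their real address,
! so the remote ASA's existing ACL still applies to them unchanged.
access-list PRIV-TO-REMOTE extended permit ip 10.254.2.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (outside) 100 access-list PRIV-TO-REMOTE
! One global address means PAT: all matching clients share 10.3.1.254, which must
! therefore be unused on the real 10.3.1.0/24 LAN.
global (outside) 100 10.3.1.254

! VPN client traffic arrives on "outside" and leaves on "outside" toward the L2L peer.
same-security-traffic permit intra-interface

! --- Equivalent on ASA 8.3 and later (object NAT / twice NAT syntax) ---
! Assumed object names; same addresses as above.
object network LAN-10-3-1
 subnet 10.3.1.0 255.255.255.0
object network PRIV-POOL-NET
 subnet 10.254.2.0 255.255.255.0
object network REMOTE-NET
 subnet 192.168.100.0 255.255.255.0
object network MASQ-HOST
 host 10.3.1.254
! identity NAT replaces the old "nat 0 access-list" exemption for the real LAN hosts
nat (inside,outside) source static LAN-10-3-1 LAN-10-3-1 destination static REMOTE-NET REMOTE-NET
! privileged pool -> remote net only: PAT to 10.3.1.254, hairpinned outside to outside
nat (outside,outside) source dynamic PRIV-POOL-NET MASQ-HOST destination static REMOTE-NET REMOTE-NET
same-security-traffic permit intra-interface
```

The local crypto ACL for the L2L tunnel already has to match 10.3.1.0/24 to 192.168.100.0/24 for the existing hosts, and 10.3.1.254 falls inside that range, so neither the local crypto ACL nor anything on the remote ASA needs to change. Because the translation is PAT to one address, the remote side will see all privileged clients as 10.3.1.254; remote-side logs can no longer tell them apart, so any per-user accounting has to come from the RADIUS/DAP side on the main-site ASA.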
05-28-2013 01:01 PM
That's what I thought I needed for NATting, but that will map all of my 10.154.1 AnyConnect clients to 10.3.1.254 for all access, correct? That's a problem, as it will give all AnyConnect clients access to the 192.168.100 network since they are NATting on the 10.3.1 address, and I only want certain AnyConnect clients to operate this way by way of VPN group policy.
I guess I could still make the above work using a more restrictive ACL for VPN clients. Today all clients get access to HTTP on all hosts in the 192.168.100 network by way of an ACL on the remote ASA, and I would need to replicate that in my AnyConnect group policy ACL, restricting non-privileged clients to only the web access and the privileged clients to wider access for other services.
05-28-2013 01:31 PM
Hi,
Are you having the ASA authenticate and give IP addresses to the VPN clients? Or do you otherwise control which user gets which IP address from the VPN pool?
Or how were you going to define the users which should be able to access the remote site?
- Jouni
05-28-2013 01:51 PM
Yes, an ASA pool is used for the 10.254.1 block. We use RADIUS for auth and LDAP for the group check, which assigns a dynamic access policy.