10-04-2007 03:38 AM - edited 03-11-2019 04:20 AM
Hi,
Because the same subnet is in use on the local networks of two sites, we have configured overlapping NAT on an IPSec VPN tunnel using ASA 7.0, and it is working fine.
But now, on the site where the overlap NAT has been configured, users cannot access the internet. If we bring down the VPN tunnel, then the global PAT works fine.
Please guide me ASAP!!
Thanks
Vikas
10-04-2007 03:53 AM
Hi Vikas
From the description you give it sounds like you need to do policy NAT, i.e. NAT the source IP addresses differently depending on whether they are going down the VPN tunnel or whether they are going to the internet.
Could you give some addressing and config to clarify what you are trying to achieve.
Jon
10-04-2007 06:27 AM
Thanks Jon for the reply
Here is the config. We want users from the local site to access the internet and, at the same time, the VPN tunnel to also work.
name 172.26.1.0 LOCAL_LAN
name 10.97.0.0 DNA-LAN
name 194.193.109.212 DNA-FW
object-group network PARKROYAL-NAT
description NATed subnet from 172.16.1.0 to 192.168.100.0 on IPSec Tunnel
network-object 192.168.100.0 255.255.255.0
object-group network DNA-LAN
description Inside LAN of the DNA subnet
network-object 10.97.0.0 255.255.0.0
global (outside) 1 interface
nat (inside) 1 LOCAL_LAN 255.255.255.0
access-list nonat extended permit ip LOCAL_LAN 255.255.255.0 object-group DNA-LAN
access-list CRYPTO-DNA-VPN extended permit ip object-group PARKROYAL-NAT object-group DNA-LAN
access-list acl-outside extended permit tcp host DNA-SER host 193.167.190.55 eq 3389
access-list acl-outside extended permit tcp host DNA-SER host 193.167.190.56 eq 3389
access-list acl-outside extended permit tcp host DNA-SER host 193.167.190.57 eq 3389
access-list acl-outside extended permit tcp any host 193.167.190.54 eq www
access-list acl-outside extended permit tcp any host 193.167.190.55 eq www
access-list acl-outside extended permit tcp any host 193.167.190.56 eq www
access-list acl-outside extended permit tcp any host 193.167.190.57 eq www
access-list acl-outside extended permit tcp any host 193.167.190.57 eq https
access-list acl-outside extended permit tcp host DNA-SER host 193.167.190.54 eq 1935
access-list acl-outside extended permit tcp host DNA-SER host 193.167.190.54 eq 3389
static (inside,outside) 193.167.190.55 172.16.1.4 netmask 255.255.255.255
static (inside,outside) 193.167.190.56 172.16.1.5 netmask 255.255.255.255
static (inside,outside) 193.167.190.57 172.16.1.6 netmask 255.255.255.255
static (inside,outside) 193.167.190.54 172.16.1.3 netmask 255.255.255.255
access-group acl-outside in interface outside
crypto ipsec transform-set DESMD5 esp-des esp-md5-hmac
crypto map DNAVPN 50 match address CRYPTO-DNA-VPN
crypto map DNAVPN 50 set peer DNA-FW
crypto map DNAVPN 50 set transform-set DESMD5
10-04-2007 09:19 AM
Hi
nat (inside) 2 access-list nonat
global (outside) 2 192.168.100.0 255.255.255.0
This should NAT your 172.16.1.x clients to 192.168.100.x when going down the VPN tunnel, but if going out to the internet the PAT on the outside interface should be used.
HTH
Jon
10-04-2007 09:49 AM
Hi Jon,
Thanks for reply.
Sorry, I missed one line of the NAT rule.
static (inside,outside) 10.97.0.0 192.168.100.0 netmask 255.255.255.0
which NATs the inside subnet to 192.168.100.0 for the VPN tunnel.
We already configured the PAT for internet access.
nat (inside) 1 LOCAL_LAN 255.255.255.0
global (outside) 1 interface
10-04-2007 09:54 AM
Hi
I'm a bit confused. What is the internal network,
172.16.x.x
or
10.97.0.0
Either way you can still use what I sent previously, i.e.
access-list nonat extended permit ip LOCAL_LAN 255.255.255.0 object-group DNA-LAN
access-list nonat extended permit ip 10.97.0.0 255.255.0.0 object-group DNA-LAN
nat (inside) 2 access-list nonat
global (outside) 2 192.168.100.0 255.255.255.0
You would need to remove the static statement.
Note that the number for the NAT and global statement is 2 because you have already used 1 for the PAT.
Jon
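The configuration below is an added example, not part of the thread: it pulls Jon's policy-NAT answer and the original poster's crypto lines into one ASA 7.x configuration so the whole picture can be checked. Assumptions: the real LAN behind this ASA is 172.16.1.0/24 (the thread's `static` entries and object-group description use 172.16.1.x even though the `name` line says 172.26.1.0); the policy-NAT ACL is called VPN-POLICY-NAT here instead of "nonat", since it is not a `nat 0` exemption list; the pool is written as an explicit range with the `netmask` keyword. Everything else (peer 194.193.109.212, pool 192.168.100.0/24, remote LAN 10.97.0.0/16, crypto map DNAVPN, transform set DESMD5) comes from the thread. The remote peer must configure the mirror image. Two caveats a practitioner should keep in mind: the ASA evaluates policy dynamic NAT (a `nat` line with an access-list) before regular dynamic NAT regardless of the NAT id numbers, so precedence comes from the ACL, not from id 2 versus id 1; and the thread's transform set is single DES with MD5, which ASA 7.0 already allows you to replace with esp-3des or esp-aes plus esp-sha-hmac (the name DESMD5 is kept here only so the crypto map lines match the original).

```cisco
! Added example (not the thread's own configuration). Assumed: real LAN
! 172.16.1.0/24, ACL name VPN-POLICY-NAT. Remote LAN is 10.97.0.0/16 and
! the tunnel sees this site only as 192.168.100.0/24.

object-group network DNA-LAN
 description Inside LAN of the remote (DNA) site
 network-object 10.97.0.0 255.255.0.0
object-group network PARKROYAL-NAT
 description Translated identity of 172.16.1.0/24 inside the tunnel
 network-object 192.168.100.0 255.255.255.0

! 1) Policy-NAT ACL: selects only traffic destined for the remote LAN.
access-list VPN-POLICY-NAT extended permit ip 172.16.1.0 255.255.255.0 object-group DNA-LAN

! 2) Dynamic policy NAT, id 2: 172.16.1.x -> 192.168.100.x, one-to-one
!    from the pool, applied only to packets matching the ACL above.
!    Policy NAT is matched before regular dynamic NAT, so id 2 wins for
!    tunnel traffic even though id 1 is listed for the same hosts.
nat (inside) 2 access-list VPN-POLICY-NAT
global (outside) 2 192.168.100.1-192.168.100.254 netmask 255.255.255.0

! 3) Regular dynamic PAT, id 1: everything that did not match the ACL
!    (internet traffic) leaves on the outside interface address.
nat (inside) 1 172.16.1.0 255.255.255.0
global (outside) 1 interface

! 4) The crypto ACL must match the TRANSLATED source, 192.168.100.0/24,
!    because NAT happens before the packet is matched against the map.
access-list CRYPTO-DNA-VPN extended permit ip object-group PARKROYAL-NAT object-group DNA-LAN
crypto ipsec transform-set DESMD5 esp-des esp-md5-hmac
crypto map DNAVPN 50 match address CRYPTO-DNA-VPN
crypto map DNAVPN 50 set peer 194.193.109.212
crypto map DNAVPN 50 set transform-set DESMD5

! Remove the thread's static line. Its argument order is
! static (real_ifc,mapped_ifc) mapped_ip real_ip, so
!   static (inside,outside) 10.97.0.0 192.168.100.0 netmask 255.255.255.0
! presents real 192.168.100.0/24 as 10.97.0.0/24, which is not the
! translation this design needs; the dynamic policy NAT replaces it.

! Verification (ASA 7.0 commands), after a client reaches both a
! 10.97.x.x host and a public host:
!   show xlate            one 172.16.1.x -> 192.168.100.x entry (tunnel)
!                         plus 172.16.1.x -> <outside-ip>/port entries (PAT)
!   show crypto ipsec sa  encaps/decaps counters increasing for the
!                         192.168.100.0/24 <-> 10.97.0.0/16 SA
```

If `show xlate` shows only PAT entries for a host that is talking to 10.97.x.x, the policy ACL did not match (check the destination object-group and the real source subnet); if the xlate is right but the SA counters stay at zero, the crypto ACL or the peer's mirror ACL is still written against 172.16.1.0/24 instead of the translated range.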
10-15-2007 08:53 AM
Hi Jon,
I solved problem with your solution.
Extremely thankful.
10-04-2007 05:01 AM
Vikas,
The URL below discusses Policy NAT, which should resolve your issue.
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/cfgnat.html#wp1042553
Regards,
Arul
10-15-2007 08:54 AM
Hi Arul,
Good document!! It cleared all my problems.
Thanks
Vikas