The outside interface of the ASA is the endpoint for remote access clients. RA clients receive 172.5.x.0 IPs. I created a sub-interface in the DMZ with the IP x.x.x.71. I will establish a site-to-site to that subinterface. Question is..
RA clients should be able to reach an IP address at the remote peer of the site-to-site VPN established on the subinterface. But the remote peer does not want to allow 172.5.x.0 at their site. They want to see a real IP. Here is what I thought:
Do a conditional NAT for the 172.5.x.0 network to the subinterface IP by adding the following. The subinterface has a security level of 3, and outside has 0.
access-list 101 permit ip 172.5.x.0 255.255.255.0 <remote LAN> <remote mask>
nat (inside) 10 access-list 101
global (subinterface) 10 interface
And I get:
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
Should I type:
nat (outside) 5 172.5.x.0 255.255.255.0 outside
Or should I change the security level of outside to 1 and the subinterface to 0? What effects would that cause? Is that it? How should the split tunneling work from now on?
I used packet-tracer and watched a packet from 172.5.x to the remote LAN, but it does not walk through my conditional NAT. It first goes through the route
route subinterface remotelan remotemask subintgateway
then, instead of walking through the conditional NAT, it walks through the outside route and I get:
6 Oct 19 2007 19:49:01 109025 172.5.x.88 x.175.x.193 Authorization denied (acl=SCSVPN01_restrict) for user 'testbayi' from 172.5.x.88/1499 to x.175.x.193/80 on interface outside using TCP
Any help is much appreciated.
I don't want to permit same security traffic.
You should first try the command "nat (outside) 5 172.5.x.0 255.255.255.0 outside", and if this is not working then you can change the security level of outside to 1 and the subinterface to 0. Another workaround could be to configure hairpinning on the ASA.
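The following is an added ASA 7.x/8.0-style configuration example, not taken from either post, showing the original attempt next to the policy (ACL-based) form of the reply's suggestion. The interface name dmz-vpn, the pool 172.5.1.0/24, the remote LAN 10.20.0.0/24 and the placeholder <dmz-vpn-ip> are assumed values standing in for the ones masked in the question.

```cisco
! Added example (not from the original thread). Assumed names/addresses:
!   dmz-vpn      = the DMZ subinterface (security level 3) that terminates the L2L tunnel
!   172.5.1.0/24 = remote-access client pool
!   10.20.0.0/24 = remote LAN behind the site-to-site peer
!   <dmz-vpn-ip> = placeholder for the subinterface address (x.x.x.71 in the post)

! --- Original attempt ---------------------------------------------------
! The nat statement is bound to "inside", but RA client traffic enters the
! ASA on "outside", so packet-tracer never hits this rule and the ASA warns
! that the "outside" keyword is probably missing.
access-list 101 extended permit ip 172.5.1.0 255.255.255.0 10.20.0.0 255.255.255.0
nat (inside) 10 access-list 101
global (dmz-vpn) 10 interface

! --- Corrected form -----------------------------------------------------
! Bind the policy NAT to the interface the packets arrive on and add the
! "outside" keyword, because the flow goes from a lower security interface
! (outside, 0) to a higher one (dmz-vpn, 3). Only traffic matching ACL 101
! is translated to the subinterface address; all other traffic from the pool
! keeps its 172.5.x source, so split tunneling and other RA flows are not
! affected and no same-security or intra-interface permit is needed.
no nat (inside) 10 access-list 101
nat (outside) 10 access-list 101 outside
global (dmz-vpn) 10 interface

! The crypto ACL for the site-to-site tunnel on dmz-vpn must match the
! translated source (the subinterface address), not the 172.5.x pool, since
! NAT is applied before the packet is matched against the crypto map.
access-list l2l-to-remote extended permit ip host <dmz-vpn-ip> 10.20.0.0 255.255.255.0

! The RA group policy's split-tunnel list must also include 10.20.0.0/24,
! otherwise clients send that traffic outside the tunnel and it never
! reaches the ASA at all.
```

Verify with packet-tracer from the outside interface with a source in the pool and a destination in the remote LAN: the NAT phase should now show the rule above and the egress interface should be dmz-vpn rather than outside.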