VPN - NAT help needed

Unanswered Question
Dec 19th, 2007

This is what I have.

Internal Network: 192.168.0.0/16

Outside patted interface: 66.66.66.66

ASA5520 setup for VPN.

ASA5520 gives out IP 192.168.3.0/24

Split-tunneling is enabled and tunnels 192.168.0.0/16

In the split-tunnel list I also add a public IP 209.12.12.0/24

I connect with the VPN and get IP 192.168.3.60 which is correct.

I see that VPN has created routes for me:

192.168.3.0 / 24 via 192.168.3.60

192.168.0.0 / 16 via 192.168.3.60

209.12.12.0 / 24 via 192.168.3.60

My objective is to access 209.12.12.15 from the VPN as if it is coming from the patted (66.66.66.66) outside interface on the firewall.

Using the VPN wizard I get an exemption for any traffic to 192.168.3.0.

Keep in mind all 192.168.0.0/16 traffic uses pat for internet access.

I try accessing 209.12.12.15 on port 80 and get this.

6|Dec 19 2007|14:25:08|106015|209.12.12.15|66.66.66.66|Deny TCP (no connection) from 209.12.12.15/80 to 66.66.66.66/8699 flags ACK on interface outside

6|Dec 19 2007|14:25:06|302013|192.168.3.60|209.12.12.15|Built inbound TCP connection 224060 for outside:192.168.3.60/1275 (192.168.3.60/1275) to outside:209.12.12.15/80 (209.12.12.15/80) (user)

Is there any way I can fix this without disabling split-tunneling?

Do I need some NATting somewhere?

acomiskey Wed, 12/19/2007 - 11:51

So what you are saying is that you have something like this...

static (inside,outside) 209.12.12.15 192.168.x.x netmask 255.255.255.255

If so then you will need to do something like this to your nat exemption acl...

access-list nat0 extended deny ip host 192.168.x.x 192.168.3.0 255.255.255.0

access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 192.168.3.0 255.255.255.0

The problem is that the traffic from the server to the VPN client is exempted from NAT; adding the deny statement will allow it to be NATted.
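
Worked configuration (added here, not posted by either participant in the thread): pre-8.3 ASA NAT syntax for the objective stated in the question, where VPN clients in 192.168.3.0/24 reach 192.168.0.0/16 untranslated but are PATted to the outside interface address (66.66.66.66) when their traffic to 209.12.12.0/24 hairpins back out of the outside interface. It assumes 209.12.12.15 is an external host; if it is instead a static translation of an inside server, the nat0 deny in the reply above is the relevant change. The interface names, pool name, group-policy name and NAT ID 1 are assumptions.

```cisco
! Added example, not the poster's running config.
! Interface names (inside/outside), pool and group-policy names and NAT ID 1 are assumptions.

! Decrypted VPN traffic arrives on "outside"; let it leave via the same interface (hairpin).
same-security-traffic permit intra-interface

! Address pool handed to VPN clients (the thread's 192.168.3.0/24).
ip local pool vpnpool 192.168.3.1-192.168.3.254 mask 255.255.255.0

! Split-tunnel list: the internal /16 plus the public /24 that must be reached through the ASA.
access-list split-tunnel standard permit 192.168.0.0 255.255.0.0
access-list split-tunnel standard permit 209.12.12.0 255.255.255.0

group-policy vpnclients attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel

! NAT exemption: inside hosts and VPN clients talk with real addresses, no PAT.
access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nat0

! Internal network is PATted to the outside interface address for internet access,
! as the question states.
nat (inside) 1 192.168.0.0 255.255.0.0
global (outside) 1 interface

! The piece that is usually missing: VPN client traffic enters on "outside", so the
! pool needs its own nat statement on that interface. Without it the hairpinned
! connection is built with source 192.168.3.60 (the 302013 "outside ... to outside"
! line in the question) instead of 66.66.66.66, and the 209.12.12.15 reply is dropped.
nat (outside) 1 192.168.3.0 255.255.255.0
```

With this in place a VPN client's connection to 209.12.12.15 should appear in `show conn` as outside-to-outside with the client's source translated to the interface address, and `show xlate` should list a PAT entry for 192.168.3.60. The 302013 message in the question already shows an outside-to-outside connection being built, so intra-interface traffic is being permitted; what that connection lacks is a translated source.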
