ASA 8.x AnyConnect VPN Client VPN and Double NAT

Got a little bit of a dilemma. Wondering if anyone knows how to do the following:

Got a host connected to an ASA in a datacenter via the AnyConnect VPN Client. No problems there. Trying to reach a host behind a MonoWall NAT. The MonoWall is already NATing behind an IP that the client can reach ok, but I'd like to be able to reach the host from the VPN client via the IP address behind the MonoWall. Basically, it's set up like this:

192.168.20.3 -- (MonoWall NAT)10.3.25.32 -- 10.3.25.1(router)10.3.100.1 -- 10.3.100.10(ASA) -- 10.3.251.73(AnyConnect VPNHost)

I can ping 10.3.25.32 ok. I can't ping 192.168.20.3.

s0324681 Thu, 04/10/2008 - 13:20

The MonoWall would have to support no-nat based on access-list policy (set a rule to no-nat that host when destined to the VPN client host(s)) and then every intermediate hop would need a route to that host's no-nat address (192.168.20.3), including the ASA. Of course, there's probably a reason NAT was implemented to shield that part of the network and now it's being circumvented.

Thanks for the response. Actually, it's to shield the rest of the network. Bypassing NAT is not what we'd like. What I'm hoping for is some way to change the source packet's destination from the 192.x.x.x to the 10.x.x.x. Routing for 10.x.x.x is already in place. I'm trying to get each end point on each side to only deal with the local subnets that each end point is located in. Thanks.
