Cisco ASA 5505 - NAT over a VPN

rhh_bytron
Level 1

Dear all,

I've been trying to configure a Cisco ASA 5505 to connect to a remote VPN. Once connected, all traffic should then present itself from one IP over the VPN using NAT. I have two VLANs called inside and outside. The inside IP is 192.168.20.0/24, the outside is 217.XX.XX.XX. NAT is enabled but refuses to work over the VPN. The ASA 5505 trace path facility shows the VPN thinks it's exempt from the NAT rule. Why?

I want all traffic to present itself as 192.168.20.210.

I would also like to say I know next to nothing about Cisco routers. This is the first one I've configured; therefore, some of my settings may be way off the mark.

Thanks

4 Replies

a.alekseev
Level 7

you have "vpnclient mode network-extension-mode"

use instead "vpnclient mode client"

I have made the change, but my VPN traffic still has the wrong NAT IP.

ggilbert
Cisco Employee

Hello,

Just like the previous person said, you can use vpnclient mode as client and turn off NEM. But here is the issue.

You have to assign a different address pool to the EzVPN client (in this case your ASA 5505) not the same as its internal network. So, it should be something like 192.168.10.x.

Rate this post if it helps.

Thanks

Apologies, but I made a mistake on my first post.

The VPN connects to a server and gets assigned an IP of 172.18.234.225. This IP differs from my inside and outside interfaces. I have been asked to ensure all traffic down the VPN is NAT'd, using 172.18.234.225 as the NAT address. The tech guys of the VPN server I connect to keep saying that my IP is showing as 192.168.20.XXX (My internal address); hence, all my traffic is blocked by their system.

The NAT line someone suggested is:

static (inside,outside) 172.18.234.225 192.168.20.XXX netmask 255.255.255.255

Although, when I run the following command:

show vpnclient detail

I get the following

----------------------------------
LOCAL CONFIGURATION
vpnclient server 193.XX.XX.XX
vpnclient mode client-mode
vpnclient vpngroup GROUP1 password ********
vpnclient username GROUP password ********
vpnclient enable

MISCELLANEOUS INFORMATION
- Key exchange is based on Pre-Shared Key
- Traffic from, or through Cisco Easy VPN Remote will initiate a connection attempt.

STORED POLICY
Secure Unit Authentication Enabled : Policy not stored
Split Tunnel Networks : None
Backup Servers : None

RELATED CONFIGURATION
nat (inside) 0 access-list _vpnc_nwp_acl
access-list _vpnc_nwp_acl extended permit ip any any
aaa authentication match _vpnc_nwp_acl inside _vpnc_nwp_server
aaa authentication match _vpnc_nwp_acl _internal_loopback _vpnc_nwp_server
crypto ipsec transform-set _vpnc_tset_1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_2 esp-aes-256 esp-md5-hmac
----------------------------------

The line that concerns me is:

nat (inside) 0 access-list _vpnc_nwp_acl

I believe that is saying my VPN traffic bypasses the NAT rules. This line does not show when I run show run.
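To see why that line matters, here is a small model of the pre-8.3 ASA NAT order of operations (NAT exemption via nat 0 access-list is evaluated before static translations) run over the lines quoted in this thread. It is an added illustration, not code from the thread or from Cisco; the host addresses 192.168.20.50 and 10.20.30.40 are constructed placeholders for the masked 192.168.20.XXX host and a host behind the VPN server.

```python
import ipaddress
import re

# Constructed sample, not the poster's full config: the NAT-related lines quoted in
# the thread (pre-8.3 ASA syntax). 192.168.20.50 stands in for the masked
# 192.168.20.XXX host; 10.20.30.40 is an arbitrary host behind the VPN server.
CONFIG_AS_POSTED = """
access-list _vpnc_nwp_acl extended permit ip any any
nat (inside) 0 access-list _vpnc_nwp_acl
static (inside,outside) 172.18.234.225 192.168.20.50 netmask 255.255.255.255
"""
# The same config with the exemption line absent, for comparison.
CONFIG_WITHOUT_EXEMPTION = "\n".join(
    l for l in CONFIG_AS_POSTED.splitlines() if not l.startswith("nat (inside) 0"))

def parse_config(text):
    """Collect ACL entries, NAT-exemption ACL names and static translations."""
    acls, exempt_acls, statics = {}, [], []
    for line in text.strip().splitlines():
        m = re.match(r"access-list (\S+) extended permit ip (\S+) (\S+)$", line)
        if m:  # only 'any' or a bare host address is modelled here
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            continue
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)", line)
        if m:
            exempt_acls.append(m.group(2))
            continue
        m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", line)
        if m:
            statics.append((m.group(4), m.group(3)))  # (real address, mapped address)
    return acls, exempt_acls, statics

def _acl_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(spec) == ipaddress.ip_address(addr)

def translated_source(config_text, src, dst):
    """Source address the packet leaves with, and the rule that decided it.
    Pre-8.3 order of operations: NAT exemption (nat 0 access-list) is checked
    before static translations, so a matching exemption wins over the static."""
    acls, exempt_acls, statics = parse_config(config_text)
    for name in exempt_acls:
        for s, d in acls.get(name, []):
            if _acl_match(s, src) and _acl_match(d, dst):
                return src, f"exempt: nat 0 access-list {name}"
    for real, mapped in statics:
        if real == src:
            return mapped, f"static {real} -> {mapped}"
    return src, "no translation"

if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED),
                       ("without nat 0", CONFIG_WITHOUT_EXEMPTION)):
        print(label, translated_source(cfg, "192.168.20.50", "10.20.30.40"))
```

With the exemption present the inside host leaves untranslated as 192.168.20.50, which is exactly what the VPN server's operators reported seeing; without it the static maps the same host to 172.18.234.225.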
