ip local pool SNAT

Jul 18th, 2008

Hi,


Is there a way to masquerade the incoming VPN client pool on the DMZ interface to access the DMZ net?


I tried with dynamic policy NAT, without success.


I already use this pool to access the local LAN via the VPN client.


Is a dedicated pool a better choice?


NB: the device is an ASA 5510 Sec Plus.


Cordially,

Régis



husycisco Fri, 07/18/2008 - 09:45

Hello Regis,

"Is there a way to masquerade the incoming VPN client pool on the DMZ interface to access the DMZ net?"

Can you explain why you need that?

"I already use this pool to access the local LAN via the VPN client."

That doesn't matter; you can use the same pool to access both the DMZ and the inside. All you need is to add a NAT exempt statement for the DMZ:


access-list dmz_nat0_outbound permit ip dmzpool dmzmask vpnpool vpnmask

nat (dmz) 0 access-list dmz_nat0_outbound


Regards

regis.touvron Mon, 07/21/2008 - 01:33

Hello Huseyin,


I called it the "dmz" interface because it is a kind of DMZ: it is an interface with a security level between the "outside" and the "inside" interfaces.


But for our needs, I have to NAT all outgoing connections on this interface. It works fine from the inside zone, but I cannot get the same functionality for the VPN pool coming in on the outside interface.


Cordially,

Régis

regis.touvron Mon, 07/21/2008 - 01:57

Hello Huseyin,


I have been able to do what I explained before.


In fact I had to do two things:


1- Put a dynamic policy NAT on the outside interface (source: IP pool, destination: "dmz" network)?!

2- Add the exempt statement as you specified (as I usually do for other VPN clients).


I don't understand why the IPs of the VPN pool are terminating on the outside interface?!


By the way, I was thinking that it was specified by the "management-access" statement, which is the inside interface!


Cordially,

Régis

PS: sorry for my poor English.



husycisco Mon, 07/21/2008 - 08:15

Regis,

The NAT exempt statement that I suggested is actually bidirectional; that's why you shouldn't need a dynamic policy NAT on the outside interface.


"I don't understand why the IPs of the VPN pool are terminating on the outside interface?!"

There is a general misconception about VPNs, that they are referred to as "extending the internal network securely to the outside". This also leads some IT professionals to configure VPN pools that are in the same subnet as the inside network. This is wrong. VPN is generally used for establishing a secure connection between trusted and untrusted networks. Establishing dynamic routing protocol connectivity, and securing TFTP, syslog and some other critical data within a campus, are some other kinds of VPN implementations.

After that intro, the brief answer to your question is: "VPN clients are terminated on whichever interface you assign the crypto map to, and they use the IP address of the interface that the crypto map is assigned to."

The management-access command has no relation to your issue.

Since I couldn't understand the nature of your inquiry, I can't make further suggestions, but I assume you got it sorted out.


Regards

regis.touvron Tue, 07/22/2008 - 00:04

Huseyin,


Thanks for this information.


The nature of my inquiry is:


Everyone connecting through the IPsec VPN client should be seen with the IP address of the outgoing interface (e.g. DMZ).


And the only way to sort it out is to do the dynamic policy NAT on the outside interface.

The NAT exempt statement alone is not sufficient.


I'm a bit confused by this philosophy. :-)


Thanks again for your time Huseyin.


Régis

husycisco Tue, 07/22/2008 - 04:47

Regis,

Thanks for the clarification. Now I get the issue :)

Forget about my NAT exempt statement. Here is what you have to do:


access-list outside_nat_inbound permit ip vpnpool vpnmask dmznetwork dmznetmask

nat (outside) 1 access-list outside_nat_inbound outside

global (dmz) 1 interface


With the above config, the VPN clients' IP addresses, which are terminated at the outside interface, will be translated to the DMZ interface IP when they try to reach the DMZ network.


Regards
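The two answers above use placeholder names (vpnpool, dmznetwork, etc.). Below is an added, complete pre-8.3 ASA configuration that ties them together: the NAT exemption from the first answer for the inside network, and the policy PAT from the last answer for the DMZ. It is not configuration from the thread; the interface names, the pool 10.10.10.0/24, the inside network 192.168.1.0/24, the DMZ network 172.16.1.0/24 and the test hosts are all assumed for illustration.

```cisco
! Added example (not from the thread). Assumed addressing:
!   inside  192.168.1.0/24
!   dmz     172.16.1.0/24, ASA dmz interface address 172.16.1.1
!   VPN pool 10.10.10.0/24, crypto map applied to the outside interface
! Syntax is ASA 7.x/8.0-8.2 (pre-8.3 NAT).

! The remote-access pool. Clients terminate on the interface carrying the
! crypto map (outside), so their pool addresses arrive "from" outside.
ip local pool VPNPOOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! Inside: VPN clients keep their pool address. nat 0 with an ACL is an
! identity translation and is bidirectional, so inside hosts can also
! reach the clients by their pool address.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! DMZ: VPN clients are hidden behind the dmz interface address.
! The trailing "outside" keyword tells the ASA to translate traffic that
! enters on the outside interface (outside NAT); without it the nat line
! would only match traffic leaving through outside.
access-list outside_nat_inbound extended permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (outside) 1 access-list outside_nat_inbound outside
global (dmz) 1 interface

! Verification (assumed client 10.10.10.5 opening TCP/80 to DMZ host 172.16.1.10):
! packet-tracer input outside tcp 10.10.10.5 1025 172.16.1.10 80
! show xlate | include 10.10.10.5
```

Two consequences worth checking before relying on this: `global (dmz) 1 interface` is a PAT, so it is one-way (DMZ hosts cannot initiate connections to a VPN client by its pool address, unlike the inside exemption), and any access-list applied to the dmz interface that should match these clients has to reference the dmz interface address as the source, not 10.10.10.0/24. Also note that `sysopt connection permit-vpn` (on by default) lets decrypted VPN traffic bypass the outside interface ACL, so the DMZ-side ACL and the policy NAT are the only controls in that path.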
