Trying to perform multiple tasks on one ASA

Aug 24th, 2009

Hello All,

I have a problem.

I would like to perform the following on one ASA.

I have users that need to get to our company remotely so I have set up Remote access VPN for them and this works fine.

Now we have a customer that requires these people to access their equipment for remote diagnostics.

This company has provided us with an IP address that we must use when trying to reach their network, so I will have to NAT (PAT) our VPN users' IP addresses to the single IP from our customer. The link to this customer (IPSec) runs from the SAME ASA as the Remote VPN users.

So, to give a short description of what I am trying to do, here it is again:

Remote user -> Outside interface -> NAT/PAT -> Outside interface -> IPSec tunnel to customer.

Is this possible? I have not managed to configure this in any way, shape or form. Although I do have other IPSec tunnels ending on the ASA that do not use NATting and these are reachable for the remote users - so basically my problem is with the NAT/PAT bit....

I have also thought of doing this over 2 ASAs. Check my diagram out and tell me what you think....

Please help

Fraser Reid Tue, 08/25/2009 - 13:23

So with only 1 ASA I then have the outside interface for both the remote users and the customer VPN.

I also have a DMZ where the same IP address range is used as with the remote users.

Do I then attach the Policy NAT to the Outside Interface or to this DMZ ?

I don't want to mess around too much as this is live.......

Thanks for your help so far Andrew

Sorry now I am confused - on your diagram the ASA that connects to the HQ has an inside IP of

The ASA that connects to remote VPN users has an inside IP of

Both devices have different outside IP addresses - how is this possibly 1 device? Unless you are running multiple contexts - in which case this will never work.

Fraser Reid Wed, 08/26/2009 - 21:54

Andrew - my diagram is what I reckon I have to do.

But what I would LIKE to do is everything on 1 ASA.

I have done a quick Drawing of what I would like - hope it is easier to understand.

Remote user comes in on the outside interface.

The remote user IP gets N/PATted

The NATted IP is then allowed to traverse the VPN to the Customer HQ.

Can this work on 1 ASA ?


Remote user IP

Gets N/PATted to

Then it is allowed to reach at customer HQ over the VPN.

Otherwise I will have to build up what I have on the Diagram

Fraser Reid Thu, 08/27/2009 - 00:53

Thanks Andrew !

Just one more question - for the Customer VPN ACL I reckon I put the NATted address as source, right? And not the original remote VPN IP....

Or two.... The Dynamic Policy NAT ACL would then be source = pre-NAT remote user IP and destination = customer IP, right?

then this should work......

I also have

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

already in the config - this is what you meant right ?

Correct Answer

You would need a dynamic NAT for VPN client IPs to the HQ IP subnet.

You will also need a no-nat on that as well - and lastly you will need to add the NAT address of the VPN IP subnet to the encryption domains to the HQ VPN, they also need the NAT address on the remote end.
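One way to put the pieces from this answer together on a single ASA, as an added example that is not from the thread (pre-8.3 NAT syntax, since the thread dates from 2009; every address and every name such as VPN_TO_CUST_NAT, OUTSIDE_MAP, ESP-AES-SHA and RA_POLICY is a constructed placeholder, and the IKE policy, tunnel-group and pre-shared key are assumed to exist already):

```cisco
! Added example, not the poster's config. Constructed placeholder addresses:
!   10.10.10.0/24    remote-access VPN client pool (pre-NAT source)
!   203.0.113.10     the single address the customer told us to source from
!   192.168.50.0/24  customer HQ network behind the site-to-site tunnel
!   198.51.100.1     customer's IPsec peer
!
! Clients enter on outside and leave on outside (hairpin), so permit it
same-security-traffic permit intra-interface
!
! Dynamic policy NAT: only VPN clients talking to the customer network are
! translated; everything else they do keeps its pool address
access-list VPN_TO_CUST_NAT extended permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (outside) 5 access-list VPN_TO_CUST_NAT
! A single global address means PAT: all clients share 203.0.113.10
global (outside) 5 203.0.113.10
!
! Caveat: NAT exemption (nat 0 access-list) is evaluated before policy NAT,
! so any existing no-NAT ACL for the VPN pool must not also match the
! customer subnet, or the translation above never fires
!
! Crypto ACL uses the post-NAT address as source; the customer mirrors it
! (source 192.168.50.0/24, destination host 203.0.113.10) on their end
access-list CUST_CRYPTO extended permit ip host 203.0.113.10 192.168.50.0 255.255.255.0
crypto map OUTSIDE_MAP 20 match address CUST_CRYPTO
crypto map OUTSIDE_MAP 20 set peer 198.51.100.1
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! If split tunnelling is in use, the client must send the customer subnet
! into its tunnel in the first place
access-list RA_SPLIT standard permit 192.168.50.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_SPLIT
```

After a client connects and sends traffic to the customer subnet, `show xlate` should show the pool address translated to 203.0.113.10 and `show crypto ipsec sa` should show a security association whose local identity is that host address.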

