537 Views | 0 Helpful | 9 Replies

Trying to perform multiple tasks on one ASA

Fraser Reid
Level 1

Hello All,

I have a problem.

I would like to perform the following on one ASA.

I have users that need to get to our company remotely so I have set up Remote access VPN for them and this works fine.

Now we have a customer that requires these people to access their equipment for remote diagnostics.

This company has provided us with an IP address that we must use when trying to reach their network, so I will have to NAT (PAT) our VPN users' IP addresses to the single IP from our customer. The link to this customer (IPSec) runs from the SAME ASA as the Remote VPN users.

So, to give a short description of what I am trying to do, here it is again:

Remote user -> Outside interface -> NAT/PAT -> Outside interface -> IPSec tunnel to customer.

Is this possible? I have not managed to configure this in any way, shape or form. Although I do have other IPSec tunnels ending on the ASA that do not use NATting, and these are reachable for the remote users - so basically my problem is with the NAT/PAT bit...

I have also thought of doing this over 2 ASAs. Check my diagram out and tell me what you think...

Please help


9 Replies

andrew.prince
Level 10

Have you tried:-

1) Same security interface routing - not required (viewed the diagram)

2) Policy-based NAT - src/dst for VPN? This will work.

HTH>

So with only 1 ASA I then have the outside interface for both the remote users and the customer VPN.

I also have a DMZ where the same IP address range is used as with the remote users.

Do I then attach the Policy NAT to the Outside Interface or to this DMZ?

I don't want to mess around too much as this is live...

Thanks for your help so far Andrew

Sorry, now I am confused - on your diagram the ASA that connects to the HQ has an inside IP of 10.10.11.1/30.

The ASA that connects to remote VPN users has an inside IP of 10.0.0.1/24.

Both devices have different outside IP addresses - how is this possibly 1 device? Unless you are running multiple contexts, in which case this will never work.

Andrew - my diagram is what I reckon I have to do.

But what I would LIKE to do is everything on 1 ASA.

I have done a quick drawing of what I would like - hope it is easier to understand.

Remote user comes in on the outside interface.

The remote user IP gets N/PATted.

The NATted IP is then allowed to traverse the VPN to the Customer HQ.

Can this work on 1 ASA?

i.e.

Remote user IP 10.0.0.1

gets N/PATted to 10.1.0.1,

Then it is allowed to reach 10.10.0.1 at customer HQ over the VPN.

Otherwise I will have to build up what I have on the diagram.

Yep - I see no obvious reason why you cannot do this.

You will need to use specific ACLs for the policy-based NAT, and also allow the same-security interface traffic - but other than that it's very doable.

HTH>

Thanks Andrew !

Just one more question - for the Customer VPN ACL I reckon I put the NATted address as source, right? And not the original remote VPN IP...

Or two... The Dynamic Policy NAT ACL would then be source = pre-NAT remote user IP and customer IP as dest, right?

Then this should work...

I also have

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

already in the config - this is what you meant right ?

You would need a dynamic NAT for VPN client IPs to the HQ IP subnet.

You will also need a no-nat on that as well - and lastly you will need to add the NAT address of the VPN IP subnet to the encryption domains to the HQ VPN, they also need the NAT address on the remote end.
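The pieces Andrew lists (policy NAT for client traffic bound for the HQ subnet, NAT exemption for everything else, the post-NAT address in the crypto ACL, and intra-interface hairpinning) put together as an added example. This is a constructed configuration, not the thread author's or Cisco's own: it uses the addresses from the thread (client pool 10.0.0.0/24, PAT address 10.1.0.1, customer HQ 10.10.0.0/24) and assumes pre-8.3 `nat`/`global` syntax, a customer peer of 203.0.113.1 (documentation address), an existing transform set named ESP-AES-SHA, and an existing "other site" subnet 192.168.50.0/24 that the clients reach without NAT. ACL and crypto map names are placeholders.

```cisco
! Constructed example (not from the thread). Pre-8.3 NAT syntax assumed.
! Client pool 10.0.0.0/24 arrives on "outside"; traffic to the customer HQ
! 10.10.0.0/24 is PATed to 10.1.0.1 and then leaves the same interface
! through the L2L tunnel to the customer.

! VPN client traffic enters and leaves the same (outside) interface.
same-security-traffic permit intra-interface

! NAT exemption (nat 0) is evaluated before policy NAT, so it must NOT
! match the HQ subnet or the PAT below would never be hit. Here the clients
! reach the other (non-NAT) site untranslated. 192.168.50.0/24 is assumed.
access-list OUTSIDE_NO_NAT extended permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (outside) 0 access-list OUTSIDE_NO_NAT

! Dynamic policy NAT: source = pre-NAT client pool, destination = HQ subnet.
! A single address in "global" means PAT, so every client appears as 10.1.0.1.
access-list VPN_TO_HQ_NAT extended permit ip 10.0.0.0 255.255.255.0 10.10.0.0 255.255.255.0
nat (outside) 10 access-list VPN_TO_HQ_NAT
global (outside) 10 10.1.0.1

! Crypto ACL (encryption domain) for the customer tunnel uses the
! post-NAT address. The customer side must mirror it:
! permit ip 10.10.0.0/24 -> host 10.1.0.1.
access-list HQ_CRYPTO extended permit ip host 10.1.0.1 10.10.0.0 255.255.255.0

crypto map OUTSIDE_MAP 20 match address HQ_CRYPTO
crypto map OUTSIDE_MAP 20 set peer 203.0.113.1
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! Verification (run from exec mode): simulate a client reaching the HQ host
! and confirm the NAT and VPN phases both show up before trusting the change.
! packet-tracer input outside tcp 10.0.0.1 12345 10.10.0.1 22
! show xlate | include 10.1.0.1
! show crypto ipsec sa peer 203.0.113.1
```

Two things worth checking before declaring this working on a live box: the remote-access group policy's split-tunnel ACL (if split tunnelling is used) must include 10.10.0.0/24, or the clients will never send that traffic into the VPN in the first place; and the customer must route 10.1.0.1 back over the tunnel, since from their side the whole client population is that one host. On ASA 8.3 and later the `nat`/`global` lines above are replaced by object or twice NAT, but the ordering concern (exemption before policy NAT) and the post-NAT address in the crypto ACL are unchanged.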

Thanks Andrew !

np - glad to help.
