Configuring PAT over VPN Tunnel to access a hosted APP

klmauldin2008
Level 1

Hey y'all,

Can anyone please provide direction on how to successfully PAT the plethora of 10.0.0.0/24 subnets I have onsite to a predetermined 172.x.x.x address for access specifically destined to a hosted web server via a site-to-site VPN tunnel? I am uncertain as to how to properly PAT the private address through the tunnel without inadvertently sending all users to the tunnel.

Here are the details:

- Users need access to a Time/Attendance hosted application accessible only via a secure site-to-site tunnel via the https://x.x.x.x website

- The application is hosted by a 3rd-party vendor and their requirement is to "hide users" (source IPs 10.0.0.0/24) behind a designated PAT'd address (172.x.x.x)

- Cisco ASA 5540 ver. 8.0

- permit port 443

Ultimately, the ACL will look like:

ip access-list extended ABC-crypto
 permit ip host x.x.x.x (website URL IP address) host 172.x.x.x

Any assistance is GREATLY appreciated

1 Reply

Herbert Baerten
Cisco Employee

It may depend on what kind of NAT config you already have (e.g. for the same clients connecting to the internet I suppose you already have a nat/global pair) but you'll need something like this:

access-list PAT-172 extended permit ip 10.0.0.0 255.0.0.0 host x.x.x.x
nat (inside) 1 access-list PAT-172
global (outside) 1 172.x.x.x

What this says is "for all traffic matching the ACL PAT-172, and going from inside to outside, PAT the source to 172.x.x.x".

I hope this helps

Herbert
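The following is an added, fuller ASA 8.0 configuration sketch for the scenario in this thread; it is not Herbert's or the original poster's config. It assumes interface names "inside" and "outside", an existing Internet PAT on NAT id 1, and uses placeholders: x.x.x.x for the hosted web server, 172.x.x.x for the vendor-assigned PAT address, y.y.y.y for the vendor's VPN peer, and OUTSIDE-MAP / ESP-AES-SHA for a crypto map and transform set that are assumed to exist. It puts the policy PAT on its own NAT id so the 172.x.x.x address is never chosen for ordinary Internet traffic, and writes the crypto ACL with the translated address as the local (source) side, because the ASA applies NAT before the crypto-map match on outbound traffic.

```cisco
! Added example (assumed names/placeholders; not from the thread).

! 1. Existing Internet PAT, assumed already present on NAT id 1.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! 2. Policy PAT: only inside traffic destined to the hosted app is
!    translated, and only to 172.x.x.x (separate NAT id 2).
access-list PAT-172 extended permit ip 10.0.0.0 255.0.0.0 host x.x.x.x
nat (inside) 2 access-list PAT-172
global (outside) 2 172.x.x.x

! 3. Crypto ACL uses the TRANSLATED source (local side first, remote
!    side second); a 10.x.x.x source would never match here because
!    NAT runs before the crypto map is evaluated.
access-list ABC-crypto extended permit ip host 172.x.x.x host x.x.x.x

! 4. Crypto map entry for the vendor peer (IKE policy, pre-shared key
!    and transform set assumed to be configured already).
crypto map OUTSIDE-MAP 10 match address ABC-crypto
crypto map OUTSIDE-MAP 10 set peer y.y.y.y
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! Caveat: a NAT exemption rule (nat (inside) 0 access-list ...) that
! also covers 10.0.0.0/8 -> x.x.x.x takes precedence over policy NAT
! and would leave the real 10.x address untranslated, so it would not
! match ABC-crypto and would not be sent through the tunnel.
```

Because the crypto ACL matches only host x.x.x.x, all other inside traffic keeps using the NAT id 1 PAT and the normal default route; nothing but the hosted-app flows is encrypted. To confirm on the ASA, `show xlate` should list translations to 172.x.x.x when a user browses the app, and `show crypto ipsec sa peer y.y.y.y` should show a security association whose local proxy identity is 172.x.x.x/255.255.255.255.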