Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
550
Views
0
Helpful
2
Replies

VPN user can't access Site-to-Site IPsec tunnel because of NAT

foundationis
Level 1
Level 1

‎04-28-2010 08:55 AM - edited ‎02-21-2020 04:37 PM

Hey everyone (IP addresses have been changed to protect the innocent),

we have a site-to-site tunnel setup for a SaaS. The tunnel works by NATing our outgoing IP address to one owned by the SaaS company.

example:

User sits at 192.168.3.200. If they go to the internet, they get NATed with an outbound address of 74.54.8.8. If they need to access the SaaS application at 130.249.37.84, they are given a NATed address of 186.126.124.32

The problem is happening at the VPN user. A VPN user will log in (192.168.5.10), Split Tunneling is setup correctly so they can access the site,  same-security-traffic permit intra-interface has been configured on the ASA, and the Dynamic Policy for NAT has been setup for 192.168.0.0/16 for the 130.249.37.84 network.

When I read the debugging log viewer, I can see that internal clients (192.168.3.200) get:

Built outbound TCP connection 34563 for outside:130.249.37.84/80 (130.249.37.84/80) to inside:192.168.3.200/4500 (186.126.124.32/52287)

When a VPN user logs on and tries to access the site I get:

Built inbound TCP connection38524 for outside:192.168.5.10/3574 (192.168.5.10/3573) to outside:130.249.37.84/80 (130.249.37.84/80) username

How can I get the VPN user to get the NATed address to access the SaaS?

Thanks!

Labels:
0 Helpful
2 Replies 2

droeun141
Level 1
Level 1

‎04-28-2010 09:44 AM

Can you upload the config?

0 Helpful

foundationis
Level 1
Level 1
In response to droeun141

‎04-28-2010 11:06 AM

here ya go. alot of this is taken care of in ASDM so prepare for a mess. all IP addresses have been changed to match the ones in the thread.

thanks!

63886-running-config_IPs_removed.txt.zip
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents