Can ASA set up NAT for VPN local pool

Answered Question
Jun 1st, 2010

We have one remote IPsec tunnel group; the clients' address pool uses 172.18.33.0/24, which is set up with the "ip local pool" command. The remote clients have to use a full IPsec tunnel.

Due to IP overlap or routing issues, we would like to NAT this local pool from 172.18.33.0 to the 192.168.3.0 subnet when VPN users access certain subnets or servers through the ASA's outside interface. From what I understand, the nat command maps addresses from one interface to another interface. The VPN local pool isn't behind any ASA physical interface. My question is: can the ASA set up policy NAT for the VPN local pool? If yes, how do I set up this NAT?


Thanks

Haiying

Federico Coto F... Tue, 06/01/2010 - 12:40

Hi,


So the VPN clients will receive an IP from 172.18.33.0/24, but you want to NAT it to 192.168.3.0/24, correct?


Just a question...

Why not just remove the pool and re-add it with the new range that you want to use?


Federico.

haiyingwei Tue, 06/01/2010 - 13:55

Federico,


Thanks for your reply!


Yes, we want 172.18.33.0 NATed to 192.168.3.0 when VPN clients access certain servers through the ASA outside interface. I am not sure if policy NAT can do this for a VPN local pool.


Due to complicated routing and other reasons, we can't remove the 172.18.33.0 IP range from the VPN local pool.


Haiying

Correct Answer
Federico Coto F... Tue, 06/01/2010 - 16:55

Haiying,


access-list NAT_VPNClients permit ip 172.18.33.0 255.255.255.0 10.1.1.0 255.255.255.0

static (outside,outside) 192.168.33.0 access-list NAT_VPNClients


The above configuration will NAT 172.18.33.0/24 to 192.168.33.0/24 when going to 10.1.1.0/24 (assuming 10.1.1.0/24 is your servers' subnet).


To allow the ASA to redirect traffic back out the same interface on which it received it, you also need the command:

same-security-traffic permit intra-interface


Federico.
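The accepted answer above uses the ASA 8.2-and-earlier policy static NAT syntax. As an added example (not part of the original thread), here is that configuration written out in full, next to the equivalent manual (twice) NAT rule for ASA 8.3 and later, followed by the commands used to verify the translation. It keeps the answer's values (real pool 172.18.33.0/24, mapped pool 192.168.33.0/24, server subnet 10.1.1.0/24); the object names, the client host 172.18.33.10 and the server host 10.1.1.5 are assumptions.

```cisco
! Added example, not from the original thread. Object names and the
! packet-tracer host addresses are assumptions; the subnets are the answer's.
!
! --- ASA 8.2 and earlier: policy static NAT (what the accepted answer shows) ---
! Hairpin: decrypted VPN traffic enters on "outside" and leaves on "outside".
same-security-traffic permit intra-interface
! Translate the pool only when the destination is the server subnet.
access-list NAT_VPNClients permit ip 172.18.33.0 255.255.255.0 10.1.1.0 255.255.255.0
! static (real_ifc,mapped_ifc) mapped_net access-list <acl>; both are "outside"
! because the VPN pool sits behind no physical interface.
static (outside,outside) 192.168.33.0 access-list NAT_VPNClients
!
! --- ASA 8.3 and later: the same rule as manual (twice) NAT ---
same-security-traffic permit intra-interface
object network VPN_POOL
 subnet 172.18.33.0 255.255.255.0
object network VPN_POOL_MAPPED
 subnet 192.168.33.0 255.255.255.0
object network SERVERS
 subnet 10.1.1.0 255.255.255.0
! Source 172.18.33.x -> 192.168.33.x only when the destination is SERVERS;
! the destination itself is left unchanged (SERVERS -> SERVERS).
nat (outside,outside) source static VPN_POOL VPN_POOL_MAPPED destination static SERVERS SERVERS
!
! --- Verification (either version) ---
! Walk an assumed client 172.18.33.10 reaching an assumed server 10.1.1.5 on
! TCP 443 through the decrypted-packet path: the NAT phase should show
! 172.18.33.10 translated to 192.168.33.10 and the final result ALLOW.
packet-tracer input outside tcp 172.18.33.10 12345 10.1.1.5 443 detailed
! Active translations once real traffic has flowed:
show xlate
! 8.3+ only: per-rule hit counters, to confirm the rule is actually matched.
show nat detail
```

Two checks worth doing before calling this done. First, the translation is static and therefore bidirectional, so the server side must route 192.168.33.0/24 back to the ASA outside interface or the return traffic never arrives. Second, packet-tracer with a source in the VPN pool but no matching VPN session may show a DROP in the VPN phase rather than in the NAT phase; read the NAT line, not just the final verdict, when the tunnel is not up.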

haiyingwei Wed, 06/02/2010 - 08:26

Federico,


I just tested with these static commands. It works perfectly, as we wanted.


Thanks very much for your help!


Haiying

Federico Coto F... Wed, 06/02/2010 - 08:34

Haiying,


I'm very glad to hear that it is working.

If you find the thread helpful, please rate it and mark it as answered for future searches.


Cheers,


Federico.
