Can ASA setup NAT for vpn local pool

Answered Question
Jun 1st, 2010

We have one remote ipsec tunnel group, the clients' address pool use 172.18.33.0/24 which setup from "ip local pool" command. The remote cliens have to use full ipsec tunnel.

Due to ip overlap or route issue, we would like NAT this local pool from 172.18.33.0 to 192.168.3.0 subnet when vpn users access certain subnet or servers through ASA's outside interface.  From what I understan the nat command mapping address from one interface to another interface. The vpn local pool doesn't behind any ASA physical interface. My question is can ASA setup policy NAT for vpn local pool.  If yes, how to setup this NAT.

Thanks

Haiying

I have this problem too.
0 votes
Correct Answer by Federico Coto F... about 6 years 6 months ago

Haiying,

access-list NAT_VPNClients permit ip 172.18.33.0 255.255.255.0 10.1.1.0 255.255.255.0

static (outside,outside) 192.168.33.0 access-list NAT_VPNClients

The above configuration will NAT 172.18.33.0/24 to 192.168.33.0/24 when going to 10.1.1.0/24  (assuming 10.1.1.0/24 is your servers subnet).

To allow the ASA to redirect traffic backout the same interface in which it receive it you also need the command:

same-security-traffic permit intra-interface

Federico.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Federico Coto F... Tue, 06/01/2010 - 12:40

Hi,

So the VPN clients will receive an IP from 172.18.33.0/24 but you want to NAT it to 192.168.3.0/24 correct?

Just a question...

Why don't just remove the pool and re-add it with the new range that you want to use?

Federico.

haiyingwei Tue, 06/01/2010 - 13:55

Federico

Thanks for your reply!

Yes, we want 172.18.33.0 nat to 192.168.3.0 when vpn clients access certain servers through asa outside interface. I am not sure if policy NAT can do this for vpn local pool.

Due to complicated routing and other reason, we can't remove 172.18.33.0 ip range from vpn local pool.

Haiying

Correct Answer
Federico Coto F... Tue, 06/01/2010 - 16:55

Haiying,

access-list NAT_VPNClients permit ip 172.18.33.0 255.255.255.0 10.1.1.0 255.255.255.0

static (outside,outside) 192.168.33.0 access-list NAT_VPNClients

The above configuration will NAT 172.18.33.0/24 to 192.168.33.0/24 when going to 10.1.1.0/24  (assuming 10.1.1.0/24 is your servers subnet).

To allow the ASA to redirect traffic backout the same interface in which it receive it you also need the command:

same-security-traffic permit intra-interface

Federico.

haiyingwei Wed, 06/02/2010 - 08:26

Federico;

I just did test with these static command.  It works perfect as we want.

Thanks very much for your help!

Haiying

Federico Coto F... Wed, 06/02/2010 - 08:34

Haiying,

I'm very glad to hear that is working.

If you find the threat helpful please rate it and mark it as answered for future searches.

Cheers,

Federico.

Actions

This Discussion