NATting VPN traffic

Answered Question
Jul 1st, 2010

I just about have my VPN set up exactly like I need it. Users can connect to the VPN and get a 172.16.17.0/24 IP address. These users can then access machines hidden behind the ASA on the private 172.16.16.1/24 interface. Users on the 172.16.16.1 interface can also access any machine not on the private interface through the router using NAT. What I cannot figure out how to do is allow the VPN users to also access any machine not on the private interface through NAT on the router as well. Help would be appreciated.


ciscoasa# show route
Gateway of last resort is a.b.c.1 to network 0.0.0.0

C    172.16.16.0 255.255.254.0 is directly connected, igbprivate
S    172.16.17.20 255.255.255.255 [1/0] via a.b.c.189, igbpublic
C    a.b.c.0 255.255.252.0 is directly connected, igbpublic
C    192.168.1.0 255.255.255.0 is directly connected, management
S*   0.0.0.0 0.0.0.0 [1/0] via ak.b.c.124.1, igbpublic


Access list

access-list 101 line 1 extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0


NAT statements in running-config

global (igbpublic) 1 interface
nat (igbprivate) 0 access-list 101
nat (igbprivate) 1 0.0.0.0 0.0.0.0


I think what you are saying you want is for one VPN user to be able to access another VPN user. If that is the case then you would want to look into hairpinning. I believe this will work for you, but seeing as I am struggling with getting it to work myself I cannot help you. If you Google it you may find something that will lead you in the right direction.

Daniel Davidson Thu, 07/01/2010 - 11:09

Nope, not that. I have other machines that sit on the public side of this ASA, and I would like the 172.16.17.0/24 addresses of the VPN clients to be able to access these through NAT.

Daniel Davidson Thu, 07/01/2010 - 11:24

I physically have machines on the public side of the ASA, and the VPN users need to be able to send and receive traffic to/from them; I don't want to run a second cable to them for the private network.


Dan

Correct Answer

If your VPN users are connecting to the Public side of the ASA then I still think that hairpinning is what you should look into. It is very similar to my issue in which I want VPN users to access the internet through the VPN. The packets from the VPN users have to come in the Public interface and go directly back out. Hopefully I am understanding this correctly.
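As an added illustration of the hairpinning approach the answer above points at (this is not configuration from anyone in the thread), here is what the posted nat/global-style running-config is missing. It reuses the interface names (igbpublic, igbprivate) and the VPN pool (172.16.17.0/24) from the original post; the client address 172.16.17.5 and the public-side host a.b.c.50 in the packet-tracer line are assumed placeholders in the same anonymised a.b.c notation the post uses.

```cisco
! Added example, not from the thread. Pre-8.3 ASA NAT syntax (nat/global),
! matching the running-config shown in the question.

! --- As posted. VPN client packets arrive on igbpublic, but there is no
! nat statement for igbpublic, and by default the ASA will not forward a
! packet back out the interface it came in on.
global (igbpublic) 1 interface
nat (igbprivate) 0 access-list 101
nat (igbprivate) 1 0.0.0.0 0.0.0.0

! --- Added: let traffic enter and leave the same interface ("hairpin").
same-security-traffic permit intra-interface

! --- Added: PAT the VPN pool to the igbpublic interface address when it
! is routed back out igbpublic toward the hosts on a.b.c.0/22. The global
! for pool id 1 on igbpublic already exists above.
nat (igbpublic) 1 172.16.17.0 255.255.255.0

! --- Check from the ASA CLI (172.16.17.5 and a.b.c.50 are assumed
! placeholder addresses). A working hairpin ends with "Action: allow" and
! shows the NAT phase translating the source to the interface address.
packet-tracer input igbpublic tcp 172.16.17.5 1025 a.b.c.50 22
```

Two caveats worth knowing before turning this on. `same-security-traffic permit intra-interface` is interface-wide: once it is set, VPN clients can also reach each other and anything else routed via igbpublic (including the internet) through the ASA, not just the hosts on the public segment, so if that is unwanted, constrain the clients with a `vpn-filter` ACL in their group-policy. And these lines are for the nat/global syntax in the post; ASA 8.3 and later replaced it with object-based NAT, where the same intent is expressed differently.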
