natting vpn traffic

Daniel Davidson
Level 1

I about have my VPN set up exactly like I need it. Users can connect to the VPN and get a 172.16.17.0/24 IP address. These users can then access machines hidden behind the ASA on the private 172.16.16.1/24 interface. Users on the 172.16.16.1 interface can also access any machine not on the private interface through the router using NAT. What I cannot figure out how to do is to allow the VPN users to also access any machine not on the private interface through NAT on the router as well. Help would be appreciated.

ciscoasa# show route
Gateway of last resort is a.b.c.1 to network 0.0.0.0

C    172.16.16.0 255.255.254.0 is directly connected, igbprivate
S    172.16.17.20 255.255.255.255 [1/0] via a.b.c.189, igbpublic
C    a.b.c.0 255.255.252.0 is directly connected, igbpublic
C    192.168.1.0 255.255.255.0 is directly connected, management
S*   0.0.0.0 0.0.0.0 [1/0] via ak.b.c.124.1, igbpublic

access list

access-list 101 line 1 extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0

nat statements in running-config

global (igbpublic) 1 interface
nat (igbprivate) 0 access-list 101
nat (igbprivate) 1 0.0.0.0 0.0.0.0


mishap
Level 1

I think what you are saying you want is for one VPN user to be able to access another VPN user. If that is the case then you would want to look into hairpinning. I believe this will work for you, but seeing as I am struggling with getting it to work myself I cannot help you. If you Google it you may find something that will lead you in the right direction.

Nope, not that. I have other machines that sit on the public side of this ASA, and I would like the 172.16.17.0/24 addresses of the VPN clients to be able to access these through NAT.

Are they physically on the other side of the ASA or are you just trying to access the Public names of machines actually located on the internal network?

I physically have machines on the public side of the ASA, and the VPN users need to be able to send and receive traffic to/from them; I don't want to run a second cable to them for the private network.

Dan

If your VPN users are connecting to the public side of the ASA then I still think that hairpinning is what you should look into. It is very similar to my issue in which I want VPN users to access the internet through the VPN. The packets from the VPN users have to come in the public interface and go directly back out. Hopefully I am understanding this correctly.

This comment along with:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml

was enough to get me going. Essentially I needed the two commands:

same-security-traffic permit intra-interface

nat (igbpublic) 1 172.16.17.0 255.255.255.0

then it roared to life. Thanks for the help.

Dan
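The two commands above, placed in the context of the rest of the configuration shown in this thread, as an added example that is not part of Dan's post or of the Cisco document he links. The first block is the pre-8.3 configuration assembled from the statements quoted earlier in the thread plus the two additions; the second is the 8.3+ equivalent (the global/nat-id syntax was removed in 8.3, which is the adaptation the last reply refers to), and the object names VPN-POOL and PRIVATE-LAN in it are my own. Two things make the hairpin work: same-security-traffic permit intra-interface lets a packet that arrived on igbpublic (the decrypted VPN traffic) leave through igbpublic again, and PAT of the 172.16.17.0/24 pool to the igbpublic interface address means the hosts on a.b.c.0/22, which have no route back to the VPN pool, reply to the ASA's own address instead of sending the reply toward their default gateway.

```text
! ---- ASA 8.2 and earlier (global / nat-id syntax, as used in this thread) ----
! Allow a flow to enter and leave on the same interface (required for hairpinning)
same-security-traffic permit intra-interface

! NAT exemption: private LAN <-> VPN pool must not be translated
access-list 101 extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0
nat (igbprivate) 0 access-list 101

! PAT everything leaving igbpublic to the interface address
global (igbpublic) 1 interface
nat (igbprivate) 1 0.0.0.0 0.0.0.0
! The added rule: VPN clients that entered on igbpublic are PATed as well when they
! hairpin back out igbpublic, so a.b.c.x hosts reply to the ASA, not to 172.16.17.x
nat (igbpublic) 1 172.16.17.0 255.255.255.0

! ---- ASA 8.3 and later (object NAT / twice NAT; object names are assumed) ----
same-security-traffic permit intra-interface

object network PRIVATE-LAN
 subnet 172.16.16.0 255.255.255.0
 nat (igbprivate,igbpublic) dynamic interface

object network VPN-POOL
 subnet 172.16.17.0 255.255.255.0
 nat (igbpublic,igbpublic) dynamic interface

! Identity (exemption) rule: twice NAT in section 1 is evaluated before the
! object NAT rules above, so LAN <-> VPN traffic stays untranslated
nat (igbprivate,igbpublic) source static PRIVATE-LAN PRIVATE-LAN destination static VPN-POOL VPN-POOL
```

To check the result, run packet-tracer input igbpublic tcp 172.16.17.10 12345 a.b.c.50 443 (client and server addresses are placeholders) and confirm the NAT phase shows the 172.16.17.10 source translated to the igbpublic interface address, then watch show xlate while a VPN client connects. One caveat a practitioner should keep in mind: decrypted VPN traffic bypasses the interface ACLs by default (sysopt connection permit-vpn), so once intra-interface traffic is permitted and the pool is PATed, VPN clients can reach every host on the a.b.c.0/22 segment, and the internet beyond it, unless a vpn-filter in the group policy or a split-tunnel policy limits what they may send into the tunnel.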

No Problem, glad I could help.

I thought you would like to know between your commands and the link you posted I was finally able to wrap my head around what was supposed to happen. Then with a little more fiddling I was able to adapt that to 8.3. Thanks for posting a detailed resolution.
