Need help figuring out how to set up AnyConnect VPN with the VPN client NATed into the internal network.
There are a lot of articles about the opposite: how to disable NAT for the VPN pool.
I need to create a VPN gateway to a complex internal network; the VPN pool is outside the regular subnet range of that network, so there will be routing issues without NAT.
So I need VPN clients connected to <outside> to be PATed to <inside>. The problem is that there's also a dynamic PAT rule from <inside> to <outside> for regular Internet access, which results in an "Asymmetric NAT rules..." error.
Creating different Twice NAT rules and moving them to the top/bottom doesn't make any difference. There are also some hidden rules from the VPN setup :-( which can't be seen.
v8.3 seems to be trying to destroy confidence in Cisco firewalls...
Something like this works for me.
192.168.0.0/24 --- Router --- 172.16.0.0/24 --- ASA ==== cloud ==== Host. (Inside the tunnel it gets an IP address from the "OVER" pool, which is also connected on the inside.)
bsns-asa5520-10(config)# clear xlate
INFO: 762 xlates deleted
bsns-asa5520-10(config)# sh run nat
nat (inside,outside) source static any any destination static SHARED SHARED
nat (inside,outside) after-auto source dynamic any interface
bsns-asa5520-10(config)# sh run object network
object network LOCAL_NETWORK
 subnet 192.168.0.0 255.255.255.0
object network SHARED
 subnet 172.16.0.0 255.255.255.0
bsns-asa5520-10(config)# sh run ip local pool
ip local pool ANY 10.0.0.100-10.0.0.200
ip local pool OVER 172.16.0.100-172.16.0.155
bsns-asa5520-10(config)# sh run tunne
bsns-asa5520-10(config)# sh run tunnel-group
tunnel-group DefaultWEBVPNGroup general-attributes
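Why the configuration above works, as an added illustration (this is not Cisco code and not part of the reply): a toy model of ASA 8.3+ NAT rule precedence. Section 1 manual twice NAT rules are evaluated first and are bidirectional, so the identity rule for traffic to SHARED shadows the one-way dynamic PAT in section 3 (after-auto) for VPN-client flows, while Internet-bound flows still hit the PAT. With the identity rule removed, the reply from an inside host to a VPN client is caught by the PAT rule and the flow becomes the "Asymmetric NAT rules" case from the question. The outside interface address 203.0.113.1, the inside host 192.168.0.10 and the Internet host 198.51.100.7 are constructed for the example; the model ignores ports, object NAT (section 2) and the hidden VPN rules.

```python
"""Toy model of ASA 8.3+ NAT rule precedence (constructed example, not Cisco code).

Section 1: manual (twice) NAT, in configured order, bidirectional
Section 2: auto (object) NAT                   -- none in this example
Section 3: manual NAT configured 'after-auto'  -- the dynamic PAT, one-way
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
SHARED = ipaddress.ip_network("172.16.0.0/24")      # object network SHARED from the reply
IFACE_IP = {"outside": "203.0.113.1"}               # constructed outside interface address


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int
    src_if: str
    dst_if: str
    real_src: ipaddress.IPv4Network
    real_dst: ipaddress.IPv4Network
    kind: str            # "identity": addresses unchanged; "pat": source -> egress interface IP
    bidirectional: bool  # twice NAT statics apply both ways, dynamic PAT only inside->outside


def build_rules(with_identity_rule: bool) -> List[NatRule]:
    """Rule set from the reply, with or without the section-1 identity rule."""
    rules = []
    if with_identity_rule:
        # nat (inside,outside) source static any any destination static SHARED SHARED
        rules.append(NatRule("identity-to-SHARED", 1, "inside", "outside", ANY, SHARED, "identity", True))
    # nat (inside,outside) after-auto source dynamic any interface
    rules.append(NatRule("dynamic-PAT", 3, "inside", "outside", ANY, ANY, "pat", False))
    return rules


def lookup(rules: List[NatRule], ingress_if: str, src: str, dst: str) -> Optional[NatRule]:
    """First matching rule in section order; the stable sort keeps configured order within a section."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.section):
        forward = ingress_if == rule.src_if and s in rule.real_src and d in rule.real_dst
        reverse = (rule.bidirectional and ingress_if == rule.dst_if
                   and s in rule.real_dst and d in rule.real_src)
        if forward or reverse:
            return rule
    return None


def mapped_source(rules: List[NatRule], ingress_if: str, src: str, dst: str) -> Tuple[Optional[str], str]:
    """(rule name, source address after translation) for a packet entering ingress_if."""
    rule = lookup(rules, ingress_if, src, dst)
    if rule is None or rule.kind == "identity":
        return (rule.name if rule else None, src)
    egress_if = rule.dst_if if ingress_if == rule.src_if else rule.src_if
    return (rule.name, IFACE_IP[egress_if])


def flow_is_symmetric(rules: List[NatRule], ingress_if: str, egress_if: str, src: str, dst: str) -> bool:
    """Simplified version of the ASA check that otherwise drops the packet as
    'Asymmetric NAT rules matched for forward and reverse flows': the reply from
    dst must not be re-translated by a rule other than the one the initiator hit."""
    fwd_rule = lookup(rules, ingress_if, src, dst)
    rev_rule = lookup(rules, egress_if, dst, src)
    _, rev_src = mapped_source(rules, egress_if, dst, src)
    # The initiator addressed 'dst' directly, so the reply must still come from 'dst'
    # and must not be picked up by a different NAT rule on the way back.
    return rev_src == dst and (rev_rule is None or rev_rule == fwd_rule)


if __name__ == "__main__":
    vpn_client, inside_host, internet_host = "172.16.0.120", "192.168.0.10", "198.51.100.7"
    for label, rules in (("without identity rule", build_rules(False)),
                         ("with identity rule", build_rules(True))):
        print(label)
        print("  VPN client -> inside host symmetric:", flow_is_symmetric(rules, "outside", "inside", vpn_client, inside_host))
        print("  inside host -> Internet mapped src:  ", mapped_source(rules, "inside", inside_host, internet_host))
```

The same ordering logic explains the question's symptom: moving twice NAT rules around within section 1 changes nothing if none of them actually matches the reply direction of the VPN flow, and the after-auto PAT keeps catching it.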
If I catch your drift... bridging inside and outside is not really needed on Cisco equipment, as it should work via proxy ARP straight out of the box, but I'm not familiar with either vendor's solution for remote access.