Multiple NAT (DMZ) 0 Access list statement

andresitotubia
Level 1

Hello,

I'm having a problem with remote VPNs. The scenario is this:

I have a few clients that connect remotely via VPN. Until today only one of them needed access to my DMZ. But now I want another one, with a different profile (because it is a new client), to access one of my servers in the DMZ.

So I declared all the VPN settings and the ACL, but when I try to declare nat (dmz) 2 access-list newclient it doesn't work. If I declare nat (dmz) 0 access-list newclient it works, BUT it deletes the previous nat 0 that my other client has. Is there a way to create multiple nat (dmz) 0 access-list statements? If not, how could I resolve this problem?

This is my config:

access-list vpnashi extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0
access-list vpnashi extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28
access-list vpnlati extended permit ip host 192.168.16.50 192.168.125.0 255.255.255.0
access-list vpnlati extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.50

ip local pool ippool 192.168.125.10-192.168.125.254
global (outside) 1 interface
global (outside) 2 200.32.97.254
nat (outside) 1 192.168.125.0 255.255.255.0
nat (inside) 0 access-list vpnas
nat (inside) 2 access-list ACL-NAT-LIM
nat (inside) 3 access-list vpnwip
nat (inside) 4 access-list vpnashi
nat (inside) 5 access-list vpnlati
nat (inside) 1 0.0.0.0 0.0.0.0
nat (wifi) 2 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list vpnashi
nat (dmz) 1 192.168.16.0 255.255.255.0
nat (dmz) 2 access-list vpnlati
group-policy RA-ASHI internal
group-policy RA-ASHI attributes
dns-server value 172.16.1.100
vpn-idle-timeout 30
vpn-filter value vpnashi
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
group-policy RA-LATI internal
group-policy RA-LATI attributes
dns-server value 172.16.1.100
vpn-idle-timeout 30
vpn-filter value vpnlati
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
tunnel-group RA-ASHI type remote-access
tunnel-group RA-ASHI general-attributes
address-pool ippool
authentication-server-group (outside) partnerauth
default-group-policy RA-ASHI
tunnel-group RA-ASHI ipsec-attributes
pre-shared-key *
tunnel-group RA-LATI type remote-access
tunnel-group RA-LATI general-attributes
address-pool ippool
authentication-server-group (outside) partnerauth
default-group-policy RA-LATI
tunnel-group RA-LATI ipsec-attributes
pre-shared-key *


6 Replies

jj27
Spotlight

What is your access-list for your 'newclient'? What is the IP Space?


If I understand what you want to do correctly, you can just do the following.

Add more ACEs to your ACL vpnashi, which is the current nat 0 access-list for the DMZ interface.

So, add the last two lines below to your existing access-list. Replace x.x.x.x with the new VPN subnet and y.y.y.y with the subnet mask of that subnet.

access-list vpnashi extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0
access-list vpnashi extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28
access-list vpnashi extended permit ip host 192.168.16.28 x.x.x.x y.y.y.y
access-list vpnashi extended permit ip x.x.x.x y.y.y.y host 192.168.16.28

jjohnston,

The new client is vpnlati. vpnashi is another client and is working perfectly, but I don't want to create new ACEs under that one because it is a different client and I want to create different profiles for Cisco remote VPNs.

If I put in the config:

nat (dmz) 0 access-list vpnlati

it starts to work perfectly, but vpnashi disappears.

That's why my question is whether there is a way to add multiple nat (dmz) 0 access-list statements,

or how I could resolve this issue.

Regards.

Amir


andre,

You can only have one NAT exempt access-list per interface (nat 0 rule).  I understand what you are trying to accomplish.  You are using the access-list vpnashi and vpnlati to control access to devices for different clients through VPN group policies.

What I do is this:

Create an ACL for the VPN client (which you have, with vpnashi and vpnlati)
Create an ACL for NAT exemption for the interface (nonat-inside, nonat-dmz, etc.).

Create ACEs inside the NAT exempt ACL that matches your VPN client access-list.

It is ok to have multiple statements inside of a NAT exempt access-list.  Doing so will not allow one VPN client to have access to things it shouldn't.

For example:

access-list nonat-dmz extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0
access-list nonat-dmz extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28
nat (dmz) 0 access-list nonat-dmz

Hi andre,

I understand your concerns here. The problem is that you are using the same ACL for NAT exemption and split tunneling.

Do one thing:

Keep the vpnashi and vpnlati ACLs as they are, since you are using them for split tunneling.

Now make a new access-list nonat_dmz and include the internal network to the VPN pool IPs. This will let you achieve what you need.

Here are the ACLs you need:

nonat_dmz

access-list nonat_dmz extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0
access-list nonat_dmz extended permit ip host 192.168.16.50 192.168.125.0 255.255.255.0

no nat (dmz) 0 access-list vpnashi
nat (dmz) 0 access-list nonat_dmz

This should fix the issue at hand.
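The two accepted answers above make the same point: one interface gets exactly one nat 0 access-list, so the exemption ACL must be a dedicated, cumulative list and must not be the per-client vpn-filter ACL. The script below is an added example, not code from the thread or from Cisco. It is a small linter for the pre-8.3 ASA syntax (nat (iface) 0 access-list NAME; 8.3 and later replaced this with object/twice NAT and it does not apply there). It parses permit-ip ACEs, nat 0 lines and vpn-filter references, then (1) flags an interface that has more than one nat 0 line in a candidate config, since the ASA keeps only the last one typed and the earlier exemption silently disappears, (2) flags a nat 0 ACL that doubles as a vpn-filter, and (3) lists the vpn-filter endpoint pairs on a given interface's network that the effective exemption ACL does not cover. Both config strings are constructed for the example from the thread's config; the function names and the iface_net parameter are the example's own.

```python
"""Lint a pre-8.3 Cisco ASA config for nat-exemption pitfalls (added example)."""
import ipaddress
import re
from collections import defaultdict

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")
NAT0_RE = re.compile(r"^nat\s+\(([^)]+)\)\s+0\s+access-list\s+(\S+)")
VPN_FILTER_RE = re.compile(r"^vpn-filter\s+value\s+(\S+)")

# Constructed "before" config: what the original poster tried to type.
BROKEN_CONFIG = """\
access-list vpnashi extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0
access-list vpnashi extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28
access-list vpnlati extended permit ip host 192.168.16.50 192.168.125.0 255.255.255.0
access-list vpnlati extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.50
nat (dmz) 0 access-list vpnashi
nat (dmz) 1 192.168.16.0 255.255.255.0
nat (dmz) 0 access-list vpnlati
group-policy RA-ASHI attributes
 vpn-filter value vpnashi
group-policy RA-LATI attributes
 vpn-filter value vpnlati
"""

# Constructed "after" config: a dedicated exemption ACL, as in the accepted answers.
FIXED_CONFIG = """\
access-list vpnashi extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0
access-list vpnashi extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28
access-list vpnlati extended permit ip host 192.168.16.50 192.168.125.0 255.255.255.0
access-list vpnlati extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.50
access-list nonat_dmz extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0
access-list nonat_dmz extended permit ip host 192.168.16.50 192.168.125.0 255.255.255.0
nat (dmz) 0 access-list nonat_dmz
nat (dmz) 1 192.168.16.0 255.255.255.0
group-policy RA-ASHI attributes
 vpn-filter value vpnashi
group-policy RA-LATI attributes
 vpn-filter value vpnlati
"""


def _endpoint(tokens):
    """Consume one ACE endpoint ('any', 'host A' or 'A MASK'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return (acls: name -> [(src, dst)], nat0: iface -> [acl names in order], vpn-filter names)."""
    acls, nat0, filters = defaultdict(list), defaultdict(list), set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            src, rest = _endpoint(m.group(2).split())
            dst, _ = _endpoint(rest)
            acls[m.group(1)].append((src, dst))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)].append(m.group(2))  # order matters: the ASA keeps the last one
        elif m := VPN_FILTER_RE.match(line):
            filters.add(m.group(1))
    return acls, nat0, filters


def lint(text):
    """Human-readable findings: duplicate nat 0 per interface, and nat 0 ACLs reused as vpn-filters."""
    _, nat0, filters = parse_config(text)
    findings = []
    for iface, names in nat0.items():
        if len(names) > 1:
            findings.append(f"{iface}: {len(names)} 'nat ({iface}) 0 access-list' lines "
                            f"({', '.join(names)}); only the last, {names[-1]}, stays in effect")
        for name in names:
            if name in filters:
                findings.append(f"{iface}: exemption ACL {name} is also a vpn-filter; "
                                f"use a dedicated nonat ACL instead")
    return findings


def uncovered_pairs(text, iface, iface_net):
    """Endpoint pairs permitted by any vpn-filter ACL that touch iface_net but are not exempted
    by the interface's effective nat 0 ACL. Pairs are unordered: NAT exemption is bidirectional."""
    acls, nat0, filters = parse_config(text)
    net = ipaddress.ip_network(iface_net)
    effective = nat0[iface][-1] if nat0.get(iface) else None
    exempt = {frozenset(p) for p in acls.get(effective, [])}
    wanted = {frozenset(p) for f in filters for p in acls.get(f, [])
              if any(n.overlaps(net) for n in p)}
    return sorted(tuple(sorted(str(n) for n in p)) for p in wanted - exempt)


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg), uncovered_pairs(cfg, "dmz", "192.168.16.0/24"))
```

Run it against a change you are about to paste, not against the running config: the ASA itself never shows two nat 0 lines for one interface, which is exactly why the first client's exemption vanished without any error. On the broken config the linter reports the duplicate nat 0 and the two reused vpn-filter ACLs, and shows that host 192.168.16.28 to the pool is no longer exempted; on the fixed config it reports nothing.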

Thank you so much, guys! I created the nonat ACL and it works perfectly.

Glad it worked tc
