
ASA 8.4 nonat of vpn pool

tato386 (Level 6)

I am using a range of IPs from my inside LAN for my IPSec VPN clients.  For example my inside network is 172.16.1.0/24 and I have a pool setup like this:  ip local pool vpnpool 172.16.1.200-172.16.1.210 mask 255.255.255.0.

Before the upgrade to 8.4 it was working and now it isn't.  Clients can connect and pick up an IP but can't communicate with the inside LAN.  I think I have to do manual NAT to nonat this range.  So I want to try the following:

object network obj-vpnpool
  range 172.16.1.200 172.16.1.210
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool

However there are two things preventing me from doing this:

1) When I try to create obj-vpnpool I get an error stating that this object overlaps with local pool

2) Even if I create the obj-vpnpool with a non-overlapping range, when in the VPN config I don't have an option for selecting obj-vpnpool.

Any ideas?

Thanks,

Diego


14 Replies

Jennifer Halim (Cisco Employee)

ip pool should be unique and not in the same subnet as the LAN subnet.

Please make the necessary change on the IP pool so that it is on a unique subnet and make the corresponding changes on the NAT exemption, and it should resolve your issue.

I can do that but I don't see how that will help.  If I use a unique subnet I will still have the problem of the network object overlapping the vpnpool.  If it overlaps then I won't be able to exclude it from NAT. And if I create a new network object I won't be able to add it to the VPN policy.  So I would still have both problems.

Besides it was working pre 8.4 upgrade.  I don't think this is a routing issue.  I believe it is a NAT issue.

Sorry, I don't understand: how does configuring a unique subnet cause overlapping? It should be unique, so it shouldn't overlap.

Eg:

ip local pool vpnpool 192.168.1.200-192.168.1.210 mask 255.255.255.0

object network obj-lan
  subnet 172.16.1.0 255.255.255.0

object network obj-vpnpool
  subnet 192.168.1.0 255.255.255.0

nat (inside,outside) 1 source static obj-lan obj-lan destination static obj-vpnpool obj-vpnpool

I think I got the overlap when I tried to create the object using range rather than subnet.  Let me try your suggestion and I will let you know.

Thanks,

Diego

OK, tried your suggestions but still no joy.  I did a packet-tracer and it shows that packets going from Inside to VPN are being NATed by the PAT.  Here is the current config.

ip local pool VPN1 192.168.72.1-192.168.72.254 mask 255.255.255.0

object network VPNSubnet
  subnet 192.168.72.0 255.255.255.0

object network InsideSubnet
  subnet 10.72.160.0 255.255.255.0

nat (inside,Fiber) source static InsideSubnet InsideSubnet destination static VPNSubnet VPNSubnet no-proxy-arp route-lookup

nat (inside,Fiber) source dynamic any interface

Manual NAT Policies (Section 1)
1 (inside) to (Fiber) source static InsideSubnet InsideSubnet   destination static VPNSubnet VPNSubnet no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 9
2 (inside) to (Fiber) source dynamic any interface
    translate_hits = 335237, untranslate_hits = 28444

Did you "clear xlate" after making the changes?

Also, can you try from the VPN client itself?

object network dhclpvpn-pool
  subnet 192.168.10.0 255.255.255.0

nat (inside,outside) 1 source static any any destination static dhclpvpn-pool dhclpvpn-pool

*Note: Due to bug CSCtf89372, I use the "1" in the command above to put the NAT exemption statement at the top of all my NAT statements.

Seems like I got it working.  Not sure if it was that I missed the "1" in the identity NAT command or maybe I needed to do a "clear xlate".

Anyhow, how can I take this a step further.  I would like to make sure that no private IP to private IP combination gets NATed.  This would mean any combination of source-destination that includes 192.168.0.0/16 or 10.0.0.0/8.

Is there a simple way to do this?

Thanks,

Diego

Can you please advise the interface that each subnet is connected to and also the security level of those interfaces.

I have about one dozen private networks all behind interface "inside" at security level 100.  I plan to have VPN tunnels going out through two interfaces called "outside1" and "outside2" at security level 0 to several other private networks.  In the past I have used an ACL with all the combinations of source and destination using the 192.168.0.0/16 and 10.0.0.0/8 IP ranges.  I would like to mimic that with the new NAT architecture so that I don't have to edit objects or ACLs when a new private subnet is connected to our VPN WAN.

Thanks,

Diego

You can create an object-group and keep adding objects to the object-group referenced in your NAT configuration.

Eg:

object network obj-10.10.10.0
  subnet 10.10.10.0 255.255.255.0

object network obj-192.168.10.0
  subnet 192.168.10.0 255.255.255.0

object-group network local-vpn-group
  network-object object obj-10.10.10.0

object-group network remote-vpn-group
  network-object object obj-192.168.10.0

! 8.3+ manual NAT keyword order is "source static ... destination static ...",
! corrected here from the original "static source ... static destination ..."
nat (inside,outside) source static local-vpn-group local-vpn-group destination static remote-vpn-group remote-vpn-group

Say, for example, you need to add 10.10.20.0/24 to the local subnets; you can just add the following:

object network obj-10.10.20.0
  subnet 10.10.20.0 255.255.255.0

object-group network local-vpn-group
  network-object object obj-10.10.20.0

Oh, BTW, you can't have 2 default routes pointing towards 2 different interfaces. This is not supported on the ASA. If this ASA is just for LAN-to-LAN VPN, you can configure 1 default route towards Outside1, for example, and configure static routes towards Outside2 (you just have to add the peer address and remote VPN subnets in the static routes towards Outside2).

Hope that helps.

I was thinking something a little more comprehensive.  What do you think of something like this:

object network PrivateNet_172_16
subnet 172.16.0.0 255.240.0.0

object network PrivateNet_10
subnet 10.0.0.0 255.0.0.0

object network PrivateNet_192_168
subnet 192.168.0.0 255.255.0.0

object-group network Private_Networks
network-object object PrivateNet_10
network-object object PrivateNet_172_16
network-object object PrivateNet_192_168

nat (inside,outside) source static Private_Networks Private_Networks destination static Private_Networks Private_Networks

Think it would work?

Thanks,

Diego
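Two points in this thread come down to the same mechanism: Section 1 manual (twice) NAT on ASA 8.3+ is evaluated top to bottom, first match wins, so an identity rule appended after "source dynamic any interface" never fires for inside-to-pool traffic (hence the "1" position argument above), and object-groups such as Private_Networks are just sets of prefixes the matcher resolves. The following Python model, added here as an illustration and not code from the thread or from Cisco, replays both: it builds the objects and groups from the thread, inserts rules with and without a position argument, and reports which rule a given source/destination pair hits. The outside interface address 203.0.113.10, the flow addresses, and the simplified "identity or interface PAT" outcomes are assumptions; it does not model xlate state, Section 2/3 rules, routing, or ASA's own overlap checks, so it shows rule selection only, not whether a configuration is accepted by the box.

```python
"""Model of ASA 8.3+ Section 1 manual NAT first-match lookup (added example).

Objects, groups and addresses are constructed from the thread; the outside
interface address and the flows below are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Network objects as "object network <name> / subnet ..." on the thread.
OBJECTS = {
    "any": ["0.0.0.0/0"],
    "InsideSubnet": ["10.72.160.0/24"],
    "VPNSubnet": ["192.168.72.0/24"],
    "PrivateNet_10": ["10.0.0.0/8"],
    "PrivateNet_172_16": ["172.16.0.0/12"],
    "PrivateNet_192_168": ["192.168.0.0/16"],
}
# "object-group network <name>" with "network-object object <member>" lines.
GROUPS = {
    "Private_Networks": ["PrivateNet_10", "PrivateNet_172_16", "PrivateNet_192_168"],
}
OUTSIDE_IF = "203.0.113.10"   # assumed outside (Fiber) interface address for "interface" PAT


def resolve(name):
    """Expand an object or object-group name into its list of prefixes."""
    if name in GROUPS:
        nets = []
        for member_name in GROUPS[name]:
            nets.extend(resolve(member_name))
        return nets
    return [ip_network(p) for p in OBJECTS[name]]


def member(name, addr):
    """True if addr falls inside any prefix the object/group resolves to."""
    a = ip_address(addr)
    return any(a in net for net in resolve(name))


@dataclass(frozen=True)
class NatRule:
    src: str                 # real source object/group
    mapped_src: str          # same name for identity NAT, "interface" for PAT
    dst: str = "any"         # real destination; omitted destination means any

    def __str__(self):
        if self.mapped_src == "interface":
            return f"source dynamic {self.src} interface"
        return f"source static {self.src} {self.mapped_src} destination static {self.dst} {self.dst}"


def add_rule(policy, rule, position=None):
    """Model 'nat (inside,outside) [N] ...': no N appends to the end of
    Section 1, N inserts at that 1-based line (the '1' trick in the thread)."""
    policy = list(policy)
    if position is None:
        policy.append(rule)
    else:
        policy.insert(position - 1, rule)
    return policy


def lookup(policy, src_ip, dst_ip):
    """First-match walk of Section 1; returns (line_number, rule) or (None, None)."""
    for line, rule in enumerate(policy, 1):
        if member(rule.src, src_ip) and member(rule.dst, dst_ip):
            return line, rule
    return None, None


def translate(policy, src_ip, dst_ip):
    """Mapped source address for the flow: unchanged for identity NAT,
    the interface address for 'interface' PAT, unchanged if nothing matches."""
    _, rule = lookup(policy, src_ip, dst_ip)
    if rule is None or rule.mapped_src != "interface":
        return src_ip
    return OUTSIDE_IF


PAT = NatRule("any", "interface")
IDENTITY = NatRule("InsideSubnet", "InsideSubnet", "VPNSubnet")
PRIVATE = NatRule("Private_Networks", "Private_Networks", "Private_Networks")


def packet_tracer(policy, src_ip, dst_ip):
    line, rule = lookup(policy, src_ip, dst_ip)
    hit = f"line {line}: {rule}" if rule else "no Section 1 match"
    return f"{src_ip} -> {dst_ip}: {hit}; mapped source {translate(policy, src_ip, dst_ip)}"


if __name__ == "__main__":
    # Exemption added after the PAT rule (no position argument): PAT wins.
    appended = add_rule(add_rule([], PAT), IDENTITY)
    # Exemption inserted with "1": it sits above the PAT rule and wins.
    on_top = add_rule(add_rule([], PAT), IDENTITY, position=1)
    # Diego's broad private-to-private exemption, also inserted at line 1.
    broad = add_rule(add_rule([], PAT), PRIVATE, position=1)
    for pol in (appended, on_top):
        print(packet_tracer(pol, "10.72.160.5", "192.168.72.7"))
    print(packet_tracer(broad, "10.1.2.3", "172.20.0.9"))
    print(packet_tracer(broad, "10.1.2.3", "8.8.8.8"))
```

The model makes the ordering failure concrete: with the identity rule appended, an inside-to-pool flow matches "source dynamic any interface" first and gets the interface address; with the rule at line 1 the same flow keeps its real address. Internet-bound flows still fall through to PAT under both the narrow and the broad exemption, which is what the broad Private_Networks rule is meant to preserve.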

I would steer away from having the same subnet for source and destination. It is better to configure a specific subnet for each source and destination.

I will be using about a dozen private-net to private-net tunnels initially and then adding more as time goes by.   I just wanted to keep the config as clean and clutter free as possible and take care of all the different combinations with as few commands as possible.

Thanks for all your help and advice.

Rgds,

Diego
