ASDM through IPsec-Tunnel with Nat?

frederic_hohn
Level 1

Hello all,

Perhaps somebody has had the same problem and found a way to solve it.

We access our customer networks over an IPsec tunnel with destination NAT:

Our site is hidden behind a single address (Service-PAT); the remote sites are reached over /27 networks,

whose host addresses (D-NAT1, ...) are translated to the servers (Server1, ...) we need to access.

NAT on the customer ASA (8.3):

nat (any,any) source static Service-PAT Service-PAT destination static D-NAT1 Server1 unidirectional

Unfortunately, I can't access the ASA at the customer site using this NAT.

Regardless of which address the NAT is applied to (ASA interface addresses, loopback), it is not possible to use the CLI or ASDM.

The log shows only the normal NAT translation, the same as when I access one of the servers behind the ASA, with no error, but the session is refused.

It is only possible to access the firewall from an inside host.

Is there a way to access ASDM/CLI using the destination NAT?

6 Replies

andrew.prince
Level 10

The remote end needs "management-access inside" configured if you want to access it from over the VPN.

Hi Andrew,

Thanks for your answer.

The "management-access inside" statement is in use.

Perhaps the statement only works without NAT?

Check that you are not double-NATting it: once you have performed the destination NAT, the resulting new IP must be part of the no-nat before it is encrypted.

Hello Andrew,

I'm not sure what you mean.

There are no access lists that could block the traffic. The log shows only the build-up/teardown messages.

Service-PAT: 192.168.255.1/32
Transit-Net: 10.0.5.0/27
D-NAT2:      10.0.5.2/32
ASA-Local:   172.16.128.71/24

access-list outside_1_cryptomap extended permit ip object Transit-Net object Service-PAT

access-list outside_1_cryptomap extended permit ip object Service-PAT any

access-list outside_1_cryptomap extended permit ip object Service-PAT interface inside

nat (any,any) source static Service-PAT Service-PAT destination static D-NAT2 ASA-Local unidirectional

management-access inside

ssh 192.168.255.1 255.255.255.255 inside

telnet 192.168.255.1 255.255.255.255 inside

Besides the destination NAT, there is only the default PAT to the outside:

nat (any,outside) source dynamic any interface

After the NAT is done, the ASA should only see a packet from 192.168.255.1 to its local interface.

The ACL and management rules don't deny this.

Could you please explain your comment about double NATting and no-nat?

Is there a mistake in the NAT statements?

Thanks for your help!

If the remote end is, say, 1.1.1.1 but I need to NAT that to 2.2.2.2 and use that to connect to, and then it gets encrypted, then:

1) I need to NAT 1.1.1.1 to 2.2.2.2

2) I need to define the interesting VPN traffic destination as 2.2.2.2

3) as I have general NAT in place, and the VPN endpoint is out the outside interface, I need to make sure that I do not NAT it again before it leaves the interface for encryption, so "access-list no-nat permit ip x.x.x.x x.x.x.x host 2.2.2.2"

4) 2.2.2.2 as a destination must no

Remember the flow is NAT > Route > Encrypt. Use your favourite search engine and look for "identity nat" and "double nat".
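Andrew's three points (destination NAT first, crypto ACL written for the addresses that exist after NAT, and no second translation on the way to the crypto map), laid out as an ASA 8.3 configuration for the topology in this thread. This is an illustration added by the editor, not configuration posted by either participant. It covers the through-the-box case (hub host to a server behind the customer ASA), which the original poster reports already works; the thread ends without a confirmed fix for the to-the-box case (ASDM/SSH to the ASA's own interface). Assumed, and not from the thread: interface names `inside` and `outside`, the crypto map applied on `outside`, and Server1's address 172.16.128.10. Note that Andrew's `access-list no-nat` form is the pre-8.3 NAT-exemption syntax; on 8.3 the equivalent is a twice-NAT identity rule as shown. Also note that ASDM needs `http server enable` plus an `http` permit for the management source on the interface; the excerpt posted above shows only `ssh` and `telnet` lines.

```text
! Objects used by the NAT and crypto rules (names from the thread; Server1's address is assumed)
object network Service-PAT
 host 192.168.255.1
object network Transit-Net
 subnet 10.0.5.0 255.255.255.224
object network D-NAT1
 host 10.0.5.1
object network Server1
 host 172.16.128.10

! Point 1: destination NAT. A decrypted packet from Service-PAT for the mapped address
! D-NAT1 is untranslated to the real server. Written from the outside (real source) side,
! given line 1 so it is evaluated before the dynamic PAT below, and left bidirectional
! (no "unidirectional") so Server1 -> Service-PAT is translated back to D-NAT1 -> Service-PAT.
nat (outside,inside) 1 source static Service-PAT Service-PAT destination static D-NAT1 Server1

! Point 3: identity NAT for traffic from the local inside network toward the hub address,
! so nothing bound for the tunnel is PATed to the outside interface address before it
! reaches the crypto map. On 8.3 this replaces "nat (inside) 0 access-list no-nat".
object network Inside-Net
 subnet 172.16.128.0 255.255.255.0
nat (inside,outside) 2 source static Inside-Net Inside-Net destination static Service-PAT Service-PAT

! Default PAT for everything else, explicitly ordered after the rules above.
nat (any,outside) after-auto source dynamic any interface

! Point 2: the crypto ACL matches what is on the wire after NAT on the outside interface,
! i.e. the mapped transit addresses, not the real server addresses.
access-list outside_1_cryptomap extended permit ip object Transit-Net object Service-PAT

! Management access from the hub over the tunnel (ASDM needs the http lines as well).
management-access inside
http server enable
http 192.168.255.1 255.255.255.255 inside
ssh 192.168.255.1 255.255.255.255 inside

! Checks: confirm which NAT rule a decrypted hub packet hits and that the VPN phase passes,
! then look at per-rule hit counters and the tunnel's SA counters.
packet-tracer input outside tcp 192.168.255.1 40000 10.0.5.1 22
show nat detail
show crypto ipsec sa
```

In the packet-tracer output, the NAT phase should name rule 1 (D-NAT1 untranslated to Server1) and the VPN phase should show the flow as tunnel traffic; if the NAT phase instead reports the dynamic PAT, the rule ordering is wrong and the packet will no longer match the crypto ACL, which is the "double NAT" situation Andrew describes.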

I'm sure the NAT is OK. It works fine when the sessions are built up through the ASA; the connection into the ASA doesn't work with any NAT statement I have tested.

I was wrong when I said that the log only shows the normal NAT sessions: the teardown always shows "flow terminated by tcp intercept".
