Basic NAT from outside remote-access IPSec VPN to inside
This is a simple problem, yet I cannot get this to work properly and I've even had a Cisco engineer from TAC set-this up... and it literally broke my inside network. I have a VPN range of addresses..x.x.x.x on the Outside that needs access to a server on the Inside at y.y.y.y. HTTPS/443 connectivity. I need to NAT my VPN subnet/pool in order to talk to the inside host, as that host will not accept traffic from my VPN subnet, but obviously, will accept traffic from Inside my private network.
The Cisco tech entered the following static NAT statement to "fix" the problem -
For whatever reason, whenever this is configured on my ASA 5550 v8.3(2)25 the Inside interface starts proxy arping and assigns all IP addresses on my private network with the MAC address of the Inside interface. At that point, nothing talks.
The y.y.y.y is on a remote, routed network within my private, corporate MPLS network. My Inside private network (Inside-network shown in the static NAT above) is x.x.x.x. Not sure why this happens, but it kills my entire network and I have to jump through hoops to quiesce the network and get everything back to normal.
I've tried to Dynamic-PAT/hide the VPN range behind the Inside interface through ASDM and that seems to do nothing.
The NAT statement above will break my network. Anyone have any suggestions on how to NAT this connection without killing my Inside network? Or, on how to properly hide my VPN subnet/pool behind my Inside interface and back to the VPN subnet/pool. Thanks.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...