
Cisco remote VPN NAT issue

jibsoni
Level 1

Dear all,

I am facing an issue, which needs your valuable support.

As per the attached diagram, remote users are getting IP address 192.168.2.x, internal IP = 192.168.1.x, DMZ IP = 172.16.1.x, and the 10.0.0.x network is accessed via a router connected on the DMZ over which I don't have control.

My issue is that remote users want to access the 10.0.0.x network but they can't; at the same time they can access the DMZ and internal network.

I have tried no NAT as below and I removed the first line of the ACL as well, but the result is the same.

access-list 160 permit ip 10.0.0.0 255.0.0.0 192.168.2.0 255.255.255.0

access-list 160 permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (dmz) 0 access-list 160

I wish to try NATing 192.168.2.x traffic using a DMZ IP address when packets are destined to 10.0.0.x.

Can someone suggest how to proceed?

5 Replies

ju_mobile
Level 1

Hi,

You need to look at a dynamic policy NAT and NATing the VPN users to either the DMZ interface or an address within the DMZ range which is dedicated to that purpose.

Julio Carvajal
VIP Alumni

Hello,

You could do a:

NAT (outside) 1 192.168.2.0 netmask 255.255.255.0 outside

global (dmz) 1 172.16.1.x

Can you do a packet-tracer and show us the result of that? This will lead us to a NAT or something else issue.

The No_Nat configuration is perfect.

Regards,

Julio

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

jibsoni
Level 1

I have attached the packet tracer output and the firewall config; kindly look into that.

Hi all,

As jcarvaja suggested, I have tried the NAT config but no luck.

Please provide me a solution.

Hello,

Here is what I want you to do now:

access-list test permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0

nat (outside) 10 access-list test outside

global (dmz) 10 interface

Regards,

Let me know the result.

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC