Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.

conditional NAT to subinterface which is peer for site to site

Hi all

Outside interface of the ASA is endpoint for remote access clients. RA clients receive 172.5.x.0 IPs. I created a sub-interface in DMZ with the ip x.x.x.71. I will establish a site-to-site to that subinterface. Question is..

RA clients should be able to reach an IP address at remote peer of site-to-site VPN established on subinterface. But remote peer does not want to allow 172.5.x.0 at their site. They want to see a real IP. Here is what I tought

Do a conditional NAT for 172.5.x.0 network to subinterface ip by adding following. Subinterface has security level of 3, and outside has 0.

access-list 101 permit ip 172.5.x.0 255.255.255.0 <remote LAN> <remote mask>

nat (inside) 10 access-list 101

global (subinterface) 10 interface

And I get

WARNING: Binding inside nat statement to outermost interface.

WARNING: Keyword "outside" is probably missing.

Should I type

nat (outside) 5 172.5.x.0 255.255.255.0 outside

Or should I chenge the security level of outside to 1 and subinterface to 0? What affects would that cause? Is that it? How the split tunneling shold work from now on.

I used packet-trace and watched a packet from 172.5.x to remote lan but it does not walk through my conditional NAT. It first goes through the route

route subinterface remotelan remotemask subintgateway

then instead walking through condit NAT, it walks through outside route and I get

6 Oct 19 2007 19:49:01 109025 172.5.x.88 x.175.x.193 Authorization denied (acl=SCSVPN01_restrict) for user 'testbayi' from 172.5.x.88/1499 to x.175.x.193/80 on interface outside using TCP

Any help is much appreciated

I dont want permit same security traffic

Regards

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: conditional NAT to subinterface which is peer for site to si

You should first try command "nat (outside) 5 172.5.x.0 255.255.255.0 outside" and if this is not working then you can change the security level of outside to 1 and subinterface to 0. Other workaround could be to configure hairpinning on the ASA.

1 REPLY
Silver

Re: conditional NAT to subinterface which is peer for site to si

You should first try command "nat (outside) 5 172.5.x.0 255.255.255.0 outside" and if this is not working then you can change the security level of outside to 1 and subinterface to 0. Other workaround could be to configure hairpinning on the ASA.

126
Views
0
Helpful
1
Replies
CreatePlease to create content