IPSEC PAT overlapping with Internet PAT

Hi,

I have a Cisco ASA on which my company's internet is running.

nat (INSIDE) 1 access-list NAT

global (OUTSIDE) 1 44.4.4.4

access-list NAT extended permit ip 10.0.0.0 255.0.0.0 any

Now I have to configure an IPSEC VPN on the same ASA.

Over the VPN I have to access destination IP 7.7.7.7 from source IP 10.x.x.x.

So I made:

nat (INSIDE) 2 access-list SONI

global (OUTSIDE) 2 44.4.4.5

access-list SONI extended permit ip 10.0.0.0 255.0.0.0 host 7.7.7.7

Now what is happening is that my traffic is getting PATed to 44.4.4.4 and going to the internet, instead of being PATed to 44.4.4.5 and going to the IPSEC tunnel.

So the tunnel is not establishing.

How can I force the second GLOBAL to activate for my VPN destination 7.7.7.7 and PAT to 44.4.4.5 when I access the destination from my PC on 10.x.x.x?

One solution I can think of is to swap the sequence numbers of NAT and GLOBAL,

i.e. make my internet NAT SEQ 2 and my specific IPSEC NAT SEQ 1:

nat (INSIDE) 2 access-list NAT

global (OUTSIDE) 2 44.4.4.4

nat (INSIDE) 1 access-list SONI

global (OUTSIDE) 1 44.4.4.5

What other options do I have? I don't want to bust internet traffic, so I want some other seamless option.

1 REPLY

IPSEC PAT overlapping with Internet PAT

Try changing the ACL from:

access-list NAT extended permit ip 10.0.0.0 255.0.0.0 any

to

! exclude the VPN destination from the internet PAT rule first
access-list NAT extended deny ip 10.0.0.0 255.0.0.0 host 7.7.7.7

access-list NAT extended permit ip 10.0.0.0 255.0.0.0 any

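The following is an added example, not part of the thread and not ASA code: a small Python model of the behaviour described above, used to check that the suggested deny line does what the reply intends before touching a production firewall. It assumes the semantics the thread relies on: policy NAT rules are consulted in NAT ID order, the first rule whose access-list permits the flow wins, and a deny line in a NAT access-list drops the flow out of that rule so the next rule is tried. It parses only the subset of ASA syntax used in the thread; the inside host 10.1.2.3 and the internet host 198.51.100.10 are constructed sample addresses.

```python
"""Model of first-match policy NAT selection (constructed example, not ASA code).

Assumptions (taken from the thread, not from ASA documentation):
  * 'nat (IF) <id> access-list <acl>' rules are tried in ascending <id> order
  * the first rule whose ACL permits the flow decides the global PAT address
  * a 'deny' ACL line means "this rule does not apply", so evaluation moves on
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass(frozen=True)
class PolicyNat:
    nat_id: int
    acl: Tuple[AclEntry, ...]        # evaluated top down, implicit deny at the end
    global_ip: str                   # address from 'global (OUTSIDE) <id> <ip>'


def net(spec: str) -> ipaddress.IPv4Network:
    """Parse 'any', 'host a.b.c.d' or 'a.b.c.d m.m.m.m' (ASA netmask notation)."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.IPv4Network(spec[5:] + "/32")
    addr, mask = spec.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _take_spec(tokens, i):
    """Consume one address specification starting at tokens[i]."""
    if tokens[i] == "any":
        return net("any"), i + 1
    if tokens[i] == "host":
        return net(f"host {tokens[i + 1]}"), i + 2
    return net(f"{tokens[i]} {tokens[i + 1]}"), i + 2


def parse_acl_line(line: str):
    """Parse 'access-list <name> extended <permit|deny> ip <src> <dst>'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
        raise ValueError(f"unsupported ACL line: {line}")
    src, i = _take_spec(t, 5)
    dst, _ = _take_spec(t, i)
    return t[1], AclEntry(t[3], src, dst)


def load_config(text: str):
    """Build PolicyNat rules from the nat/global/access-list lines in the thread."""
    acls, nat_acl, global_ip = {}, {}, {}
    for raw in text.strip().splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "access-list":
            name, entry = parse_acl_line(raw)
            acls.setdefault(name, []).append(entry)   # keep configured order
        elif t[0] == "nat" and t[3] == "access-list":
            nat_acl[int(t[2])] = t[4]
        elif t[0] == "global":
            global_ip[int(t[2])] = t[3]
    return [PolicyNat(i, tuple(acls[nat_acl[i]]), global_ip[i]) for i in sorted(nat_acl)]


def acl_permits(acl, src, dst) -> bool:
    """First matching entry decides; no match means implicit deny."""
    for e in acl:
        if src in e.src and dst in e.dst:
            return e.action == "permit"
    return False


def select_global(rules, src_ip: str, dst_ip: str) -> Optional[str]:
    """Return the PAT address the flow would get, or None if no policy NAT applies."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for rule in rules:                           # already sorted by NAT ID
        if acl_permits(rule.acl, src, dst):
            return rule.global_ip
    return None


# The original poster's configuration (ACL keyword order corrected).
ORIGINAL = load_config("""
nat (INSIDE) 1 access-list NAT
global (OUTSIDE) 1 44.4.4.4
access-list NAT extended permit ip 10.0.0.0 255.0.0.0 any
nat (INSIDE) 2 access-list SONI
global (OUTSIDE) 2 44.4.4.5
access-list SONI extended permit ip 10.0.0.0 255.0.0.0 host 7.7.7.7
""")

# The reply's fix: a deny line ahead of the broad permit in the internet NAT ACL.
FIXED = load_config("""
nat (INSIDE) 1 access-list NAT
global (OUTSIDE) 1 44.4.4.4
access-list NAT extended deny ip 10.0.0.0 255.0.0.0 host 7.7.7.7
access-list NAT extended permit ip 10.0.0.0 255.0.0.0 any
nat (INSIDE) 2 access-list SONI
global (OUTSIDE) 2 44.4.4.5
access-list SONI extended permit ip 10.0.0.0 255.0.0.0 host 7.7.7.7
""")


def demo():
    """Compare PAT selection for a VPN flow and an ordinary internet flow."""
    return {
        "original_vpn": select_global(ORIGINAL, "10.1.2.3", "7.7.7.7"),
        "original_web": select_global(ORIGINAL, "10.1.2.3", "198.51.100.10"),
        "fixed_vpn": select_global(FIXED, "10.1.2.3", "7.7.7.7"),
        "fixed_web": select_global(FIXED, "10.1.2.3", "198.51.100.10"),
        "fixed_other_src": select_global(FIXED, "192.168.1.1", "7.7.7.7"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the original configuration the VPN flow is caught by NAT ID 1 and PATed to 44.4.4.4, which is the symptom in the question; with the deny line in place it falls through to NAT ID 2 and 44.4.4.5, while ordinary internet traffic still gets 44.4.4.4 and a source outside 10.0.0.0/8 matches neither rule.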