
IPSEC PAT overlapping with Internet PAT

ahmad82pkn
Level 2

Hi,

I have a Cisco ASA on which my company Internet is running.

nat (INSIDE) 1 access-list NAT

global (OUTSIDE) 1 44.4.4.4

access-list NAT extended permit ip 10.0.0.0 255.0.0.0 any

Now I have to configure an IPsec VPN on the same ASA.

Over the VPN I have to access destination IP 7.7.7.7 from source IP 10.x.x.x,

so I made:

nat (INSIDE) 2 access-list SONI

global (OUTSIDE) 2 44.4.4.5

access-list SONI extended permit ip 10.0.0.0 255.0.0.0 host 7.7.7.7

Now what is happening is that my traffic is getting PAT'd to 44.4.4.4 and going to the Internet, instead of being PAT'd to 44.4.4.5 and going into the IPsec tunnel,

so the tunnel is not establishing.

How can I force the second global to be used for my VPN destination 7.7.7.7, and PAT to 44.4.4.5, when I access the destination from my PC on 10.x.x.x?

One solution I can think of is to swap the sequence numbers of the NAT and GLOBAL,

like making my Internet NAT SEQ 2 and my specific IPsec NAT SEQ 1:

nat (INSIDE) 2 access-list NAT

global (OUTSIDE) 2 44.4.4.4

nat (INSIDE) 1 access-list SONI

global (OUTSIDE) 1 44.4.4.5

What other options do I have? I don't want to bust Internet traffic, so I want some other seamless option.

1 Reply

andrew.prince
Level 10

Try and change the ACL from:

access-list NAT extended permit ip 10.0.0.0 255.0.0.0 any

to

access-list NAT extended deny ip 10.0.0.0 255.0.0.0 host 7.7.7.7

access-list NAT extended permit ip 10.0.0.0 255.0.0.0 any
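The reason the deny ACE works can be seen in a small model of how the ASA picks a policy NAT rule. This is an added example, not configuration or code from the thread; it assumes the ASA walks the `nat` statements in the order shown and takes the first one whose ACL permits the flow, with the usual first-match ACL semantics (a deny ACE, like the implicit deny at the end, means "this nat statement does not apply").

```python
"""Model of pre-8.3 ASA policy-NAT selection (added example, not from the
thread). A flow is PAT'd with the first nat statement whose ACL permits it,
so a deny ACE in the Internet ACL makes VPN traffic fall through to nat 2."""
import ipaddress

def _net(token):
    """Parse ASA address tokens: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if token == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.IPv4Network(token.split()[1] + "/32")
    addr, mask = token.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def ace(action, src, dst):
    """One access-list entry: ('permit'|'deny', src network, dst network)."""
    return (action, _net(src), _net(dst))

def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

def select_pat(nat_rules, src, dst):
    """nat_rules: ordered (acl, pat_address) pairs; returns the PAT address
    of the first rule whose ACL permits the flow, or None if none matches."""
    for acl, pat in nat_rules:
        if acl_permits(acl, src, dst):
            return pat
    return None

# ACLs from the thread: SONI for the tunnel, NAT before and after the fix.
SONI = [ace("permit", "10.0.0.0 255.0.0.0", "host 7.7.7.7")]
NAT_ORIGINAL = [ace("permit", "10.0.0.0 255.0.0.0", "any")]
NAT_FIXED = [ace("deny", "10.0.0.0 255.0.0.0", "host 7.7.7.7"),
             ace("permit", "10.0.0.0 255.0.0.0", "any")]

def before_fix(src="10.1.2.3", dst="7.7.7.7"):
    return select_pat([(NAT_ORIGINAL, "44.4.4.4"), (SONI, "44.4.4.5")], src, dst)

def after_fix(src="10.1.2.3", dst="7.7.7.7"):
    return select_pat([(NAT_FIXED, "44.4.4.4"), (SONI, "44.4.4.5")], src, dst)

if __name__ == "__main__":
    print("before fix, to 7.7.7.7:", before_fix())            # 44.4.4.4
    print("after fix,  to 7.7.7.7:", after_fix())             # 44.4.4.5
    print("after fix,  to web:    ", after_fix(dst="198.51.100.10"))  # 44.4.4.4
```

The third call shows that ordinary Internet traffic from 10.x.x.x still lands on 44.4.4.4 after the change, which is why the deny ACE is the less disruptive option compared with swapping the nat IDs.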