Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Multiple NAT (DMZ) 0 Access list statement

Hello,

Im having i problem with remote VPNs. The scenario is this:

I have i few clients that connect remotly via VPN. Untill today only one of them needed access to enter to my DMZ. But now i want another one with different profile (cause is a new client) to access to one of my server in the DMZ.

So i declared all the VPN setting, the ACL but when i want to declare the nat (dmz) 2 access-list newclient it doesnt work. But if i declare the nat (dmz) 0 access-list newclient it work BUT it delete the previous nat 0 that my other client have. There is a way to create multiple nat (dmz) 0 access-list statement ?. If not, how could i resolve this problem ?

This is my config:

access-list vpnashi extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0

access-list vpnashi extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28

access-list vpnlati extended permit ip host 192.168.16.50 192.168.125.0 255.255.255.0

access-list vpnlati extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.50

ip local pool ippool 192.168.125.10-192.168.125.254
global (outside) 1 interface
global (outside) 2 200.32.97.254
nat (outside) 1 192.168.125.0 255.255.255.0
nat (inside) 0 access-list vpnas
nat (inside) 2 access-list ACL-NAT-LIM
nat (inside) 3 access-list vpnwip
nat (inside) 4 access-list vpnashi
nat (inside) 5 access-list vpnlati
nat (inside) 1 0.0.0.0 0.0.0.0
nat (wifi) 2 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list vpnashi
nat (dmz) 1 192.168.16.0 255.255.255.0
nat (dmz) 2 access-list vpnlati
group-policy RA-ASHI internal
group-policy RA-ASHI attributes
dns-server value 172.16.1.100
vpn-idle-timeout 30
vpn-filter value vpnashi
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
group-policy RA-LATI internal
group-policy RA-LATI attributes
dns-server value 172.16.1.100
vpn-idle-timeout 30
vpn-filter value vpnlati
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
tunnel-group RA-ASHI type remote-access
tunnel-group RA-ASHI general-attributes
address-pool ippool
authentication-server-group (outside) partnerauth
default-group-policy RA-ASHI
tunnel-group RA-ASHI ipsec-attributes
pre-shared-key *
tunnel-group RA-LATI type remote-access
tunnel-group RA-LATI general-attributes
address-pool ippool
authentication-server-group (outside) partnerauth
default-group-policy RA-LATI
tunnel-group RA-LATI ipsec-attributes
pre-shared-key *

2 ACCEPTED SOLUTIONS

Accepted Solutions

Re: Multiple NAT (DMZ) 0 Access list statement


andre,

You can only have one NAT exempt access-list per interface (nat 0 rule).  I understand what you are trying to accomplish.  You are using the access-list vpnashi and vpnlati to control access to devices for different clients through VPN group policies.

What I do is this:

Create an ACL for the VPN client (which you have, with vpnashi and vpnlati)
Create an ACL for NAT exemption for the interface (nonat-inside, nonat-dmz, etc.).

Create ACEs inside the NAT exempt ACL that matches your VPN client access-list.

It is ok to have multiple statements inside of a NAT exempt access-list.  Doing so will not allow one VPN client to have access to things it shouldn't.

For example:

access-list nonat-dmz extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0

access-list nonat-dmz extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28

nat (dmz) 0 access-list nonat-dmz

Cisco Employee

Re: Multiple NAT (DMZ) 0 Access list statement

hi andre,

i understand your concerns here, the prob here is you are using the same acl for nat exempt and split tunneling

do one thing

keep the vpn-aashi and vpn-lati acl as it is, since you are using it for split tunneling

now make a new access-list nonat_dmz and include internal network to vpn pool ip this will let you achive what you need

here are the acl's you need

nonat_dmz

access-list nonat_dmz extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0

access-list nonat_dmz extended permit ip host 192.168.16.50 192.168.125.0 255.255.255.0

no nat (dmz) 0 access-list vpnashi

nat (dmz) 0 access-list nonat_dmz

this should fix the issue at hand

6 REPLIES

Re: Multiple NAT (DMZ) 0 Access list statement

What is your access-list for your 'newclient'? What is the IP Space?


If I understand what you want to do correctly, you can just do the following.

Add more ACEs to your ACL vpnashi which is the current nat 0 access-list for the DMZ interface.

So, add the following bold configuration to your existing access-list.  Replace the red x.x.x.x with the new VPN subnet and replace y.y.y.y with the subnet mask of that subnet.

access-list vpnashi extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0

access-list vpnashi extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28

access-list vpnashi extended permit ip host 192.168.16.28 x.x.x.x y.y.y.y

access-list vpnashi extended permit ip x.x.x.x y.y.y.y host 192.168.16.28

New Member

Re: Multiple NAT (DMZ) 0 Access list statement

jjohnston,

the newclient is vpnlati . vpnashi is another client and is working perfect but i dont want to create new ACEs under that one cause is a different client and i want to create differents profiles for Cisco remote VPNs.

if i put in the config:

nat (dmz) 0 access-list vpnlati  it start to work perfect but the vpnashi dessapear.

That why my question is if there is a way to add multiples nat (dmz) 0 access-list

or how could i resolve this issue.

Regards.

Amir

Re: Multiple NAT (DMZ) 0 Access list statement


andre,

You can only have one NAT exempt access-list per interface (nat 0 rule).  I understand what you are trying to accomplish.  You are using the access-list vpnashi and vpnlati to control access to devices for different clients through VPN group policies.

What I do is this:

Create an ACL for the VPN client (which you have, with vpnashi and vpnlati)
Create an ACL for NAT exemption for the interface (nonat-inside, nonat-dmz, etc.).

Create ACEs inside the NAT exempt ACL that matches your VPN client access-list.

It is ok to have multiple statements inside of a NAT exempt access-list.  Doing so will not allow one VPN client to have access to things it shouldn't.

For example:

access-list nonat-dmz extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0

access-list nonat-dmz extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28

nat (dmz) 0 access-list nonat-dmz

Cisco Employee

Re: Multiple NAT (DMZ) 0 Access list statement

hi andre,

i understand your concerns here, the prob here is you are using the same acl for nat exempt and split tunneling

do one thing

keep the vpn-aashi and vpn-lati acl as it is, since you are using it for split tunneling

now make a new access-list nonat_dmz and include internal network to vpn pool ip this will let you achive what you need

here are the acl's you need

nonat_dmz

access-list nonat_dmz extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0

access-list nonat_dmz extended permit ip host 192.168.16.50 192.168.125.0 255.255.255.0

no nat (dmz) 0 access-list vpnashi

nat (dmz) 0 access-list nonat_dmz

this should fix the issue at hand

New Member

Re: Multiple NAT (DMZ) 0 Access list statement

Thank you so much guys !!!. I create the nonat ACL and it work perfect

Cisco Employee

Re: Multiple NAT (DMZ) 0 Access list statement

Glad it worked tc

1532
Views
0
Helpful
6
Replies
CreatePlease to create content