09-01-2010 09:44 AM
Hello,
I have a situation where all the traffic to the DMZ is PATed and now works as long as users are on the inside LAN. Now we want users connecting to an RA VPN, which terminates on the same firewall's outside interface, to access the DMZ.
At present we have
nat (inside) 100 1.1.1.1
global (DMZ1) 100 10.10.10.10 and this works fine.
Now we want users on the RA VPN IP range 11.11.11.1x to connect to DMZ hosts.
At present we have global (outside) 1 2.2.2.2
What is the best way to allow the 11.11.11.1x range access to DMZ1 with all this traffic PATed to 10.10.10.10?
Will nat (outside) 100 11.11.11.1x work?
We are running IOS 7.2.3 on a Cisco ASA.
Thanks and regards,
Venky
09-01-2010 09:50 AM
Hi,
The DMZ is 10.10.10.x
To allow RA VPN clients to connect to the DMZ network you can do the following:
access-list nonat_DMZ permit ip 10.10.10.0 255.255.255.0 11.11.11.0 255.255.255.0
nat (DMZ) 0 access-list nonat_DMZ
In this way, traffic from the VPN clients (11.11.11.x) can access the DMZ (10.10.10.x) without NAT.
And forget about the nat (outside)...
Note:
You should include the DMZ network in the split tunneling for the VPN clients (in case you are using split tunneling).
Federico.
09-01-2010 11:24 PM
Hi Federico,
Thanks! for the response.
But if I do nat 0, the VPN client IPs 11.11.11.x do not get PATed to 10.10.10.10. I want to achieve NAT for all the traffic from the RA VPN clients to global (DMZ1) 100 10.10.10.10.
Regards,
Venky
09-02-2010 05:54 AM
Hello Venky,
What Federico suggested is correct in that it will allow DMZ traffic to VPN clients. If you wish to NAT VPN clients also to 10.10.10.10, then do the following in addition to what Federico suggested:
nat (inside) 100 11.11.11.0 255.255.255.0
Since VPN traffic is treated as internal traffic, you apply the rule to the inside interface.
Hope this helps.
Regards,
NT
09-02-2010 09:00 AM
Hi,
I tried NAT on the inside interface and it did not help. We don't have nat-control enabled and I don't think nat 0 makes much difference on the DMZ interface. Also, the traffic is initiated from the VPN client range and not from the DMZ.
Regards,
Venky
09-02-2010 11:09 AM
Hello,
Did you configure both of the lines below?
nat (inside) 100 11.11.11.0 255.255.255.0
nat (DMZ) 0 access-list "acl name"
The first line is needed if you want to use the DMZ interface IP when communicating with the DMZ servers. Alternatively, you can use the VPN client IP itself and not worry about the NAT. Please make sure that the DMZ servers know how to reach the 11.11.11.0 subnet (the default gateway should point to the ASA, or the current default gateway should have a route to 11.11.11.0 pointing to the ASA).
The second line is responsible for the return traffic from the DMZ to the VPN clients. Since (I am assuming) you are accessing the DMZ devices with their own IP address, when the return traffic hits the ASA we want the ASA to bypass the outside interface NAT rules. The second line will ensure that part.
Hope this helps.
Regards,
NT
09-02-2010 07:28 AM
Hi Venky,
As mentioned in your original post, all that you will need is a "nat (outside) 100 11.11.11.0 255.255.255.0 outside". The outside keyword at the end is necessary for the NAT to work. You do not need to do NAT exemption. In fact, if you have the "nat (dmz) 0 ACL" and the above command, it will cause a conflict and traffic will not pass.
Let me know how it goes.
Thanks and Regards,
Prapanch
09-02-2010 09:03 AM
Hi Prapanch,
I have tried this, and when we do it the NAT works, but the traffic from inside to the Internet fails for some reason.
Regards,
Venky.
09-02-2010 09:48 AM
Hi Venky,
I have seen the same behavior before, where enabling outside NAT breaks Internet access for inside users. I would suggest you upgrade your ASA to more recent code, as I see you are running 7.2(3) right now, maybe to the latest release in the 8.0 or 8.2 train. It might help us, as there are many bug fixes in these releases compared to the 7.2 train.
Let me know if this helps!!
Thanks and Regards,
Prapanch
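The following consolidated configuration is an added example and not a post from this thread or a Cisco reference configuration. It puts together the pre-8.3 outside-NAT command Prapanch describes (with the trailing "outside" keyword), the split-tunnel entry Federico mentions, and the commands a practitioner would use to verify that the translation actually happens. The interface names inside, DMZ1 and outside, the VPN pool 11.11.11.0/24, the DMZ server 10.10.10.20, the inside host 1.1.1.10, and the names SPLIT_TUNNEL and RAVPN_GP are assumptions. Venky reports in this thread that enabling outside NAT on 7.2(3) broke inside-to-Internet traffic, so the last check is there to confirm that path still works after the change.

```cisco
! Added example (not from the thread). Assumes interfaces named inside, DMZ1 and outside,
! an RA VPN address pool of 11.11.11.0/24, and the existing PAT below already in place.
global (DMZ1) 100 10.10.10.10
global (outside) 1 2.2.2.2

! Bind the VPN pool to NAT group 100 on the outside interface, where decrypted VPN
! traffic enters the box. On pre-8.3 code the trailing "outside" keyword is what turns
! on outside NAT for this rule; Prapanch notes the rule does not work without it.
nat (outside) 100 11.11.11.0 255.255.255.0 outside

! Group 100 already has a global on DMZ1, so VPN-client flows into 10.10.10.0/24 are
! PATed to 10.10.10.10 and the DMZ hosts need no route back to 11.11.11.0/24.
! Per Prapanch's post, do not combine this with a "nat (DMZ1) 0 access-list ..." exemption
! for the same traffic; the two conflict.

! Split tunneling: only the DMZ subnet rides the tunnel (ACL and policy names are assumed).
access-list SPLIT_TUNNEL standard permit 10.10.10.0 255.255.255.0
group-policy RAVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Verification. Trace a VPN-client flow to an assumed DMZ server and confirm the NAT
! phase in the output shows 11.11.11.10 translated to 10.10.10.10, then look at the xlate.
packet-tracer input outside tcp 11.11.11.10 40000 10.10.10.20 80
show xlate | include 11.11.11.10

! Confirm inside-to-Internet PAT (group 1) is unaffected, since the thread reports it
! stopped working on 7.2(3) once outside NAT was enabled. 203.0.113.1 is a documentation
! address standing in for any Internet host.
packet-tracer input inside tcp 1.1.1.10 40000 203.0.113.1 80
```

If the second packet-tracer run ends in a drop at the NAT phase after adding the outside rule, that reproduces the behaviour Venky and Prapanch describe on 7.2(3), and the code-upgrade advice in the last post is the relevant next step rather than further NAT tuning.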