Hope anyone can help with this. I've been scratching my head on how I can get NAT for AnyConnect IP addresses to work but still seem to be failing.
I've got a setup where an ASA has one connection for its Outside network and has two connections to two separate Internal networks. Due to some routing limitations, I need to NAT the source address for AnyConnect users when they are trying to access one of the Internal networks.
I've been unable to find any similar instance where this has been set up. With the NAT entry that I added for this using the Outside as the source and Internal2 as the destination, the show nat command showed translated_hits for the traffic sent but no untranslated_hits which I presume would be hit for the return traffic.
Is there a way to NAT AnyConnect traffic when it enters and exits the ASA?
Also, am I correct in thinking that the AnyConnect client traffic would be being sourced from the Outside interface?
What version of ASA code do you have, and what NAT statement are you using? This sounds like it should be possible, and you are correct that the AnyConnect traffic would be sourced from the Outside interface, if that's where the VPN is terminated.
ASA----(10.10.0.0 /24)----Router----(rest of 10.10.0.0 /16 network)
The AnyConnect clients have client IP addresses in the 10.58.1.0 /24 range. It connects to an Internal segment with the range 10.10.0.0 /24. The clients need to access the rest of the 10.10.0.0 /16 network which cannot route directly to the 10.58.1.0 /24 network.
You need policy NAT to source AnyConnect IP segment to one of the available IP addresses of internal-segment to secondary internal-segment and your no-nat between secondary internal-segment and allocated available IP address of primary internal-segment.
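The source translation discussed in the thread, written out as an added example that is not part of any post above. It assumes ASA 8.3 or later object NAT syntax, interface names `outside` and `internal2`, and a free address 10.10.0.250 in the directly connected segment; the object names and that address are constructed placeholders.

```cisco
! Added example. Assumptions: ASA 8.3+ syntax, nameif "outside" and
! "internal2", and 10.10.0.250 unused in 10.10.0.0/24 (placeholder).

! Real source: the AnyConnect address pool from the thread.
object network OBJ-VPN-POOL
 subnet 10.58.1.0 255.255.255.0

! Mapped source: one spare address in the connected internal segment.
! The router already reaches it on-link, so it needs no route to
! 10.58.1.0/24.
object network OBJ-VPN-PAT
 host 10.10.0.250

! Destination that triggers the translation: the 10.10.0.0/16 network
! behind the router.
object network OBJ-INTERNAL-16
 subnet 10.10.0.0 255.255.0.0

! Twice NAT: PAT the pool to the spare address only when the destination
! is 10.10.0.0/16. The destination is kept unchanged (static, same object).
! Decrypted AnyConnect traffic enters on the interface that terminates
! the VPN, hence (outside,internal2).
nat (outside,internal2) source dynamic OBJ-VPN-POOL OBJ-VPN-PAT destination static OBJ-INTERNAL-16 OBJ-INTERNAL-16

! Checks after a client has opened a session to a 10.10.x.x host:
!   show nat detail   -> translate_hits on the rule should increase
!   show xlate        -> PAT entries from 10.58.1.x to 10.10.0.250
!   show conn address 10.10.0.250
!
! The per-rule counters count new connections in each direction, not
! packets. Replies on a connection the client opened ride the existing
! xlate, so untranslate_hits stays at 0 unless an internal host
! initiates a connection towards the mapped address.
```

Because the rule is a dynamic PAT, hosts in 10.10.0.0/16 cannot open new connections to the AnyConnect clients through it; only client-initiated sessions are translated.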