Cisco Support Community

New Member

NAT AnyConnect client traffic to Internal network

Hello all.

Hope someone can help with this. I've been scratching my head on how I can get NAT for AnyConnect IP addresses to work but still seem to be failing.

I've got a setup where an ASA has one connection for its Outside network and has two connections to two separate Internal networks. Due to some routing limitations, I need to NAT the source address for AnyConnect users when they are trying to access one of the Internal networks.

I've been unable to find any similar instance where this has been set up. With the NAT entry that I added for this using the Outside as the source and Internal2 as the destination, the show nat command showed translated_hits for the traffic sent but no untranslated_hits, which I presume would be hit for the return traffic.

Is there a way to NAT AnyConnect traffic when it enters and exits the ASA?

Also, am I correct in thinking that the AnyConnect client traffic would be being sourced from the Outside interface?

Thanks

Michael

5 REPLIES
Cisco Employee

NAT AnyConnect client traffic to Internal network

Michael,

What version of ASA code do you have, and what NAT statement are you using? This sounds like it should be possible, and you are correct that the AnyConnect traffic would be sourced from the Outside interface, if that's where the VPN is terminated.

--Jason

New Member

Re: NAT AnyConnect client traffic to Internal network

Hi Jason

Thanks for that info. The outside interface is the one used to terminate the VPN. The ASA code version I'm using is 8.3(2)4.

The NAT rule being used for this is:

nat (outside,INSIDE-10) source dynamic NETWORK-10.58.1.0 NAT-10.10.0.250 destination static NETWORK-10.10.0.0-16 NETWORK-10.10.0.0-16

object network NETWORK-10.10.0.0-16
 subnet 10.10.0.0 255.255.0.0
object network NAT-10.10.0.250
 host 10.10.0.250
object network NETWORK-10.58.1.0
 subnet 10.58.1.0 255.255.255.0

The topology for this looks something like this:

ASA----(10.10.0.0 /24)----Router----(rest of 10.10.0.0 /16 network)

The AnyConnect clients have client IP addresses in the 10.58.1.0 /24 range. It connects to an Internal segment with the range 10.10.0.0 /24. The clients need to access the rest of the 10.10.0.0 /16 network which cannot route directly to the 10.58.1.0 /24 network.

Cheers

Michael
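An added example, not code from the thread or from Cisco, that checks the two things Michael is looking at: whether a packet from an AnyConnect client to an internal host falls inside the real source and destination objects of the twice-NAT rule he posted (so the rule should translate it), and which rules in "show nat" output have forward translate hits but no return untranslate hits. The configuration text is rebuilt from the objects and nat line in the post; the "show nat" text is a constructed sample, and its counter names and "Manual NAT Policies" layout are assumptions about the output format rather than something taken from the thread. All function names are mine.

```python
import ipaddress
import re

# Constructed sample: the objects and twice-NAT rule from the post (ASA 8.3 syntax).
ASA_CONFIG = """\
object network NETWORK-10.10.0.0-16
 subnet 10.10.0.0 255.255.0.0
object network NAT-10.10.0.250
 host 10.10.0.250
object network NETWORK-10.58.1.0
 subnet 10.58.1.0 255.255.255.0
nat (outside,INSIDE-10) source dynamic NETWORK-10.58.1.0 NAT-10.10.0.250 destination static NETWORK-10.10.0.0-16 NETWORK-10.10.0.0-16
"""

# Constructed sample of 'show nat' output; the layout and counter names are assumed.
SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (outside) to (INSIDE-10) source dynamic NETWORK-10.58.1.0 NAT-10.10.0.250   destination static NETWORK-10.10.0.0-16 NETWORK-10.10.0.0-16
    translate_hits = 42, untranslate_hits = 0
"""


def parse_objects(config):
    """Return {object name: ip_network} for 'object network' blocks using subnet/host."""
    objects = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+subnet (\S+) (\S+)", line)
        if m and current:
            # ipaddress accepts a dotted netmask after the slash
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.match(r"^\s+host (\S+)", line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/32")
    return objects


# Twice-NAT line: source dynamic <real> <mapped> [destination static <real> <mapped>]
NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"source dynamic (?P<real_src>\S+) (?P<mapped_src>\S+)"
    r"(?: destination static (?P<real_dst>\S+) (?P<mapped_dst>\S+))?"
)


def parse_nat_rules(config):
    """Return a list of dicts, one per 'nat (...) source dynamic' line."""
    return [m.groupdict() for m in map(NAT_RE.match, config.splitlines()) if m]


def rule_covers(rule, objects, ingress_if, src_ip, dst_ip):
    """True if a packet entering ingress_if from src_ip to dst_ip is inside the
    rule's real source/destination objects, i.e. the rule should translate it."""
    if ingress_if != rule["real_if"]:
        return False
    src_ok = ipaddress.ip_address(src_ip) in objects[rule["real_src"]]
    if rule["real_dst"] is None:
        return src_ok
    return src_ok and ipaddress.ip_address(dst_ip) in objects[rule["real_dst"]]


def mapped_source(rule, objects):
    """Mapped source for matching traffic: the host for a /32 object, else the prefix."""
    net = objects[rule["mapped_src"]]
    return str(net.network_address) if net.num_addresses == 1 else str(net)


HITS_RE = re.compile(r"translated?_hits\s*=\s*(\d+),\s*untranslated?_hits\s*=\s*(\d+)")


def parse_show_nat(output):
    """Return [(rule text, translate hits, untranslate hits)] from 'show nat' output."""
    results = []
    last_rule = None
    for line in output.splitlines():
        if re.match(r"^\d+ \(", line):  # numbered rule line
            last_rule = line.strip()
            continue
        m = HITS_RE.search(line)
        if m and last_rule:
            results.append((last_rule, int(m.group(1)), int(m.group(2))))
    return results


def one_way_rules(output):
    """Rules that translated forward traffic but never untranslated any return traffic."""
    return [rule for rule, fwd, ret in parse_show_nat(output) if fwd > 0 and ret == 0]


if __name__ == "__main__":
    objs = parse_objects(ASA_CONFIG)
    rule = parse_nat_rules(ASA_CONFIG)[0]
    print("client 10.58.1.17 -> 10.10.45.9 on outside covered:",
          rule_covers(rule, objs, "outside", "10.58.1.17", "10.10.45.9"))
    print("mapped source:", mapped_source(rule, objs))
    for r in one_way_rules(SHOW_NAT):
        print("forward hits only:", r)
```

Run against a real device, the two inputs would come from "show running-config object" / "show running-config nat" and "show nat"; the counter check only tells you that return traffic is not being untranslated by that rule, not why.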

NAT AnyConnect client traffic to Internal network

Hi Michael,

You need policy NAT to translate the AnyConnect IP segment to one of the available IP addresses of the internal segment when going to the secondary internal segment, and a no-NAT between the secondary internal segment and the allocated available IP address of the primary internal segment.

I hope that makes sense.

thanks

New Member

NAT AnyConnect client traffic to Internal network

Hi Rizwan

So does that mean that as well as the NAT rule for the (outside, inside), I'll need a no-nat rule for the (inside, outside)?

Cheers

Michael

NAT AnyConnect client traffic to Internal network

Please post your running config, I will compile it for you.
