
New Member

natting vpn traffic

I just about have my VPN set up exactly like I need it. Users can connect to the VPN and get a 172.16.17.0/24 IP address. These users can then access machines hidden behind the ASA on the private 172.16.16.1/24 interface. Users on the 172.16.16.1 interface can also access any machine not on the private interface through the router using NAT. What I cannot figure out how to do is to allow the VPN users to also access any machine not on the private interface through NAT on the router as well. Help would be appreciated.

ciscoasa# show route
Gateway of last resort is a.b.c.1 to network 0.0.0.0

C    172.16.16.0 255.255.254.0 is directly connected, igbprivate
S    172.16.17.20 255.255.255.255 [1/0] via a.b.c.189, igbpublic
C    a.b.c.0 255.255.252.0 is directly connected, igbpublic
C    192.168.1.0 255.255.255.0 is directly connected, management
S*   0.0.0.0 0.0.0.0 [1/0] via ak.b.c.124.1, igbpublic

access list

access-list 101 line 1 extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0

nat statements in running-config

global (igbpublic) 1 interface
nat (igbprivate) 0 access-list 101
nat (igbprivate) 1 0.0.0.0 0.0.0.0

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: natting vpn traffic

If your VPN users are connecting to the Public side of the ASA then I still think that hairpinning is what you should look into. It is very similar to my issue in which I want VPN users to access the internet through the VPN. The packets from the VPN users have to come in the Public interface and go directly back out. Hopefully I am understanding this correctly.

8 REPLIES
New Member

Re: natting vpn traffic

I think what you are saying you want is for one VPN user to be able to access another VPN user. If that is the case then you would want to look into hairpinning. I believe this will work for you, but seeing as I am struggling with getting it to work myself I cannot help you. If you google it you may find something that will lead you in the right direction.

New Member

Re: natting vpn traffic

Nope, not that. I have other machines that sit on the public side of this ASA, and I would like the 172.16.17.0/24 addresses of the VPN clients to be able to access these through NAT.

New Member

Re: natting vpn traffic

Are they physically on the other side of the ASA or are you just trying to access the Public names of machines actually located on the internal network?

New Member

Re: natting vpn traffic

I physically have machines on the public side of the ASA, and the VPN users need to be able to send and receive traffic to/from them; I don't want to run a second cable to them for the private network.

Dan

New Member

Re: natting vpn traffic

If your VPN users are connecting to the Public side of the ASA then I still think that hairpinning is what you should look into. It is very similar to my issue in which I want VPN users to access the internet through the VPN. The packets from the VPN users have to come in the Public interface and go directly back out. Hopefully I am understanding this correctly.

New Member

Re: natting vpn traffic

This comment along with:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml

was enough to get me going. Essentially I needed the two commands:

same-security-traffic permit intra-interface

nat (igbpublic) 1 172.16.17.0 255.255.255.0

then it roared to life.  Thanks for the help.

Dan
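For readers following this thread, here is the pre-8.3 NAT configuration it arrives at assembled in one place, beside an 8.3+ object-NAT equivalent (the last reply mentions adapting it to 8.3), plus the checks a practitioner would run afterwards. This is an added example, not configuration posted by anyone in the thread; the object names INSIDE_NET and VPN_POOL, the 8.3+ identity NAT rule and the assumption that igbprivate is the higher-security interface are mine.

```cisco
! ---- Pre-8.3, as the thread ends up (igbprivate = inside, igbpublic = outside) ----
! Let a packet that arrives on igbpublic (decrypted VPN traffic) leave via igbpublic again
same-security-traffic permit intra-interface
global (igbpublic) 1 interface
! No translation between the inside network and the VPN pool (NAT exemption)
nat (igbprivate) 0 access-list 101
! Inside hosts PAT to the igbpublic interface address
nat (igbprivate) 1 0.0.0.0 0.0.0.0
! VPN pool, which enters on igbpublic, also PATs to the igbpublic address on the way out
nat (igbpublic) 1 172.16.17.0 255.255.255.0

! ---- 8.3+ equivalent (assumed names; object NAT replaces global/nat pairs) ----
same-security-traffic permit intra-interface
object network INSIDE_NET
 subnet 172.16.16.0 255.255.255.0
 nat (igbprivate,igbpublic) dynamic interface
object network VPN_POOL
 subnet 172.16.17.0 255.255.255.0
 ! Real and mapped interface are the same: this is the hairpin rule
 nat (igbpublic,igbpublic) dynamic interface
! Identity (twice) NAT replaces "nat 0 access-list 101": inside <-> VPN pool stays untranslated
nat (igbprivate,igbpublic) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL

! ---- Checks after applying ----
! show nat      -> the VPN_POOL rule's translate_hits should increase when a VPN client sends traffic
! show xlate    -> 172.16.17.x clients should appear translated to the igbpublic interface address

! Caveat: with "sysopt connection permit-vpn" (the default) decrypted VPN traffic is not checked
! against the igbpublic interface ACL, so the hairpinned traffic is only limited by a vpn-filter
! in the group-policy ("vpn-filter value <acl-name>") or by turning that sysopt off.
```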

New Member

Re: natting vpn traffic

No Problem, glad I could help.

New Member

Re: natting vpn traffic

I thought you would like to know between your commands and the link you posted I was finally able to wrap my head around what was supposed to happen. Then with a little more fiddling I was able to adapt that to 8.3. Thanks for posting a detailed resolution.
