Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

VPN NAT to Remote site issue

Hey everyone,

I am experencing an issue where some of the devices at a remote site have a different default gateway other then the firewall (at the remote site). This prevents pings from the local network to those remote site devices. Does anyone have any suggestions for changes to the remote firewall that could resolve this issue?

thanks                      

Everyone's tags (3)
5 REPLIES
VIP Purple

Re: VPN NAT to Remote site issue

The changes don't have to be done on the VPN-firewall. There are two simple ways (and one better but more complex way) to solve that:

1) On the DG of the remote site, add a dedicated route to your local network pointing to the LAN-address of the remote firewall.
2) Add static routes on the end-devices that have a default-gateway that is not the ASA.

3) Connect your users to a L3-switch. There you have transfer-links to the original DG and the firewall. Now the L3-switch hanldes all routing (dedicated route to the VPN-gateway and default-route to the the actual gateway.

And for completeness (but worst way to do that) also a configuration that is done on the firewall:
NAT the traffic that leaves the VPN to a local LAN address on the remote site. With that the remote PCs see all VPN traffic as local and don't use the DG.


Sent from Cisco Technical Support iPad App

New Member

VPN NAT to Remote site issue

Thanks for the reply

one last question, when you say to "NAT the traffic that leaves the VPN to a local LAN address on the remote site" would that be on the remote firewall or the local firewall?

VIP Purple

VPN NAT to Remote site issue

That had to be done on the remote firewall. But before thinking about that try the other solutions!

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

VPN NAT to Remote site issue

I dont think I could do the others, but I will try.

If I end up having to NAT the traffic on the remote site does anyone have an example of the configuration?

VIP Purple

VPN NAT to Remote site issue

The needed configuration would be highly dependent on your ASA-version, the config you are running and what exactly you want to achieve. Perhaps it's best to open a new thread for that if you can't fix it by other solutions.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

186
Views
0
Helpful
5
Replies
CreatePlease to create content