VPN user can't access Site-to-Site IPsec tunnel because of NAT
Hey everyone (IP addresses have been changed to protect the innocent),
we have a site-to-site tunnel setup for a SaaS. The tunnel works by NATing our outgoing IP address to one owned by the SaaS company.
User sits at 192.168.3.200. If they go to the internet, they get NATed with an outbound address of 22.214.171.124. If they need to access the SaaS application at 126.96.36.199, they are given a NATed address of 188.8.131.52.
The problem is happening at the VPN user. A VPN user will log in (192.168.5.10), Split Tunneling is set up correctly so they can access the site, same-security-traffic permit intra-interface has been configured on the ASA, and the Dynamic Policy NAT has been set up for 192.168.0.0/16 for the 184.108.40.206 network.
When I read the debugging log viewer, I can see that internal clients (192.168.3.200) get:
Built outbound TCP connection 34563 for outside:220.127.116.11/80 (18.104.22.168/80) to inside:192.168.3.200/4500 (22.214.171.124/52287)
When a VPN user logs on and tries to access the site I get:
Built inbound TCP connection38524 for outside:192.168.5.10/3574 (192.168.5.10/3573) to outside:126.96.36.199/80 (188.8.131.52/80) username
How can I get the VPN user to get the NATed address to access the SaaS?
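One way to give the VPN pool the same translated source on the hairpin path, as an added example that is not from the original post: it assumes ASA 8.3 or later manual (twice) NAT syntax, the object names are assumed, and the addresses are the ones quoted in the post.

```cisco
! Assumed object names; addresses taken from the post
object network VPN_POOL
 subnet 192.168.5.0 255.255.255.0
object network SAAS_SERVER
 host 126.96.36.199
object network SAAS_NAT_IP
 host 188.8.131.52
!
! Required so traffic can enter and leave the same (outside) interface;
! the post says this is already configured
same-security-traffic permit intra-interface
!
! Hairpin rule: VPN-pool sources are translated to the SaaS-assigned address
! only when the destination is the SaaS host; the destination is left unchanged
nat (outside,outside) source dynamic VPN_POOL SAAS_NAT_IP destination static SAAS_SERVER SAAS_SERVER
```

Because a VPN user's packet arrives on and departs from the outside interface, a rule written for (inside,outside) never matches it, which is what the log shows when 192.168.5.10 is left untranslated. The crypto ACL for the tunnel should then match 188.8.131.52 to 126.96.36.199, the same pair the internal clients already use.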