Cisco Support Community
New Member

VPN user can't access Site-to-Site IPsec tunnel because of NAT

Hey everyone (IP addresses have been changed to protect the innocent),

we have a site-to-site tunnel setup for a SaaS. The tunnel works by NATing our outgoing IP address to one owned by the SaaS company.

example:

User sits at 192.168.3.200. If they go to the internet, they get NATed with an outbound address of 74.54.8.8. If they need to access the SaaS application at 130.249.37.84, they are given a NATed address of 186.126.124.32.

The problem is happening at the VPN user. A VPN user will log in (192.168.5.10), Split Tunneling is set up correctly so they can access the site, same-security-traffic permit intra-interface has been configured on the ASA, and the Dynamic Policy for NAT has been set up for 192.168.0.0/16 for the 130.249.37.84 network.

When I read the debugging log viewer, I can see that internal clients (192.168.3.200) get:

Built outbound TCP connection 34563 for outside:130.249.37.84/80 (130.249.37.84/80) to inside:192.168.3.200/4500 (186.126.124.32/52287)

When a VPN user logs on and tries to access the site I get:

Built inbound TCP connection 38524 for outside:192.168.5.10/3574 (192.168.5.10/3573) to outside:130.249.37.84/80 (130.249.37.84/80) username

How can I get the VPN user to get the NATed address to access the SaaS?

Thanks!
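The two log lines above already contain the diagnostic: for the internal host the ASA reports the real address 192.168.3.200 with a mapped address of 186.126.124.32, while for the VPN client both the real and the mapped address are 192.168.5.10, i.e. the outside-to-outside flow was built without any translation. The following Python script is an added example (not code from the thread or from Cisco) that parses "Built ... connection" lines of the form quoted in the post and flags SaaS-bound connections whose client side was not translated. The message format, the address values and the 192.168.0.0/16 client range are taken from the post; the third sample line is constructed to show what a correctly translated VPN-client connection would look like, and the interface names and field ordering are assumed from the quoted lines only.

```python
import ipaddress
import re

# Pattern for the body of an ASA "Built ... connection" message as quoted in the
# thread: two endpoints, each written interface:real-ip/port (mapped-ip/port).
# "\s*" after "connection" also accepts the post's second line, where the space
# before the connection id is missing.
CONN_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection\s*(?P<conn_id>\d+) for "
    r"(?P<a_ifc>\w+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) \((?P<a_map_ip>[\d.]+)/(?P<a_map_port>\d+)\) to "
    r"(?P<b_ifc>\w+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) \((?P<b_map_ip>[\d.]+)/(?P<b_map_port>\d+)\)"
)

# Values from the post (addresses were already altered by the original poster).
SAAS_HOST = ipaddress.ip_address("130.249.37.84")
SAAS_NAT_IP = ipaddress.ip_address("186.126.124.32")
CLIENT_NETS = [ipaddress.ip_network("192.168.0.0/16")]  # covers the LAN and the VPN pool

# Sample log bodies: the first two are the lines quoted in the post, the third is
# constructed to show a VPN client whose source was translated as intended.
SAMPLE_LOGS = [
    "Built outbound TCP connection 34563 for outside:130.249.37.84/80 (130.249.37.84/80) "
    "to inside:192.168.3.200/4500 (186.126.124.32/52287)",
    "Built inbound TCP connection38524 for outside:192.168.5.10/3574 (192.168.5.10/3573) "
    "to outside:130.249.37.84/80 (130.249.37.84/80) username",
    "Built outbound TCP connection 40001 for outside:130.249.37.84/80 (130.249.37.84/80) "
    "to outside:192.168.5.10/3600 (186.126.124.32/52300)",
]


def _endpoint(m, prefix):
    """Build one endpoint dict from the named groups a_* or b_*."""
    return {
        "ifc": m.group(prefix + "_ifc"),
        "real_ip": ipaddress.ip_address(m.group(prefix + "_ip")),
        "port": int(m.group(prefix + "_port")),
        "mapped_ip": ipaddress.ip_address(m.group(prefix + "_map_ip")),
        "mapped_port": int(m.group(prefix + "_map_port")),
    }


def parse_connection(line):
    """Return the parsed connection as a dict, or None for any other message."""
    m = CONN_RE.search(line)
    if m is None:
        return None
    return {
        "direction": m.group("direction"),
        "proto": m.group("proto"),
        "conn_id": int(m.group("conn_id")),
        "endpoints": (_endpoint(m, "a"), _endpoint(m, "b")),
    }


def classify_saas_connection(line, client_nets, saas_host, expected_nat_ip):
    """Classify one line against the NAT policy for the SaaS peer.

    Returns 'unparsed', 'not_saas', 'translated', 'untranslated' or
    'unexpected_translation'. The client endpoint is recognised by its real
    address falling inside client_nets, so the check does not depend on which
    endpoint the ASA lists first.
    """
    conn = parse_connection(line)
    if conn is None:
        return "unparsed"
    eps = conn["endpoints"]
    if not any(e["real_ip"] == saas_host for e in eps):
        return "not_saas"
    clients = [e for e in eps if any(e["real_ip"] in n for n in client_nets)]
    if not clients:
        return "not_saas"
    client = clients[0]
    if client["mapped_ip"] == expected_nat_ip:
        return "translated"
    if client["mapped_ip"] == client["real_ip"]:
        return "untranslated"  # same address before and after: no NAT rule matched
    return "unexpected_translation"


def audit(lines, client_nets, saas_host, expected_nat_ip):
    """Summarise every line as (connection id, 'ifcA->ifcB', verdict)."""
    report = []
    for line in lines:
        conn = parse_connection(line)
        verdict = classify_saas_connection(line, client_nets, saas_host, expected_nat_ip)
        if conn is None:
            report.append((None, None, verdict))
        else:
            a, b = conn["endpoints"]
            report.append((conn["conn_id"], f"{a['ifc']}->{b['ifc']}", verdict))
    return report


if __name__ == "__main__":
    for conn_id, path, verdict in audit(SAMPLE_LOGS, CLIENT_NETS, SAAS_HOST, SAAS_NAT_IP):
        print(f"conn {conn_id} {path}: {verdict}")
```

Run against the quoted lines the script reports the inside host's connection as translated and the VPN client's outside-to-outside connection as untranslated, which is exactly the symptom to look for when checking whether a NAT rule is being matched for the VPN pool.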

2 REPLIES
New Member

Re: VPN user can't access Site-to-Site IPsec tunnel because of N

Can you upload the config?

New Member

Re: VPN user can't access Site-to-Site IPsec tunnel because of N

Here ya go. A lot of this is taken care of in ASDM, so prepare for a mess. All IP addresses have been changed to match the ones in the thread.

thanks!
