Alan Huseyin Kayahan
asked on
PAT to subinterface which is peer for site to site
Hi all
I will move onsite in a few days and I just need the picture/key idea at the moment. Outside interface of the ASA is endpoint for remote access clients. RA clients receive 172.5.x.0 IPs. I created a sub-interface in DMZ with the ip x.x.x.71. I will establish a site-to-site to that subinterface. Question is..
RA clients should be able to reach an IP address at the remote peer of the site-to-site VPN established on the subinterface. But the remote peer does not want to allow 172.5.x.0 at their site. They want to see a real IP. Here is what I thought:
Do a many-to-one NAT (PAT) for the 172.5.x.0 network to the subinterface IP by adding the following on my test firewall. The subinterface has a security level of 3, and outside has 0.
nat (outside) 5 172.5.x.0 255.255.255.0
global (subinterface) 5 interface
And I get
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
Should I type
nat (outside) 5 172.5.x.0 255.255.255.0 outside
Or should I change the security level of outside to 1 and the subinterface to 0? What effects would that cause? Is that it? How should the split tunneling work from now on?
Regards
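The following is an added configuration example, not part of the original question or any answer in this thread. It shows the pre-8.3 ASA "outside NAT" form that the warning is hinting at: real hosts on a lower-security interface (outside, level 0) translated to the address of a higher-security interface (the DMZ subinterface, level 3), so no security-level change is needed. The nameif `subint`, the ACL name `L2L_CRYPTO` and the client source port are assumptions; NAT id 10, ACL 101, 172.5.x.0/24, x.x.x.71 and x.175.x.193 are taken from the thread.

```cisco
! Added example (not from this thread), pre-8.3 nat/global syntax.
! RA clients (172.5.x.0/24) terminate on "outside" (level 0); the L2L
! tunnel to x.175.x.193 terminates on the DMZ subinterface, assumed
! nameif "subint" (level 3, IP x.x.x.71).

! 1. Policy-NAT ACL: translate only RA-client traffic bound for the remote host.
access-list 101 extended permit ip 172.5.x.0 255.255.255.0 host x.175.x.193

! 2. Outside NAT. The real hosts live on "outside", which is a lower security
!    level than the global interface, so the trailing "outside" keyword is
!    mandatory; without it the ASA prints the "Keyword outside is probably
!    missing" warning and binds the statement as an inside NAT.
nat (outside) 10 access-list 101 outside
global (subint) 10 interface

! 3. NAT is applied before the crypto map is matched on egress, so the L2L
!    crypto ACL must describe the translated source (the subinterface address),
!    not 172.5.x.0/24. Bind it to the crypto map with "match address L2L_CRYPTO".
access-list L2L_CRYPTO extended permit ip host x.x.x.71 host x.175.x.193

! 4. Verification: trace a client packet and confirm a translation is built.
!    (source port 1024 is an arbitrary, constructed value)
packet-tracer input outside tcp 172.5.x.5 1024 x.175.x.193 80
show xlate | include x.175.x.193
```

Two practical checks: the remote peer's crypto ACL must mirror step 3 exactly (x.175.x.193 to x.x.x.71), otherwise phase 2 will not come up, and the packet-tracer output should show the NAT phase selecting ID 10 and the egress interface `subint`; if it shows egress on `outside`, routing for x.175.x.193 is winning over the intended subinterface route and the translation is never consulted.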
ASKER
x.175.x.193 is listed in the route details of the VPN client at 172.5.x.88, and when I try to browse it I get the following in syslog.
when I do it as you say, I get
6 Oct 19 2007 20:19:56 302014 172.5.x.88 x.175.x.193 Teardown TCP connection 140221 for outside: 172.5.x.88/1913 to outside: x.175.x.193/80 duration 0:00:00 bytes 0 Flow is a loopback (testbayi)
with
nat (outside) 10 access-list 101
6 Oct 19 2007 19:49:01 109025 172.5.x.88 x.175.x.193 Authorization denied (acl=SCSVPN01_restrict) for user 'testbayi' from 172.5.x.88/1499 to x.175.x.193/80 on interface outside using TCP
ASKER
also tried
nat (inside) 10 access-list 101 outside
global (subinterface) 10 interface
I didn't get the following error when entered as above:
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
but still Authorization denied. In SCSVPN01_restrict, the related traffic is permitted.
ASKER
Hi Les
I used packet-tracer to watch the packet pass through.
Packet from 172.5.x.5 (RA vpn client on outside) to x.175.x.193 (l2l on subint)
The packet does not walk through our NAT statement, neither yours nor mine. This must be the cause of the auth denied, because it tries to go through outside, not the subinterface. The strange thing is, the packet flows through the subint first,
route subint x.175.x.193 255.255.255.255 subintgateway
but then somehow it uses the default outside route instead of walking through our NAT.
What can the cause be?
ASKER
But the VPN clients are on the outside interface,
shouldn't it be
nat (outside) 10 access-list 101
?