Cyclops3590
asked on
ASA 5510 - Config NAT on VPN
Here is my situation. My company recently purchased a division of another company. We have to maintain a link to the old company so that the purchased division can keep communicating with their Oracle instance and keep operating. I have been able to move a lot of traffic off the old company's network, so our network now looks like this at the site I am working on:
Internet <--> [Public IP] ASA5510[10.27.130.2] <--> 2501Router
                                                    [10.27.130.3]
                                                         ^
                                                         |
Old company <--> 2812 Router[10.27.130.1] <--> LAN [10.27.130.0/24]
The 2501 router is a temporary router that acts as the default gateway for the LAN. This router just says that for the IP ranges of the old company and Oracle, go to the 2812 router; otherwise go to the ASA.
I have remote VPN configured and working on the ASA (I am using the 10.27.230.0/24 range for those clients). They can ping inside hosts, etc. Now when I try to ping the Oracle server, I am willing to bet that the packet is reaching the server; however, of course, on the return trip through the old company's network, they have no clue where the 10.27.230.0/24 network is, or they already have one and are routing it a different way.
What I want to do is, for certain IP ranges (we'll use 172.16.5.0/24 and 192.168.100.0/24 as examples), when the VPN clients want to communicate with those IP ranges, have a PAT done on the 10.27.230.0/24 VPN client to, preferably, the 10.27.130.2 inside interface of the ASA, or to another IP on the LAN that the ASA can proxy for.
I obviously have no control over the 2812 router and beyond due to it being owned and operated by the other company.
I don't know if it is possible, but what I was thinking was this:
nat (outside) 5 10.27.230.0 255.255.255.0
global (inside) 5 10.27.130.100
Not sure if that even makes sense, but any help is greatly appreciated.
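One way to express the idea above in the ASA's pre-8.3 NAT syntax, as an added example that is not from the thread or its accepted answer: the policy access-list translates VPN-client traffic only when it is bound for the old company's ranges, and a NAT-exemption list with deny entries keeps everything else untranslated. The access-list names, the 10.27.130.100 proxy address and the routes toward the 2812 router are assumptions; 172.16.5.0/24 and 192.168.100.0/24 are the placeholder ranges from the question.

```cisco
! Added example (ASA 8.2-style syntax, assumed), not the thread's own config.
! Routes so the ASA forwards the old company's ranges to the 2812 router
! (assumed next hop; adjust if the 2501 already relays them).
route inside 172.16.5.0 255.255.255.0 10.27.130.1 1
route inside 192.168.100.0 255.255.255.0 10.27.130.1 1

! Policy list: only VPN-client flows headed for the old company are translated
access-list vpn_to_oldco extended permit ip 10.27.230.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list vpn_to_oldco extended permit ip 10.27.230.0 255.255.255.0 192.168.100.0 255.255.255.0

! Outside NAT: the real addresses sit on the lower-security outside interface,
! so the trailing "outside" keyword is required. NAT id 5 pairs with the global below.
nat (outside) 5 access-list vpn_to_oldco outside
! PAT to a spare LAN address (the proxy address proposed in the question);
! "global (inside) 5 interface" would use the inside interface IP 10.27.130.2 instead.
global (inside) 5 10.27.130.100

! NAT exemption for everything else: VPN clients keep their 10.27.230.x address
! toward the LAN. The deny lines carve out the old-company ranges, because
! exemption is evaluated before policy NAT and would otherwise win.
access-list outside_nonat extended deny ip 10.27.230.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list outside_nonat extended deny ip 10.27.230.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_nonat extended permit ip 10.27.230.0 255.255.255.0 10.27.130.0 255.255.255.0
nat (outside) 0 access-list outside_nonat
```

After a VPN client talks to a host in 172.16.5.0/24, `show xlate` should list its 10.27.230.x address mapped to 10.27.130.100; if the old company's side still sees 10.27.230.x, the exemption list matched first and its deny entries need checking.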
ASKER CERTIFIED SOLUTION
ASKER
Thanks, will try this out; however, I may not get back to you until Monday. (Taking Thursday and Friday off, so I have to get a ton of other items done before I go.)
ASKER
One more thing. I read the other thread and just wanted to rephrase one item to make sure I understood the outside_nat access-list. With that access-list applied, it is basically saying that traffic coming in the outside interface being examined for nonat should ignore traffic going from VPN clients to the old company (since that traffic needs to be handled by a NAT entry that will be processed later) but do look at everything else (which means do not NAT the traffic). This is because there would already be static entries, global (outside)/nat (inside) entries, or existing xlate entries to take care of any NAT translations that would need to occur, correct?
Yes, pretty much.
ASKER
Thanks. Also, I'm scheduled to try this change Monday after work, so I make sure not to affect day operations.
ASKER
I apologize for not posting an update. I got busy with something else and completely forgot to come back to this.
You can add option 2 to the workable list. I tried it and it worked on the first try with no problems arising.
Thanks much