Cyclops3590 asked:
ASA 5510 - Config NAT on VPN

Here is my situation.  My company recently purchased a division of another company.  We have to maintain a link to the old company so that the purchased division can keep communicating with its Oracle instance and keep operating.  I have been able to move a lot of traffic off the old company's network, so our network now looks like this at the site I am working on.

Internet <--> [Public IP] ASA5510 [10.27.130.2] <--> 2501 Router [10.27.130.3]
                                                              |
Old company <--> 2812 Router [10.27.130.1] <--> LAN [10.27.130.0/24]

The 2501 router is a temporary router that acts as the default gateway for the LAN.  This router just says that for the old company's and Oracle IP ranges, go to the 2812 router; otherwise go to the ASA.

I have remote VPN configured and working on the ASA (I am using the 10.27.230.0/24 range for those clients).  Can ping inside hosts, etc.  Now when I try to ping the Oracle server I am willing to bet that the packet is reaching the server; however, of course on the return trip through the old company's network, they have no clue where the 10.27.230.0/24 network is, or they have one already and are routing it a different way.

What I want to do is, for certain IP ranges (we'll use 172.16.5.0/24 and 192.168.100.0/24 for examples), when the VPN clients want to communicate with those IP ranges, that a PAT is done on the 10.27.230.0/24 VPN client addresses, preferably to the 10.27.130.2 inside interface of the ASA or to another IP on the LAN that the ASA can proxy for.

I obviously have no control over the 2812 router and beyond due to it being owned and operated by the other company.

I don't know if it is possible, but what I was thinking was this:

nat (outside) 5 10.27.230.0 255.255.255.0
global (inside) 5 10.27.130.100

Not sure if that even makes sense, but any help is greatly appreciated.
Cyclops3590 (asker):
Oops, sorry, one thing I forgot to mention was that those commands I was thinking about would of course NAT all traffic from VPN clients (if those commands would even work), and of course I would prefer NATting only when going from 10.27.230.0/24 to specific IP ranges.
ASKER CERTIFIED SOLUTION
stressedout2004

Thanks, will try this out; however, I may not get back to you until Monday. (Taking Thursday and Friday off, so I have to get a ton of other items done before I go.)
One more thing.  I read the other thread and just wanted to rephrase one item to make sure I understood the outside_nat access-list.  With that access-list applied, it is basically saying that traffic coming in the outside interface being examined for nonat should ignore traffic going from VPN clients to the old company (since that traffic needs to be handled by a NAT entry that will be processed later) but do look at everything else (which means do not NAT the traffic).  This is because there would already be static entries or global(outside)/nat(inside) or existing xlate entries to take care of any NAT translations that would need to occur, correct?
stressedout2004:
Yes, pretty much.
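For reference, the outside-NAT arrangement the question and the follow-up above describe, written out as an added example; this is not the accepted solution's text (which is not reproduced on this page) and not taken from the asker's running config. It assumes pre-8.3 ASA nat/global syntax as in the question, the example ranges from the question, a constructed PAT address 10.27.130.100 on the inside subnet, and the ACL names VPN_TO_OLDCO and outside_nat are assumed names.

```cisco
! Policy NAT for remote-access VPN clients (10.27.230.0/24) reaching the old
! company's example ranges. Pre-8.3 syntax; ACL names and .100 are assumed.

! 1. Match only VPN client traffic headed for the old company's ranges.
access-list VPN_TO_OLDCO extended permit ip 10.27.230.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list VPN_TO_OLDCO extended permit ip 10.27.230.0 255.255.255.0 192.168.100.0 255.255.255.0

! 2. NAT exemption is evaluated before policy NAT, so deny the old-company
!    ranges here; the rest of VPN-to-LAN traffic stays untranslated.
access-list outside_nat extended deny ip 10.27.230.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list outside_nat extended deny ip 10.27.230.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_nat extended permit ip 10.27.230.0 255.255.255.0 10.27.130.0 255.255.255.0
nat (outside) 0 access-list outside_nat

! 3. Outside NAT: the trailing "outside" keyword is required because the
!    source interface is lower-security than the interface named in global.
nat (outside) 5 access-list VPN_TO_OLDCO outside

! 4. PAT the matched clients behind one address on the inside subnet. The ASA
!    proxy-ARPs for a global address in its inside subnet, so return traffic
!    from the 2812 router lands on the ASA and is de-translated.
global (inside) 5 10.27.130.100

! 5. The ASA must know the old-company ranges live behind the inside interface,
!    otherwise they would follow the default route out to the Internet.
!    10.27.130.1 is the 2812; 10.27.130.3 (the 2501) would also work per the diagram.
route inside 172.16.5.0 255.255.255.0 10.27.130.1
route inside 192.168.100.0 255.255.255.0 10.27.130.1

! Verify: after a VPN client pings a 172.16.5.0/24 host, the xlate table should
! show 10.27.230.x mapped to 10.27.130.100 (and none for VPN-to-LAN traffic).
show xlate | include 10.27.230
```

Only the two old-company ranges are translated; VPN clients still reach the 10.27.130.0/24 LAN with their real addresses, which is the behaviour the follow-up asks for.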
Thanks.  Also, I'm scheduled to try this change Monday after work so I make sure not to affect day operations.
I apologize for not posting an update.  I got busy with something else and completely forgot to come back to this.

You can add option 2 to the workable list.  I tried it and it worked on the first try with no problems arising.

Thanks much