ASA 5510 - Config NAT on VPN

Here is my situation.  My company recently purchased a division of another company.  We have to maintain a link to the old company so that the purchased division can keep communicating with its Oracle instance and keep operating.  I have been able to move a lot of traffic off the old company's network, and so our network now looks like this at the site I am working on.

Internet <--> [Public IP] ASA5510 [10.27.130.2] <--> 2501 Router [10.27.130.3]
                                                            ^
                                                            |
Old company <--> 2812 Router [10.27.130.1] <--> LAN [10.27.130.0/24]

The 2501 router is a temporary router that acts as the default gateway for the LAN.  This router just says that traffic for the IP ranges of the old company and Oracle goes to the 2812 router, otherwise it goes to the ASA.

I have remote VPN configured and working on the ASA (I am using the 10.27.230.0/24 range for those clients).  I can ping inside hosts, etc.  Now when I try to ping the Oracle server I am willing to bet that the packet is reaching the server; however, of course on the return trip through the old company's network, they have no clue where the 10.27.230.0/24 network is, or they already have one and are routing it a different way.

What I want to do is, for certain IP ranges (we'll use 172.16.5.0/24 and 192.168.100.0/24 as examples), when the VPN clients want to communicate with those IP ranges, a PAT is done on the 10.27.230.0/24 VPN client addresses, preferably to the 10.27.130.2 inside interface of the ASA or to another IP on the LAN that the ASA can proxy for.

I obviously have no control over the 2812 router and beyond due to it being owned and operated by the other company.

I don't know if it is possible, but what I was thinking was this

nat (outside) 5 10.27.230.0 255.255.255.0
global (inside) 5 10.27.130.100

not sure if that even makes sense, but any help is greatly appreciated.
Cyclops3590Asked:
Cyclops3590Author Commented:
Oops, sorry, one thing I forgot to mention was that those commands I was thinking about would of course NAT all traffic from VPN clients (if those commands would even work), and of course I would prefer NATting only when going from 10.27.230.0/24 to specific IP ranges.
0
stressedout2004Commented:
This is similar to what we have done on the following thread:

http://www.experts-exchange.com/Security/Firewalls/Q_21819590.html

I have basically tested config #1 below using PIX version 7.x; since ASA and PIX pretty much have the same code, with some enhancements for the ASA code, it should work just fine.

On config #1, the VPN users which are assigned an IP from the 10.27.230.0/24 subnet will be translated to 10.27.130.100 whenever they communicate with the internal network, which includes the actual LAN and that of the old company.

On config #2, which I have not tested, the VPN users will be PATted to 10.27.130.100 only if they communicate with the old company (1.1.1.0/24).

Hope it helps

#############################################################################
Variables used:

1.1.1.0/24 represents the old company
2.2.2.0/24 represents the LAN
10.27.130.100 is the PAT ip address used to translate VPN users on the inside

1) Outside NAT only (Tested to be working):


ip local pool vpn_pool 10.27.230.1-10.27.230.254

access-list inside_outbound_nat0_acl permit ip 1.1.1.0 255.255.255.0 10.27.230.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 2.2.2.0 255.255.255.0 10.27.230.0 255.255.255.0

access-list outside_nat deny ip 10.27.230.0 255.255.255.0 any
access-list outside_nat permit ip any any

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (outside) 0 access-list outside_nat OUTSIDE


nat (outside) 2 10.27.230.0 255.255.255.0 OUTSIDE
global (inside) 2 10.27.130.100


2) Combining outside NAT and policy NAT (Not Tested):

ip local pool vpn_pool 10.27.230.1-10.27.230.254

access-list inside_outbound_nat0_acl permit ip 1.1.1.0 255.255.255.0 10.27.230.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 2.2.2.0 255.255.255.0 10.27.230.0 255.255.255.0

access-list outside_nat deny ip 10.27.230.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list outside_nat permit ip any any

access-list policy_nat permit ip 10.27.230.0 255.255.255.0 1.1.1.0 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (outside) 0 access-list outside_nat OUTSIDE

nat (outside) 2 access-list policy_nat OUTSIDE
global (inside) 2 10.27.130.100
0

Cyclops3590Author Commented:
Thanks will try this out; however I may not get back to you until Monday. (Taking thurs and fri off so I have to get a ton of other items done before i go)
0

Cyclops3590Author Commented:
One more thing.  I read the other thread and just wanted to rephrase one item to make sure I understood the outside_nat access-list.  With that access-list applied, it is basically saying that traffic coming in the outside interface being examined for nonat should ignore traffic going from VPN clients to the old company (since that traffic needs to be handled by a NAT entry that will be processed later) but do look at everything else (which means do not NAT the traffic).  This is because there would already be static entries or global(outside)/nat(inside) or existing xlate entries to take care of any NAT translations that would need to occur, correct?
0
stressedout2004Commented:
Yes, pretty much.
0
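The order of evaluation that the two posts above rely on (NAT exemption via `nat (outside) 0 access-list` first, then the `nat (outside) 2` rule paired with `global (inside) 2`) is easy to get backwards, so here is an added example, not code from the thread, that models it in Python. It parses the access-list lines from config #1 and config #2 exactly as posted, applies first-match ACL semantics, and reports what source address a packet keeps after entering the outside interface. The network-form `nat (outside) 2 10.27.230.0 255.255.255.0` of config #1 is expressed as an equivalent ACE (`vpn_all`) so both configs run through the same code; the helper names, the `vpn_all` name and the sample flows are this example's own assumptions.

```python
"""Model of ASA/PIX 7.x outside-NAT evaluation for the configs posted in this thread.

Added example, not part of the original thread.  Order of operations for a packet
arriving on 'outside': nat 0 access-list (exemption) -> nat N access-list / nat N
network (PAT to the global) -> untranslated if nat-control is off (ASA default).
"""
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    action: str        # "permit" or "deny"
    src: IPv4Net
    dst: IPv4Net


def _take_net(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D', or 'A.B.C.D M.M.M.M'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a dotted netmask after the slash, e.g. 10.27.230.0/255.255.255.0
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acls(config):
    """Collect 'access-list NAME permit|deny ip SRC DST' lines into ordered ACE lists."""
    acls = {}
    for line in config.strip().splitlines():
        p = line.split()
        if not p or p[0] != "access-list":
            continue
        name, action = p[1], p[2]
        src, rest = _take_net(p[4:])   # p[3] is the protocol keyword ('ip')
        dst, _ = _take_net(rest)
        acls.setdefault(name, []).append(Ace(action, src, dst))
    return acls


def first_match(aces, src, dst):
    """First-match ACL semantics: action of the first ACE covering src and dst, else None."""
    for ace in aces:
        if src in ace.src and dst in ace.dst:
            return ace.action
    return None


def outside_nat(acls, exempt_acl, nat_acl, global_ip, src, dst):
    """Return (source address after translation, rule that decided it)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. nat (outside) 0 access-list: a permit exempts the flow from translation.
    #    A deny only means "not exempt by this ACL"; evaluation continues to step 2.
    if first_match(acls[exempt_acl], s, d) == "permit":
        return src, "nat0-exempt"
    # 2. nat (outside) 2 ... outside  +  global (inside) 2 <ip>: permit -> PAT to the global.
    if first_match(acls[nat_acl], s, d) == "permit":
        return global_ip, "pat"
    # 3. No rule matched: with nat-control disabled the packet passes untranslated.
    return src, "untranslated"


# Thread's config #1 (outside NAT only).  'vpn_all' is this example's ACE equivalent of
# the posted network-form rule 'nat (outside) 2 10.27.230.0 255.255.255.0 outside'.
CONFIG_1 = """
access-list outside_nat deny ip 10.27.230.0 255.255.255.0 any
access-list outside_nat permit ip any any
access-list vpn_all permit ip 10.27.230.0 255.255.255.0 any
"""

# Thread's config #2 (outside NAT + policy NAT), access-lists verbatim.
CONFIG_2 = """
access-list outside_nat deny ip 10.27.230.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list outside_nat permit ip any any
access-list policy_nat permit ip 10.27.230.0 255.255.255.0 1.1.1.0 255.255.255.0
"""

PAT_IP = "10.27.130.100"   # global (inside) 2 10.27.130.100


def config1(src, dst):
    return outside_nat(parse_acls(CONFIG_1), "outside_nat", "vpn_all", PAT_IP, src, dst)


def config2(src, dst):
    return outside_nat(parse_acls(CONFIG_2), "outside_nat", "policy_nat", PAT_IP, src, dst)


if __name__ == "__main__":
    # Constructed sample flows: 1.1.1.0/24 = old company, 2.2.2.0/24 = LAN (thread's placeholders)
    flows = [("10.27.230.10", "1.1.1.5"),    # VPN client -> old company (Oracle)
             ("10.27.230.10", "2.2.2.5"),    # VPN client -> local LAN
             ("203.0.113.7", "2.2.2.5")]     # internet host -> LAN (handled by statics upstream)
    for src, dst in flows:
        print(f"{src:>13} -> {dst:<9} config1={config1(src, dst)}  config2={config2(src, dst)}")
```

Running it shows the difference the answer describes: under config #1 a VPN client is PATted to 10.27.130.100 whether it talks to the old company or to the local LAN, while under config #2 only the 10.27.230.0/24 to 1.1.1.0/24 flow is translated and everything else falls through the `permit ip any any` exemption untranslated. One operational caveat worth noting with either config: once the clients are hidden behind a single PAT address, the old company's Oracle logs can no longer tell individual VPN users apart, so the ASA's own VPN session and xlate logging becomes the only record of who did what.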
Cyclops3590Author Commented:
Thanks.  Also, I'm scheduled to try this change Monday after work so I make sure not to affect day operations.
0
Cyclops3590Author Commented:
I apologize for not posting an update.  I got busy with something else and completely forgot to come back to this.

You can add option 2 to the workable list.  I tried it and it worked on the first try with no problems arising.

Thanks much
0