PAT to subinterface which is peer for site to site
Posted on 2007-10-17
I will move onsite in a few days and I just need the picture/key idea at the moment. The outside interface of the ASA is the endpoint for remote access clients. RA clients receive 172.5.x.0 IPs. I created a sub-interface in the DMZ with the IP x.x.x.71. I will establish a site-to-site VPN to that subinterface. The question is...
RA clients should be able to reach an IP address at the remote peer of the site-to-site VPN established on the subinterface. But the remote peer does not want to allow 172.5.x.0 at their site. They want to see a real IP. Here is what I thought:
Do a many-to-one NAT (PAT) for the 172.5.x.0 network to the subinterface IP by adding the following on my test firewall. The subinterface has a security level of 3, and outside has 0.
nat (outside) 5 172.5.x.0 255.255.255.0
global (subinterface) 5 interface
And I get:
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
Should I type:
nat (outside) 5 172.5.x.0 255.255.255.0 outside
Or should I change the security level of outside to 1 and the subinterface to 0? What effects would that cause? Is that it? How should split tunneling work from now on?
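As an added example (not part of the original post, and not a verified answer to it), here is what the outside-NAT design described above looks like in pre-8.3 ASA syntax, written out end to end so the three pieces that have to agree are visible in one place: the nat/global pair, the site-to-site crypto ACL, and the RA split-tunnel list. Everything concrete is assumed: the subinterface is named dmz-vpn at 203.0.113.71, the RA pool is 172.5.1.0/24, the remote peer is 198.51.100.5, the host the clients need to reach is 10.20.30.40, and the transform-set and access-list names are placeholders.

```cisco
! --- Interfaces (assumed names/addresses; security levels as in the post) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif dmz-vpn
 security-level 3
 ip address 203.0.113.71 255.255.255.0
!
! --- Outside NAT: the real interface (outside) has a LOWER security level than the
! mapped interface (dmz-vpn), so the trailing "outside" keyword is required.
! Decrypted RA-client traffic arriving on outside is PATed to the dmz-vpn interface
! address before it leaves toward the site-to-site peer.
nat (outside) 5 172.5.1.0 255.255.255.0 outside
global (dmz-vpn) 5 interface
!
! --- Site-to-site tunnel terminated on the subinterface ---
! The ASA applies NAT before it matches the crypto map on the egress interface, so the
! crypto ACL must name the TRANSLATED source (203.0.113.71), not the 172.5.1.0/24 pool.
! The remote peer's mirror ACL then only ever sees the "real" IP it asked for.
access-list L2L-TRAFFIC extended permit ip host 203.0.113.71 host 10.20.30.40
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map DMZ-MAP 10 match address L2L-TRAFFIC
crypto map DMZ-MAP 10 set peer 198.51.100.5
crypto map DMZ-MAP 10 set transform-set ESP-AES-SHA
crypto map DMZ-MAP interface dmz-vpn
crypto isakmp enable dmz-vpn
!
tunnel-group 198.51.100.5 type ipsec-l2l
tunnel-group 198.51.100.5 ipsec-attributes
 pre-shared-key <redacted-assumed-psk>
!
! --- RA clients: split tunneling must list the remote host, otherwise clients send
! traffic for 10.20.30.40 straight to the Internet instead of into the RA tunnel.
access-list RA-SPLIT standard permit host 10.20.30.40
!
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA-SPLIT
```

Two checks worth running once this is in place: `show xlate` after a client pings 10.20.30.40 should show a 172.5.1.x to 203.0.113.71 PAT entry, and `show crypto ipsec sa` on dmz-vpn should show encaps/decaps counters for the 203.0.113.71 to 10.20.30.40 pair. If the xlate appears but the SA never forms, the mismatch is almost always between the post-NAT address in L2L-TRAFFIC and what the remote side's crypto ACL expects.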