• Status: Solved
  • Priority: Medium

PAT to subinterface which is peer for site to site

 Hi all
      I will move onsite in a few days, and at the moment I just need the picture/key idea. The outside interface of the ASA is the endpoint for remote access clients. RA clients receive 172.5.x.0 IPs. I created a sub-interface in the DMZ with the IP x.x.x.71. I will establish a site-to-site to that subinterface. The question is:
     RA clients should be able to reach an IP address at the remote peer of the site-to-site VPN established on the subinterface. But the remote peer does not want to allow 172.5.x.0 at their site; they want to see a real IP. Here is what I thought:
    Do a many-to-one NAT (PAT) for the 172.5.x.0 network to the subinterface IP by adding the following on my test firewall. The subinterface has a security level of 3, and outside has 0.

    nat (outside) 5 172.5.x.0 255.255.255.0
    global (subinterface) 5 interface

   And I get

WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.

    Should I type
    nat (outside) 5 172.5.x.0 255.255.255.0 outside

   Or should I change the security level of outside to 1 and the subinterface to 0? What effects would that cause? Is that it? How should split tunneling work from now on?

Regards
Asked by: Alan Huseyin Kayahan
1 Solution
lrmoore commented:
Boy, this is a tough one...
I would try it with conditional nat. Something like this:

access-list 101 permit ip 172.5.x.0 255.255.255.0 <remote LAN> <remote mask>
nat (inside) 10 access-list 101
global (subinterface) 10 interface

Your VPN tunnel match acl would include the interface ip to remote LAN
access-list VPN_L2L permit ip host <interface ip> <remote LAN> <remote mask>

Your split-tunnel standard acl would include your local inside subnet, the dmz subnet and the remote lan subnet
 
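The pieces lrmoore lists (policy NAT ACL, nat/global pair, L2L crypto ACL, split-tunnel list) collected into one configuration fragment, as an added example that is not from the thread. All addresses, interface names and policy names are placeholders: inside 10.1.1.0/24, DMZ subinterface 10.2.2.0/24 with the ASA at 10.2.2.71, RA pool 172.5.1.0/24, remote LAN 192.0.2.0/24, L2L peer 203.0.113.1, subinterface nameif dmz-vpn. The nat line is bound to outside with the trailing "outside" keyword (outside NAT, source on the lower-security interface), which is the form the author asks about; lrmoore's reply binds it to inside. ISAKMP policy and the tunnel-group pre-shared key are left out.

```cisco
! Added example, not from the original thread. All addresses and names are placeholders.

! 1. Policy NAT: only RA-client traffic bound for the remote LAN is PATed to the
!    subinterface address. RA clients terminate on outside, so the nat statement is
!    bound to outside and carries the "outside" keyword (outside NAT); the global
!    pool is the subinterface's own address.
access-list 101 extended permit ip 172.5.1.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (outside) 10 access-list 101 outside
global (dmz-vpn) 10 interface

! 2. Route the remote LAN out of the subinterface so the egress lookup chooses
!    dmz-vpn and not the default route on outside (the loopback teardown in the
!    thread is what a route back out of outside looks like).
route dmz-vpn 192.0.2.0 255.255.255.0 10.2.2.1

! 3. L2L crypto ACL: interesting traffic is the translated address (the
!    subinterface IP) to the remote LAN, never 172.5.1.0/24.
access-list VPN_L2L extended permit ip host 10.2.2.71 192.0.2.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map L2L_MAP 10 match address VPN_L2L
crypto map L2L_MAP 10 set peer 203.0.113.1
crypto map L2L_MAP 10 set transform-set ESP-AES-SHA
crypto map L2L_MAP interface dmz-vpn

! 4. Split-tunnel list for the RA clients: inside subnet, DMZ subnet, remote LAN.
access-list SPLIT standard permit 10.1.1.0 255.255.255.0
access-list SPLIT standard permit 10.2.2.0 255.255.255.0
access-list SPLIT standard permit 192.0.2.0 255.255.255.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT

! Check: trace one RA-client packet. The ROUTE-LOOKUP phase should pick dmz-vpn,
! the NAT phase should show 172.5.1.5 translated to 10.2.2.71, and the VPN phase
! should encrypt on dmz-vpn. Then confirm the xlate exists.
packet-tracer input outside tcp 172.5.1.5 1025 192.0.2.10 80
show xlate
```

The packet-tracer line is the check that matters here: the thread's later comments show the author's trace never hitting the NAT statement, so whichever interface the nat line ends up bound to, the trace has to show the route to the subinterface first and the xlate second before the crypto ACL can match.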
Alan Huseyin Kayahan (Author) commented:
nat (inside) 10 access-list 101

but the VPN clients are on the outside interface,
shouldn't it be
nat (outside) 10 access-list 101
?

Alan Huseyin Kayahan (Author) commented:
x.175.x.193 is listed in the route details of the VPN client at 172.5.x.88, and when I try to browse it I get the following in syslog.

When I do it as you say, I get

6  Oct 19 2007  20:19:56  302014  172.5.x.88  x.175.x.193  Teardown TCP connection 140221 for outside: 172.5.x.88/1913 to outside: x.175.x.193/80 duration 0:00:00 bytes 0 Flow is a loopback (testbayi)

With

nat (outside) 10 access-list 101

I get

6  Oct 19 2007  19:49:01  109025  172.5.x.88  x.175.x.193  Authorization denied (acl=SCSVPN01_restrict) for user 'testbayi' from 172.5.x.88/1499 to x.175.x.193/80 on interface outside using TCP




Alan Huseyin Kayahan (Author) commented:
I also tried

nat (inside) 10 access-list 101 outside
global (subinterface) 10 interface

I didn't get the following warnings when I entered it as above:
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.

but still Authorization denied. In SCSVPN01_restrict, the related traffic is permitted.

Alan Huseyin Kayahan (Author) commented:
 Hi Les
      I used packet-tracer to watch the packet pass through:
      a packet from 172.5.x.5 (RA VPN client on outside) to x.175.x.193 (L2L on the subinterface).
      The packet does not walk through our NAT statement, neither yours nor mine. This must be the cause of the authorization denied, because it tries to go through outside, not the subinterface. The strange thing is, the packet flows through the subinterface first,
route subint x.175.x.193 255.255.255.255 subintgateway

but then somehow it uses the default outside route instead of walking through our NAT.

What can the cause be?