Solved

Cisco ASA 5510 Dynamic nat

Posted on 2012-12-28
521 Views
Last Modified: 2012-12-28
Good morning everyone,

We currently have a VPN setup with a client. We now need our home users to access their resources as well. Normally I can just add the home users pool (192.168.253.0) to each end of the tunnel, however the client already has a VPN with a 192.168.253.0. So, my idea is to have the 192.168.253.0/24 translated into 10.66.253.0/24 when it tries to hit the client side (192.168.100.0/24).

I'm pretty sure I need to setup a Dynamic nat policy, but I haven't really done this before. Any help would be beneficial! Thanks
Question by:prlit
4 Comments
LVL 20

Expert Comment

by:rauenpc
ID: 38727346
What version of ASA do you have? If you have 8.3 or later you can use twice nat. Example:
http://www.fir3net.com/Cisco-ASA/cisco-asa-twice-nat.html

Depending on the complexity of your ASA and network, it might be easier to just change the VPN client pool.
LVL 1

Author Comment

by:prlit
ID: 38727386
8.2. I could do that for the one client, but our network is pretty complex. I'd have to change about 80+ tunnels too if I change the pool.

Could I do something like...

access-list Exempt permit ip 10.66.253.0 255.255.255.0 192.168.100.0 255.255.255.0
global (inside) 2 10.66.253.0 netmask 255.255.255.0
nat (inside) 2 access-list Exempt

And of course, add the 10.66.253.0/24 to the tunnels.
LVL 20

Accepted Solution

by:
rauenpc earned 2000 total points
ID: 38727565
I think you would need to reference the outside interface, and the ACL would need to reference the original source and real destination. I might be wrong on the outside interface part. I always thought that for vpn it was considered the security level of inside, but nat rules had to reference the real interfaces that traffic was traversing.

access-list Exempt permit ip 192.168.253.0 255.255.255.0 192.168.100.0 255.255.255.0
global (outside) 2 10.66.253.0 netmask 255.255.255.0
nat (outside) 2 access-list Exempt

This should translate the source 192.168.253.0/24 to 10.66.253.0/24 when destined for 192.168.100.0. You are correct about adding the subnet to the tunnel. You will probably need to add a nonat rule for the return traffic so that 192.168.100.0 --> 10.66.253.0 doesn't get translated again.
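The accepted answer rests on two points about pre-8.3 ASA NAT: the policy ACL must match the real (pre-translation) source, and a NAT exemption (nat 0 access-list) is evaluated before policy NAT, so a nonat rule can protect the return path. The following is an added example, not Cisco code and not from anyone in this thread: a small Python model that parses the three lines from the answer plus an assumed NONAT pair for the return traffic, and walks sample packets through exemption, then policy NAT. It also loads the asker's first attempt (ACL keyed on the mapped 10.66.253.0/24 source) to show why that ACL never fires. The pool allocation order, the evaluation order and all packet addresses are constructed for the illustration.

```python
"""Simplified model of Cisco ASA 8.2 NAT rule evaluation (added example).

Not Cisco's implementation: a teaching model of the ordering the accepted
answer relies on: NAT exemption (nat 0 access-list) is checked first, then
policy NAT (nat <id> access-list) whose mapped addresses come from the
matching "global" pool. Only "permit ip SRC MASK DST MASK" ACL lines are modelled.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PolicyNat:
    nat_id: int
    acl: str
    pool: list                                   # free mapped addresses, in order
    xlates: dict = field(default_factory=dict)   # real source -> mapped source


class Asa82Nat:
    def __init__(self):
        self.acls = {}        # acl name -> list of (src_net, dst_net)
        self.exempt = []      # acl names bound with "nat (...) 0 access-list"
        self.policies = {}    # nat id -> PolicyNat
        self.globals = {}     # nat id -> list of pool addresses from "global"

    def load(self, config):
        for raw in config.strip().splitlines():
            p = raw.split()
            if not p:
                continue
            if p[0] == "access-list":
                # access-list NAME permit ip SRC SRCMASK DST DSTMASK
                if len(p) != 8 or p[2:4] != ["permit", "ip"]:
                    raise ValueError(f"unsupported ACL syntax: {raw!r}")
                src = ipaddress.IPv4Network(f"{p[4]}/{p[5]}")
                dst = ipaddress.IPv4Network(f"{p[6]}/{p[7]}")
                self.acls.setdefault(p[1], []).append((src, dst))
            elif p[0] == "global":
                # global (IFACE) ID ADDR netmask MASK -> mapped pool for that id
                if len(p) != 6 or p[4] != "netmask":
                    raise ValueError(f"unsupported global syntax: {raw!r}")
                net = ipaddress.IPv4Network(f"{p[3]}/{p[5]}")
                self.globals[int(p[2])] = [str(h) for h in net.hosts()]
            elif p[0] == "nat":
                # nat (IFACE) ID access-list NAME ; id 0 = exemption, else policy NAT
                if len(p) != 5 or p[3] != "access-list":
                    raise ValueError(f"unsupported nat syntax: {raw!r}")
                nat_id = int(p[2])
                if nat_id == 0:
                    self.exempt.append(p[4])
                else:
                    self.policies[nat_id] = PolicyNat(nat_id, p[4], [])
            else:
                raise ValueError(f"unsupported line: {raw!r}")
        # bind each policy to its global pool once every line has been read
        for nat_id, pol in self.policies.items():
            pol.pool = list(self.globals.get(nat_id, []))

    def _matches(self, acl, src, dst):
        return any(src in s and dst in d for s, d in self.acls.get(acl, []))

    def translate(self, src, dst):
        """Return (mapped_source, reason) for a packet with real src/dst."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        # 1. NAT exemption wins over everything else
        for acl in self.exempt:
            if self._matches(acl, s, d):
                return src, f"exempt by nat 0 access-list {acl}"
        # 2. policy NAT, lowest id first (an ordering assumption of this model)
        for nat_id in sorted(self.policies):
            pol = self.policies[nat_id]
            if self._matches(pol.acl, s, d):
                if src not in pol.xlates:          # reuse an existing xlate
                    if not pol.pool:
                        raise RuntimeError(f"global pool for nat {nat_id} exhausted")
                    pol.xlates[src] = pol.pool.pop(0)
                return pol.xlates[src], f"policy nat {nat_id} via {pol.acl}"
        # 3. nothing matched: source leaves untouched
        return src, "no nat rule matched"


# Accepted-answer lines plus an ASSUMED NONAT pair for the return path (not from the thread)
ANSWER_CONFIG = """
access-list Exempt permit ip 192.168.253.0 255.255.255.0 192.168.100.0 255.255.255.0
global (outside) 2 10.66.253.0 netmask 255.255.255.0
nat (outside) 2 access-list Exempt
access-list NONAT permit ip 192.168.100.0 255.255.255.0 10.66.253.0 255.255.255.0
nat (outside) 0 access-list NONAT
"""

# The asker's first attempt: ACL keyed on the MAPPED source, so no real packet matches it
FIRST_ATTEMPT_CONFIG = """
access-list Exempt permit ip 10.66.253.0 255.255.255.0 192.168.100.0 255.255.255.0
global (inside) 2 10.66.253.0 netmask 255.255.255.0
nat (inside) 2 access-list Exempt
"""


def walk(config):
    """Run constructed sample packets through a config and collect the outcomes."""
    asa = Asa82Nat()
    asa.load(config)
    return {
        "client_to_partner": asa.translate("192.168.253.10", "192.168.100.5"),
        "same_client_again": asa.translate("192.168.253.10", "192.168.100.7"),
        "partner_return":    asa.translate("192.168.100.5", "10.66.253.1"),
        "client_elsewhere":  asa.translate("192.168.253.10", "10.10.10.5"),
    }


if __name__ == "__main__":
    for name, cfg in (("answer", ANSWER_CONFIG), ("first attempt", FIRST_ATTEMPT_CONFIG)):
        print(f"== {name} ==")
        for flow, (mapped, why) in walk(cfg).items():
            print(f"{flow:18} -> source {mapped:15} ({why})")
```

With the answer's config, the client packet to 192.168.100.0/24 leaves as 10.66.253.1, a second packet from the same client reuses that mapping, the partner's reply to 10.66.253.1 is exempted rather than translated again, and client traffic to any other destination is left alone. With the first-attempt config the same client packet is never translated, which is the point the answer makes about referencing the original source in the ACL.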
LVL 1

Author Closing Comment

by:prlit
ID: 38728286
Thanks! I had it right with my commands, but your outside part I didn't have right. Thanks for your help.