The IoT market is growing at a rapid pace and manufacturers are under pressure to quickly provide new products. Can you be sure that your devices do what they're supposed to do, while still being secure?
Course Of The Month
Become a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Cisco ASA 5510 Dynamic nat
Posted on 2012-12-28
Good morning everyone,
We currently have a VPN setup with a client. We now need our home users to access their resources as well. Normally I can just add the home users pool (192.168.253.0) to each end of the tunnel, however the client already has a VPN with a 192.168.253.0. So, my idea is to have the 192.168.253.0/24 translated into 10.66.253.0/24 when it tries to hit the client side (192.168.100.0/24).
I'm pretty sure I need to setup a Dynamic nat policy, but I haven't really done this before. Any help would be beneficial! Thanks
We currently have a VPN setup with a client. We now need our home users to access their resources as well. Normally I can just add the home users pool (192.168.253.0) to each end of the tunnel, however the client already has a VPN with a 192.168.253.0. So, my idea is to have the 192.168.253.0/24 translated into 10.66.253.0/24 when it tries to hit the client side (192.168.100.0/24).
I'm pretty sure I need to setup a Dynamic nat policy, but I haven't really done this before. Any help would be beneficial! Thanks
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2-
2
4 Comments
What version of ASA do you have? If you have 8.3 or later you can use twice nat. Example:
http://www.fir3net.com/Cisco-ASA/cisco-asa-twice-nat.html
Depending on the complexity of your ASA and network, it might be easier to just change the VPN client pool.
http://www.fir3net.com/Cisco-ASA/cisco-asa-twice-nat.html
Depending on the complexity of your ASA and network, it might be easier to just change the VPN client pool.
8.2. I could do that for the one client, but our network is pretty complex. I'd have to change about 80+ tunnels to if I change the pool.
Could I do something like..
access-list Exempt permit ip 10.66.253.0 255.255.255.0 192.168.100.0 255.255.255.0
global (inside) 2 10.66.253.0 netmask 255.255.255.0
nat (inside) 2 access-list Exempt
And Of course, add the 10.66.253.0/24 to the tunnels.
Could I do something like..
access-list Exempt permit ip 10.66.253.0 255.255.255.0 192.168.100.0 255.255.255.0
global (inside) 2 10.66.253.0 netmask 255.255.255.0
nat (inside) 2 access-list Exempt
And Of course, add the 10.66.253.0/24 to the tunnels.
I think you would need to reference the outside interface, and the ACL would need to reference the original source and real destination. I might be wrong on the outside interface part. I always thought that for vpn it was considered the security level of inside, but nat rules had to reference the real interfaces that traffic was traversing.
access-list Exempt permit ip 192.168.253.0 255.255.255.0 192.168.100.0 255.255.255.0
global (outside) 2 10.66.253.0 netmask 255.255.255.0
nat (outside) 2 access-list Exempt
This should translate the source 192.168.253.0/24 to 10.66.253.0/24 when destined for 192.168.100.0. You are correct about adding the subnet to the tunnel. You will probably need to add a nonat rule for the return traffic so that 192.168.100.0 --> 10.66.253.0 doesn't get translated again.
access-list Exempt permit ip 192.168.253.0 255.255.255.0 192.168.100.0 255.255.255.0
global (outside) 2 10.66.253.0 netmask 255.255.255.0
nat (outside) 2 access-list Exempt
This should translate the source 192.168.253.0/24 to 10.66.253.0/24 when destined for 192.168.100.0. You are correct about adding the subnet to the tunnel. You will probably need to add a nonat rule for the return traffic so that 192.168.100.0 --> 10.66.253.0 doesn't get translated again.
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Every server (virtual or physical) needs a console: and the console can be provided through hardware directly connected, software for remote connections, local connections, through a KVM, etc.
This document explains the different types of consol…
#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special.
It's completely agentless, but does let you create an agent, if you desire.
It offers powerful scalability …
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month5 days, 13 hours left to enroll
626 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.