  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 523

Cisco ASA 5510 Dynamic nat

Good morning everyone,

We currently have a VPN set up with a client. We now need our home users to access their resources as well. Normally I can just add the home users' pool (192.168.253.0) to each end of the tunnel, however the client already has a VPN with a 192.168.253.0. So, my idea is to have the 192.168.253.0/24 translated into 10.66.253.0/24 when it tries to hit the client side (192.168.100.0/24).

I'm pretty sure I need to set up a dynamic NAT policy, but I haven't really done this before. Any help would be beneficial! Thanks
1 Solution
 
rauenpc commented:
What version of ASA do you have? If you have 8.3 or later you can use twice nat. Example:
http://www.fir3net.com/Cisco-ASA/cisco-asa-twice-nat.html

Depending on the complexity of your ASA and network, it might be easier to just change the VPN client pool.
 
prlit (Author) commented:
8.2. I could do that for the one client, but our network is pretty complex. I'd have to change about 80+ tunnels too if I change the pool.

Could I do something like:

access-list Exempt permit ip 10.66.253.0 255.255.255.0 192.168.100.0 255.255.255.0
global (inside) 2 10.66.253.0 netmask 255.255.255.0
nat (inside) 2 access-list Exempt

And of course, add the 10.66.253.0/24 to the tunnels.
 
rauenpc commented:
I think you would need to reference the outside interface, and the ACL would need to reference the original source and real destination. I might be wrong on the outside interface part. I always thought that for vpn it was considered the security level of inside, but nat rules had to reference the real interfaces that traffic was traversing.

access-list Exempt permit ip 192.168.253.0 255.255.255.0 192.168.100.0 255.255.255.0
global (outside) 2 10.66.253.0 netmask 255.255.255.0
nat (outside) 2 access-list Exempt

This should translate the source 192.168.253.0/24 to 10.66.253.0/24 when destined for 192.168.100.0. You are correct about adding the subnet to the tunnel. You will probably need to add a nonat rule for the return traffic so that 192.168.100.0 --> 10.66.253.0 doesn't get translated again.
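The rule precedence the answer above relies on (nat 0 exemption first, then policy NAT, then regular dynamic NAT) worked through as an added Python model; this is not code from the thread, the 203.0.113.1 PAT address and the NoNat ACL name are constructed, and the host-offset mapping is a simplification of how dynamic NAT really hands out pool addresses.

```python
import ipaddress
import re

# Constructed ASA 8.2-style fragment: the policy NAT rule from the answer, a regular
# dynamic PAT rule standing in for NAT the box already has, and the nat 0 exemption.
CONFIG = """
access-list Exempt permit ip 192.168.253.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NoNat permit ip 192.168.100.0 255.255.255.0 10.66.253.0 255.255.255.0
global (outside) 1 203.0.113.1 netmask 255.255.255.255
global (outside) 2 10.66.253.0 netmask 255.255.255.0
nat (outside) 1 0.0.0.0 0.0.0.0
nat (outside) 2 access-list Exempt
nat (outside) 0 access-list NoNat
"""
ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"global \((\S+)\) (\d+) (\S+) netmask (\S+)")
POLICY_RE = re.compile(r"nat \((\S+)\) (\d+) access-list (\S+)")
REGULAR_RE = re.compile(r"nat \((\S+)\) (\d+) (\S+) (\S+)")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse(config):
    """Pools keyed by (interface, id), and nat rules in ASA evaluation order:
    rank 0 = nat 0 exemption, 1 = policy NAT (config order), 2 = regular NAT."""
    acls, pools, nats = {}, {}, []
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((net(s, sm), net(d, dm)))
        elif m := GLOBAL_RE.match(line):
            pools[(m[1], int(m[2]))] = net(m[3], m[4])
        elif m := POLICY_RE.match(line):
            nats.append((0 if m[2] == "0" else 1, m[1], int(m[2]), acls.get(m[3], [])))
        elif m := REGULAR_RE.match(line):
            nats.append((2, m[1], int(m[2]), [(net(m[3], m[4]), net("0.0.0.0", "0"))]))
    return pools, sorted(nats, key=lambda n: n[0])

def translate(src, dst, config=CONFIG):
    """Source address a new connection src -> dst carries after NAT."""
    pools, nats = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rank, iface, nat_id, entries in nats:
        for src_net, dst_net in entries:
            if src in src_net and dst in dst_net:
                if rank == 0:
                    return str(src)  # exempt: keeps its real address
                pool = pools[(iface, nat_id)]
                # Simplification: keep the host offset; PAT to a /32 collapses to it.
                offset = int(src) - int(src_net.network_address)
                return str(pool[offset % pool.num_addresses])
    return str(src)  # nothing matched: untranslated (assumes nat-control off)
```

Dropping the nat 0 line from CONFIG shows the problem the answer warns about: a connection the client opens toward 10.66.253.x falls through to the catch-all rule and leaves with the PAT address instead.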
 
prlit (Author) commented:
Thanks! I had it right with my commands, but your outside part I didn't have right. Thanks for your help.