WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!
Solved
Cisco ASA 5510 Dynamic nat
Posted on 2012-12-28
Good morning everyone,
We currently have a VPN setup with a client. We now need our home users to access their resources as well. Normally I can just add the home users pool (192.168.253.0) to each end of the tunnel, however the client already has a VPN with a 192.168.253.0. So, my idea is to have the 192.168.253.0/24 translated into 10.66.253.0/24 when it tries to hit the client side (192.168.100.0/24).
I'm pretty sure I need to setup a Dynamic nat policy, but I haven't really done this before. Any help would be beneficial! Thanks
We currently have a VPN setup with a client. We now need our home users to access their resources as well. Normally I can just add the home users pool (192.168.253.0) to each end of the tunnel, however the client already has a VPN with a 192.168.253.0. So, my idea is to have the 192.168.253.0/24 translated into 10.66.253.0/24 when it tries to hit the client side (192.168.100.0/24).
I'm pretty sure I need to setup a Dynamic nat policy, but I haven't really done this before. Any help would be beneficial! Thanks
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2-
2
4 Comments
What version of ASA do you have? If you have 8.3 or later you can use twice nat. Example:
http://www.fir3net.com/Cisco-ASA/cisco-asa-twice-nat.html
Depending on the complexity of your ASA and network, it might be easier to just change the VPN client pool.
http://www.fir3net.com/Cisco-ASA/cisco-asa-twice-nat.html
Depending on the complexity of your ASA and network, it might be easier to just change the VPN client pool.
8.2. I could do that for the one client, but our network is pretty complex. I'd have to change about 80+ tunnels to if I change the pool.
Could I do something like..
access-list Exempt permit ip 10.66.253.0 255.255.255.0 192.168.100.0 255.255.255.0
global (inside) 2 10.66.253.0 netmask 255.255.255.0
nat (inside) 2 access-list Exempt
And Of course, add the 10.66.253.0/24 to the tunnels.
Could I do something like..
access-list Exempt permit ip 10.66.253.0 255.255.255.0 192.168.100.0 255.255.255.0
global (inside) 2 10.66.253.0 netmask 255.255.255.0
nat (inside) 2 access-list Exempt
And Of course, add the 10.66.253.0/24 to the tunnels.
I think you would need to reference the outside interface, and the ACL would need to reference the original source and real destination. I might be wrong on the outside interface part. I always thought that for vpn it was considered the security level of inside, but nat rules had to reference the real interfaces that traffic was traversing.
access-list Exempt permit ip 192.168.253.0 255.255.255.0 192.168.100.0 255.255.255.0
global (outside) 2 10.66.253.0 netmask 255.255.255.0
nat (outside) 2 access-list Exempt
This should translate the source 192.168.253.0/24 to 10.66.253.0/24 when destined for 192.168.100.0. You are correct about adding the subnet to the tunnel. You will probably need to add a nonat rule for the return traffic so that 192.168.100.0 --> 10.66.253.0 doesn't get translated again.
access-list Exempt permit ip 192.168.253.0 255.255.255.0 192.168.100.0 255.255.255.0
global (outside) 2 10.66.253.0 netmask 255.255.255.0
nat (outside) 2 access-list Exempt
This should translate the source 192.168.253.0/24 to 10.66.253.0/24 when destined for 192.168.100.0. You are correct about adding the subnet to the tunnel. You will probably need to add a nonat rule for the return traffic so that 192.168.100.0 --> 10.66.253.0 doesn't get translated again.
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
#Citrix #Netscaler #MSSQL #Load Balance
This article will show how Aten was able to supply easy management and control for Artear's video walls and wide range display configurations of their newsroom.
- Networking Hardware-Other
- MultiMedia Applications
- Switches / Hubs
- Displays / Monitors
- ATEN Technology
- Hardware, Network Architecture, *Kernel-based Virtual Machine (KVM)
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Suggested Courses
Course of the Month4 days, 21 hours left to enroll
670 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.