Solved

Cisco ASA 5510 Dynamic nat

Posted on 2012-12-28
4
520 Views
Last Modified: 2012-12-28
Good morning everyone,

We currently have a VPN setup with a client. We now need our home users to access their resources as well. Normally I can just add the home users pool (192.168.253.0) to each end of the tunnel, however the client already has a VPN with a 192.168.253.0. So, my idea is to have the 192.168.253.0/24 translated into 10.66.253.0/24 when it tries to hit the client side (192.168.100.0/24).

I'm pretty sure I need to setup a Dynamic nat policy, but I haven't really done this before. Any help would be beneficial! Thanks
0
Comment
Question by:prlit
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38727346
What version of ASA do you have? If you have 8.3 or later you can use twice nat. Example:
http://www.fir3net.com/Cisco-ASA/cisco-asa-twice-nat.html

Depending on the complexity of your ASA and network, it might be easier to just change the VPN client pool.
0
 
LVL 1

Author Comment

by:prlit
ID: 38727386
8.2. I could do that for the one client, but our network is pretty complex. I'd have to change about 80+ tunnels to if I change the pool.

Could I do something like..

access-list Exempt permit ip 10.66.253.0 255.255.255.0 192.168.100.0 255.255.255.0
global (inside) 2 10.66.253.0 netmask 255.255.255.0
nat (inside) 2 access-list Exempt

And Of course, add the 10.66.253.0/24 to the tunnels.
0
 
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
ID: 38727565
I think you would need to reference the outside interface, and the ACL would need to reference the original source and real destination. I might be wrong on the outside interface part. I always thought that for vpn it was considered the security level of inside, but nat rules had to reference the real interfaces that traffic was traversing.

access-list Exempt permit ip 192.168.253.0 255.255.255.0 192.168.100.0 255.255.255.0
global (outside) 2 10.66.253.0 netmask 255.255.255.0
nat (outside) 2 access-list Exempt

This should translate the source 192.168.253.0/24 to 10.66.253.0/24 when destined for 192.168.100.0. You are correct about adding the subnet to the tunnel. You will probably need to add a nonat rule for the return traffic so that 192.168.100.0 --> 10.66.253.0 doesn't get translated again.
0
 
LVL 1

Author Closing Comment

by:prlit
ID: 38728286
Thanks! I had it right with my commands, but your outside part I didn't have right. Thanks for your help.
0

Featured Post

IoT Devices - Fast, Cheap or Secure…Pick Two

The IoT market is growing at a rapid pace and manufacturers are under pressure to quickly provide new products. Can you be sure that your devices do what they're supposed to do, while still being secure?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Every server (virtual or physical) needs a console: and the console can be provided through hardware directly connected, software for remote connections, local connections, through a KVM, etc. This document explains the different types of consol…
#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question