Thomas Jacoberger
asked on
VPN Tunnel with Policy NAT
I have a Cisco ASA 5505 configured with four VLANs.
VLAN4 - 10.0.0.0/24
I also have a Policy NAT in place that masks all outgoing traffic from VLAN4 across a specific VPN tunnel to 10.10.42.0/24.
The VPN tunnel is up and I can ping the remote host, but they cannot get a response from me.
They need to be able to ping the 10.10.42.0/24 network, which exists only to disguise 10.0.0.0/24.
Is this possible, considering the subnet they are trying to ping doesn't actually exist?
How do you send traffic back across a tunnel when a policy NAT is used?
Here is some of my config:
interface Vlan4
nameif XXXX
security-level 50
ip address 10.0.0.1 255.255.255.0
access-list inside_nat2_outbound extended permit ip 10.0.0.0 255.255.255.0 host X.X.X.X
access-list inside_nat2_outbound extended permit ip 10.10.42.0 255.255.255.0 host X.X.X.X
access-list VPN_SITE3 extended permit ip 10.0.0.0 255.255.255.0 host X.XX.X
access-list VPN_SITE3 extended permit ip 10.10.42.0 255.255.255.0 host X.X.X.X
access-list inside_nat10_outbound extended permit ip any any
global (outside) 2 10.10.42.0
global (outside) 10 interface
nat (AS400) 2 access-list inside_nat2_outbound
nat (AS400) 10 access-list inside_nat10_outbound
ASKER CERTIFIED SOLUTION
ASKER
Worked like a charm. Thanks.