Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Cisco ASA NAT question.

Posted on 2016-10-26
9
Medium Priority
?
44 Views
Last Modified: 2016-10-26
I have a ASA that connects to a 1800 to my internal networks. I originally only had a 192.168.100.0 network but recently added a 192.168.101.0 network to the second interface of the 1800. Everything works great internally and both networks route no problem but however when my users use the VPN client to connect from the outside they can only get to the 192.168.100.0 network. I am assuming that this is only a nat'ing issue but i don't know how to resolve it.

When my clients connect to to the VPN via cisco vpn client they get nated to a 10.255.255.XXX address. This appears in my NAT rule as the first rule and looks like this:
      
Source Intf       Dest intf      source                            Destination               service       Source           Destination   Service     Options
1 inside           outside       obj-192.168.100.0        NewVPNPool              any           original--(S)    original           original    no proxy

im needing them to get to both 192.168.100.0 and 192.168.101.0 and I am assuming I can either create a group that contains both network objects in it and put that group in the source object  

-or-

add another nat rule listing the 192.168.101.0 network separately..


recommendations? suggestions please. Thanks in advance for any help and insight you can give.
0
Comment
Question by:Brian E.
  • 5
  • 4
9 Comments
 
LVL 17

Expert Comment

by:max_the_king
ID: 41860159
Hi,
assuming that you have 2 different subnets 192.168.100.0/24 and 192.168.101.0/24, you need to create a nat exempt for this new subnet; you need to create an access-list as well

max
0
 
LVL 17

Expert Comment

by:max_the_king
ID: 41860163
something like this:

nat (inside,outside) source static obj-192.168.101.0  obj-192.168.101.0 destination static obj-10.255.255.XXX obj-10.255.255.XXX

if you have a splittunnel access-list for 192.168.100.0
you will want to have it for new subnet as well

max
0
 

Author Comment

by:Brian E.
ID: 41860171
will it allow me to place 2 objects in the source?
0
Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

 
LVL 17

Accepted Solution

by:
max_the_king earned 2000 total points
ID: 41860194
yes,
you will have 2 separate instructions. Each of them is stating that 192.168.100.0 and 192.168.101.0 respectively, are showing their real address (not NATTED) when talking to 10.255.255.xxx

nat (inside,outside) source static obj-192.168.100.0  obj-192.168.100.0 destination static obj-10.255.255.XXX obj-10.255.255.XXX

nat (inside,outside) source static obj-192.168.101.0  obj-192.168.101.0 destination static obj-10.255.255.XXX obj-10.255.255.XXX

max
1
 

Author Comment

by:Brian E.
ID: 41860197
yeah under the access-list there is
access-list SplitTunnel standard permit 192.168.100.0 255.255.255.0

so your saying I also need this for the 192.168.101.0 /24 net as well?
0
 

Author Comment

by:Brian E.
ID: 41860200
There is also a NO_NAT access list for 192.168.100.0 is that also maybe needed for the 101 net?
0
 
LVL 17

Assisted Solution

by:max_the_king
max_the_king earned 2000 total points
ID: 41860204
yes,
do the same for 101, by adding another entry on the same access-list

max
0
 

Author Comment

by:Brian E.
ID: 41860208
Thank you that worked! I really appreciated the help.
0
 

Author Closing Comment

by:Brian E.
ID: 41860239
Max was awesome. I really appreciated his help
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question