Solved

Cisco ASA NAT question.

Posted on 2016-10-26
9
39 Views
Last Modified: 2016-10-26
I have a ASA that connects to a 1800 to my internal networks. I originally only had a 192.168.100.0 network but recently added a 192.168.101.0 network to the second interface of the 1800. Everything works great internally and both networks route no problem but however when my users use the VPN client to connect from the outside they can only get to the 192.168.100.0 network. I am assuming that this is only a nat'ing issue but i don't know how to resolve it.

When my clients connect to to the VPN via cisco vpn client they get nated to a 10.255.255.XXX address. This appears in my NAT rule as the first rule and looks like this:
      
Source Intf       Dest intf      source                            Destination               service       Source           Destination   Service     Options
1 inside           outside       obj-192.168.100.0        NewVPNPool              any           original--(S)    original           original    no proxy

im needing them to get to both 192.168.100.0 and 192.168.101.0 and I am assuming I can either create a group that contains both network objects in it and put that group in the source object  

-or-

add another nat rule listing the 192.168.101.0 network separately..


recommendations? suggestions please. Thanks in advance for any help and insight you can give.
0
Comment
Question by:Brian E.
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 16

Expert Comment

by:max_the_king
ID: 41860159
Hi,
assuming that you have 2 different subnets 192.168.100.0/24 and 192.168.101.0/24, you need to create a nat exempt for this new subnet; you need to create an access-list as well

max
0
 
LVL 16

Expert Comment

by:max_the_king
ID: 41860163
something like this:

nat (inside,outside) source static obj-192.168.101.0  obj-192.168.101.0 destination static obj-10.255.255.XXX obj-10.255.255.XXX

if you have a splittunnel access-list for 192.168.100.0
you will want to have it for new subnet as well

max
0
 

Author Comment

by:Brian E.
ID: 41860171
will it allow me to place 2 objects in the source?
0
Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

 
LVL 16

Accepted Solution

by:
max_the_king earned 500 total points
ID: 41860194
yes,
you will have 2 separate instructions. Each of them is stating that 192.168.100.0 and 192.168.101.0 respectively, are showing their real address (not NATTED) when talking to 10.255.255.xxx

nat (inside,outside) source static obj-192.168.100.0  obj-192.168.100.0 destination static obj-10.255.255.XXX obj-10.255.255.XXX

nat (inside,outside) source static obj-192.168.101.0  obj-192.168.101.0 destination static obj-10.255.255.XXX obj-10.255.255.XXX

max
1
 

Author Comment

by:Brian E.
ID: 41860197
yeah under the access-list there is
access-list SplitTunnel standard permit 192.168.100.0 255.255.255.0

so your saying I also need this for the 192.168.101.0 /24 net as well?
0
 

Author Comment

by:Brian E.
ID: 41860200
There is also a NO_NAT access list for 192.168.100.0 is that also maybe needed for the 101 net?
0
 
LVL 16

Assisted Solution

by:max_the_king
max_the_king earned 500 total points
ID: 41860204
yes,
do the same for 101, by adding another entry on the same access-list

max
0
 

Author Comment

by:Brian E.
ID: 41860208
Thank you that worked! I really appreciated the help.
0
 

Author Closing Comment

by:Brian E.
ID: 41860239
Max was awesome. I really appreciated his help
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses
Course of the Month6 days, 5 hours left to enroll

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question