Solved

Cisco ASA NAT question.

Posted on 2016-10-26
9
37 Views
Last Modified: 2016-10-26
I have a ASA that connects to a 1800 to my internal networks. I originally only had a 192.168.100.0 network but recently added a 192.168.101.0 network to the second interface of the 1800. Everything works great internally and both networks route no problem but however when my users use the VPN client to connect from the outside they can only get to the 192.168.100.0 network. I am assuming that this is only a nat'ing issue but i don't know how to resolve it.

When my clients connect to to the VPN via cisco vpn client they get nated to a 10.255.255.XXX address. This appears in my NAT rule as the first rule and looks like this:
      
Source Intf       Dest intf      source                            Destination               service       Source           Destination   Service     Options
1 inside           outside       obj-192.168.100.0        NewVPNPool              any           original--(S)    original           original    no proxy

im needing them to get to both 192.168.100.0 and 192.168.101.0 and I am assuming I can either create a group that contains both network objects in it and put that group in the source object  

-or-

add another nat rule listing the 192.168.101.0 network separately..


recommendations? suggestions please. Thanks in advance for any help and insight you can give.
0
Comment
Question by:Brian E.
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 16

Expert Comment

by:max_the_king
ID: 41860159
Hi,
assuming that you have 2 different subnets 192.168.100.0/24 and 192.168.101.0/24, you need to create a nat exempt for this new subnet; you need to create an access-list as well

max
0
 
LVL 16

Expert Comment

by:max_the_king
ID: 41860163
something like this:

nat (inside,outside) source static obj-192.168.101.0  obj-192.168.101.0 destination static obj-10.255.255.XXX obj-10.255.255.XXX

if you have a splittunnel access-list for 192.168.100.0
you will want to have it for new subnet as well

max
0
 

Author Comment

by:Brian E.
ID: 41860171
will it allow me to place 2 objects in the source?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 16

Accepted Solution

by:
max_the_king earned 500 total points
ID: 41860194
yes,
you will have 2 separate instructions. Each of them is stating that 192.168.100.0 and 192.168.101.0 respectively, are showing their real address (not NATTED) when talking to 10.255.255.xxx

nat (inside,outside) source static obj-192.168.100.0  obj-192.168.100.0 destination static obj-10.255.255.XXX obj-10.255.255.XXX

nat (inside,outside) source static obj-192.168.101.0  obj-192.168.101.0 destination static obj-10.255.255.XXX obj-10.255.255.XXX

max
1
 

Author Comment

by:Brian E.
ID: 41860197
yeah under the access-list there is
access-list SplitTunnel standard permit 192.168.100.0 255.255.255.0

so your saying I also need this for the 192.168.101.0 /24 net as well?
0
 

Author Comment

by:Brian E.
ID: 41860200
There is also a NO_NAT access list for 192.168.100.0 is that also maybe needed for the 101 net?
0
 
LVL 16

Assisted Solution

by:max_the_king
max_the_king earned 500 total points
ID: 41860204
yes,
do the same for 101, by adding another entry on the same access-list

max
0
 

Author Comment

by:Brian E.
ID: 41860208
Thank you that worked! I really appreciated the help.
0
 

Author Closing Comment

by:Brian E.
ID: 41860239
Max was awesome. I really appreciated his help
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
replacing 2811 to ISR 4331 2 42
ASA 5506X create a simple DMZ 4 43
vpn to Azure 2 22
Password recovery 2950 is Deleting configuration Why 8 36
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

761 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question