Solved

Cisco ASA NAT question.

Posted on 2016-10-26
Last Modified: 2016-10-26
I have an ASA that connects to a 1800 to my internal networks. I originally only had a 192.168.100.0 network but recently added a 192.168.101.0 network to the second interface of the 1800. Everything works great internally and both networks route no problem; however, when my users use the VPN client to connect from the outside they can only get to the 192.168.100.0 network. I am assuming that this is only a NAT'ing issue but I don't know how to resolve it.

When my clients connect to the VPN via the Cisco VPN client they get NATed to a 10.255.255.XXX address. This appears in my NAT rule as the first rule and looks like this:

                  Original Packet                                               Translated Packet
   Source Intf  Dest Intf  Source             Destination  Service    Source          Destination  Service   Options
1  inside       outside    obj-192.168.100.0  NewVPNPool   any        original--(S)   original     original  no proxy

I'm needing them to get to both 192.168.100.0 and 192.168.101.0, and I am assuming I can either create a group that contains both network objects in it and put that group in the source object

-or-

add another nat rule listing the 192.168.101.0 network separately..


Recommendations? Suggestions please. Thanks in advance for any help and insight you can give.

Question by: Brian E.

9 Comments
 
LVL 16

Expert Comment

by:max_the_king
ID: 41860159
Hi,
assuming that you have 2 different subnets 192.168.100.0/24 and 192.168.101.0/24, you need to create a NAT exempt for this new subnet; you need to create an access-list as well

max
0
 
LVL 16

Expert Comment

by:max_the_king
ID: 41860163
something like this:

nat (inside,outside) source static obj-192.168.101.0  obj-192.168.101.0 destination static obj-10.255.255.XXX obj-10.255.255.XXX

if you have a split-tunnel access-list for 192.168.100.0
you will want to have it for the new subnet as well

max
0
 

Author Comment

by:Brian E.
ID: 41860171
will it allow me to place 2 objects in the source?
0

 
LVL 16

Accepted Solution

by:
max_the_king earned 500 total points
ID: 41860194
yes,
you will have 2 separate instructions. Each of them states that 192.168.100.0 and 192.168.101.0, respectively, show their real address (not NATted) when talking to 10.255.255.xxx

nat (inside,outside) source static obj-192.168.100.0  obj-192.168.100.0 destination static obj-10.255.255.XXX obj-10.255.255.XXX

nat (inside,outside) source static obj-192.168.101.0  obj-192.168.101.0 destination static obj-10.255.255.XXX obj-10.255.255.XXX

max
1
 

Author Comment

by:Brian E.
ID: 41860197
yeah under the access-list there is
access-list SplitTunnel standard permit 192.168.100.0 255.255.255.0

So you're saying I also need this for the 192.168.101.0/24 net as well?
0
 

Author Comment

by:Brian E.
ID: 41860200
There is also a NO_NAT access list for 192.168.100.0 is that also maybe needed for the 101 net?
0
 
LVL 16

Assisted Solution

by:max_the_king
max_the_king earned 500 total points
ID: 41860204
yes,
do the same for 101, by adding another entry on the same access-list

max
0
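The accepted and assisted solutions above boil down to two checks per internal subnet: an identity (exempt) NAT toward the VPN pool and a matching split-tunnel ACL entry. The following script is an added example, not from the thread or from Cisco; it parses a small constructed ASA config fragment (object names and the NewVPNPool / SplitTunnel names are assumed) and reports which internal network objects are missing either piece, which is exactly the gap the 192.168.101.0 network had.

```python
import re

# Constructed sample ASA config fragment (not from the thread): the 101 subnet has
# an object but no identity NAT to the VPN pool and no split-tunnel ACL entry.
SAMPLE_CONFIG = """\
object network obj-192.168.100.0
 subnet 192.168.100.0 255.255.255.0
object network obj-192.168.101.0
 subnet 192.168.101.0 255.255.255.0
object network NewVPNPool
 subnet 10.255.255.0 255.255.255.0
access-list SplitTunnel standard permit 192.168.100.0 255.255.255.0
nat (inside,outside) source static obj-192.168.100.0 obj-192.168.100.0 destination static NewVPNPool NewVPNPool
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^ subnet (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)$")

def audit_vpn_reachability(cfg, internal_objs, pool_obj, acl_name):
    """Return {object: [missing items]} for each internal network object that lacks
    an identity NAT toward the VPN pool or a matching split-tunnel ACL entry."""
    subnets, exempt, acl_nets, cur = {}, set(), set(), None
    for line in cfg.splitlines():
        if m := OBJ_RE.match(line):
            cur = m.group(1)
        elif (m := SUBNET_RE.match(line)) and cur:
            subnets[cur] = f"{m.group(1)} {m.group(2)}"
        elif (m := ACL_RE.match(line)) and m.group(1) == acl_name:
            acl_nets.add(f"{m.group(2)} {m.group(3)}")
        elif m := NAT_RE.match(line):
            real, mapped, dreal, dmapped = m.groups()
            # NAT exemption: real == mapped on both the source and destination side
            if real == mapped and dreal == dmapped == pool_obj:
                exempt.add(real)
    findings = {}
    for obj in internal_objs:
        missing = []
        if obj not in exempt:
            missing.append(f"identity NAT to {pool_obj}")
        if subnets.get(obj) not in acl_nets:
            missing.append(f"{acl_name} permit for {subnets.get(obj, obj)}")
        if missing:
            findings[obj] = missing
    return findings

if __name__ == "__main__":
    print(audit_vpn_reachability(SAMPLE_CONFIG, ["obj-192.168.100.0", "obj-192.168.101.0"], "NewVPNPool", "SplitTunnel"))
```

Run it against the output of `show running-config` after pasting the two nat statements and the extra SplitTunnel line; an empty result means every listed subnet is both exempted and pushed to the VPN client.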
 

Author Comment

by:Brian E.
ID: 41860208
Thank you that worked! I really appreciated the help.
0
 

Author Closing Comment

by:Brian E.
ID: 41860239
Max was awesome. I really appreciated his help
0
