Solved

Cisco ASA NAT question.

Posted on 2016-10-26
Last Modified: 2016-10-26
I have an ASA that connects to an 1800 to my internal networks. I originally only had a 192.168.100.0 network but recently added a 192.168.101.0 network to the second interface of the 1800. Everything works great internally and both networks route with no problem, but when my users use the VPN client to connect from the outside they can only get to the 192.168.100.0 network. I am assuming that this is only a NAT'ing issue but I don't know how to resolve it.

When my clients connect to the VPN via the Cisco VPN client they get NATed to a 10.255.255.XXX address. This appears in my NAT rule as the first rule and looks like this:
      
                                        Original                                    Translated
   Source Intf   Dest Intf   Source              Destination   Service     Source         Destination   Service    Options
1  inside        outside     obj-192.168.100.0   NewVPNPool    any         original (S)   original      original   no proxy

I'm needing them to get to both 192.168.100.0 and 192.168.101.0, and I am assuming I can either create a group that contains both network objects in it and put that group in the source object

-or-

add another NAT rule listing the 192.168.101.0 network separately.


Recommendations? Suggestions please. Thanks in advance for any help and insight you can give.
Question by:Brian E.
9 Comments
 
LVL 16

Expert Comment

by:max_the_king
ID: 41860159
Hi,
Assuming that you have 2 different subnets, 192.168.100.0/24 and 192.168.101.0/24, you need to create a NAT exempt for this new subnet; you need to create an access-list as well.

max
0
 
LVL 16

Expert Comment

by:max_the_king
ID: 41860163
Something like this:

nat (inside,outside) source static obj-192.168.101.0  obj-192.168.101.0 destination static obj-10.255.255.XXX obj-10.255.255.XXX

If you have a split-tunnel access-list for 192.168.100.0,
you will want to have it for the new subnet as well.

max
0
 

Author Comment

by:Brian E.
ID: 41860171
Will it allow me to place 2 objects in the source?
0
 
LVL 16

Accepted Solution

by:max_the_king
max_the_king earned 500 total points
ID: 41860194
Yes,
you will have 2 separate instructions. Each of them states that 192.168.100.0 and 192.168.101.0, respectively, show their real address (not NATed) when talking to 10.255.255.xxx.

nat (inside,outside) source static obj-192.168.100.0  obj-192.168.100.0 destination static obj-10.255.255.XXX obj-10.255.255.XXX

nat (inside,outside) source static obj-192.168.101.0  obj-192.168.101.0 destination static obj-10.255.255.XXX obj-10.255.255.XXX

max
1
 

Author Comment

by:Brian E.
ID: 41860197
Yeah, under the access-list there is
access-list SplitTunnel standard permit 192.168.100.0 255.255.255.0

so you're saying I also need this for the 192.168.101.0/24 net as well?
0
 

Author Comment

by:Brian E.
ID: 41860200
There is also a NO_NAT access-list for 192.168.100.0; is that also maybe needed for the 101 net?
0
 
LVL 16

Assisted Solution

by:max_the_king
max_the_king earned 500 total points
ID: 41860204
Yes,
do the same for 101 by adding another entry on the same access-list.

max
0
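The two fixes max gives in the accepted and assisted solutions (an identity NAT rule per inside subnet toward the VPN pool, plus a matching split-tunnel ACL entry) are a pattern that has to be repeated for every inside subnet. The script below is an added example written for this page, not code from the thread or from Cisco: it generates those CLI lines for a list of inside subnets and audits an existing config for subnets that are missing either piece, which is exactly the gap the questioner hit. It assumes the ASA 8.3+ twice-NAT syntax from the accepted answer, the object name NewVPNPool and ACL name SplitTunnel from the question (the accepted answer writes the pool object as obj-10.255.255.XXX; the name only has to match whatever object covers the pool), and the no-proxy-arp / route-lookup options, which are my addition mirroring the "no proxy" option in the questioner's NAT table. The "before" config is constructed.

```python
"""Added example (not from the thread): generate and audit per-subnet
ASA NAT exemption and split-tunnel entries for a VPN pool."""
import ipaddress
import re

# Constructed to mirror the question: two inside subnets, the VPN pool object
# named in the questioner's NAT table, and the split-tunnel ACL name he quoted.
INSIDE_SUBNETS = ["192.168.100.0/24", "192.168.101.0/24"]
VPN_POOL_OBJECT = "NewVPNPool"
SPLIT_TUNNEL_ACL = "SplitTunnel"

# Constructed "before" config: only the original subnet is exempted and split-tunnelled.
BEFORE_CONFIG = """\
object network obj-192.168.100.0
 subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static obj-192.168.100.0 obj-192.168.100.0 destination static NewVPNPool NewVPNPool no-proxy-arp
access-list SplitTunnel standard permit 192.168.100.0 255.255.255.0
"""

NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)")


def obj_name(subnet):
    """Object naming convention used in the thread: obj-<network address>."""
    return "obj-" + subnet.split("/")[0]


def nat_exempt_lines(subnet, pool_obj, inside="inside", outside="outside"):
    """Identity (twice) NAT so the subnet keeps its real address toward the VPN pool.
    no-proxy-arp / route-lookup are assumed options (the question's table shows 'no proxy')."""
    net = ipaddress.ip_network(subnet)
    o = obj_name(subnet)
    return [
        f"object network {o}",
        f" subnet {net.network_address} {net.netmask}",
        f"nat ({inside},{outside}) source static {o} {o} "
        f"destination static {pool_obj} {pool_obj} no-proxy-arp route-lookup",
    ]


def split_tunnel_line(subnet, acl_name):
    """Standard ACL entry so the VPN client sends this subnet through the tunnel."""
    net = ipaddress.ip_network(subnet)
    return f"access-list {acl_name} standard permit {net.network_address} {net.netmask}"


def audit(config_text, subnets, pool_obj, acl_name):
    """Report which inside subnets lack an identity NAT rule toward the pool
    and which are absent from the split-tunnel ACL."""
    exempted, split = set(), set()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            _, _, real, mapped, dst_real, dst_mapped = m.groups()
            # Only an identity rule (real == mapped, destination unchanged) is an exemption.
            if real == mapped and dst_real == dst_mapped == pool_obj:
                exempted.add(real)
            continue
        m = ACL_RE.match(line)
        if m and m.group(1) == acl_name:
            # ipaddress accepts "network/dotted-netmask", so normalise to CIDR.
            split.add(str(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")))
    return {
        "missing_nat_exempt": [s for s in subnets if obj_name(s) not in exempted],
        "missing_split_tunnel": [s for s in subnets if str(ipaddress.ip_network(s)) not in split],
    }


def missing_config_lines(config_text, subnets, pool_obj, acl_name):
    """CLI lines that close the gaps audit() found: one NAT rule and one ACL entry per subnet."""
    gaps = audit(config_text, subnets, pool_obj, acl_name)
    lines = []
    for s in gaps["missing_nat_exempt"]:
        lines += nat_exempt_lines(s, pool_obj)
    for s in gaps["missing_split_tunnel"]:
        lines.append(split_tunnel_line(s, acl_name))
    return lines


if __name__ == "__main__":
    print("Gaps:", audit(BEFORE_CONFIG, INSIDE_SUBNETS, VPN_POOL_OBJECT, SPLIT_TUNNEL_ACL))
    print("\n".join(missing_config_lines(BEFORE_CONFIG, INSIDE_SUBNETS, VPN_POOL_OBJECT, SPLIT_TUNNEL_ACL)))
```

Run against the constructed "before" config it reports 192.168.101.0/24 missing from both the NAT exemption and the split-tunnel ACL and prints the object, nat and access-list lines that add it, which is the same pair of changes max describes. The audit only counts a rule as an exemption when source and destination are both left unchanged, so a rule that translates the subnet to something else does not silently pass; it parses only the 8.3+ twice-NAT form from the accepted answer, not the separate NO_NAT access-list the questioner mentions.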
 

Author Comment

by:Brian E.
ID: 41860208
Thank you that worked! I really appreciated the help.
0
 

Author Closing Comment

by:Brian E.
ID: 41860239
Max was awesome. I really appreciated his help.
0