Cisco ASA Series Configuration Manual page 222

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
NAT for VPN
Figure 10-15 Interface PAT and Identity NAT for Site-to-Site VPN
[Figure: Boulder inside host 10.1.1.6 behind ASA1 (outside IP 203.0.113.1); site-to-site VPN tunnel across the Internet to ASA2; San Jose inside host 10.2.2.78; www.example.com reachable on the Internet.]
1. IM to 10.2.2.78 (Src: 10.1.1.6, Dst: 10.2.2.78)
2. Identity NAT between NWs connected by VPN (Src: 10.1.1.6)
3. IM received (Src: 10.1.1.6)
A. HTTP to www.example.com (Src: 10.1.1.6)
B. ASA performs interface PAT for outgoing traffic (Src: 203.0.113.1:6070)
C. HTTP request to www.example.com (Src: 203.0.113.1:6070)

The following figure shows a VPN client connected to ASA1 (Boulder), with a Telnet request for a server
(10.2.2.78) accessible over a site-to-site tunnel between ASA1 and ASA2 (San Jose). Because this is a
hairpin connection, you need to enable intra-interface communication, which is also required for
non-split-tunneled Internet-bound traffic from the VPN client. You also need to configure identity NAT
between the VPN client and the Boulder & San Jose networks, just as you would between any networks
connected by VPN to exempt this traffic from outbound NAT rules.

Figure 10-16 VPN Client Access to Site-to-Site VPN
[Figure: VPN client 209.165.201.10 (assigned local address 10.3.3.10) connected to ASA1 (Boulder); site-to-site VPN tunnel across the Internet to ASA2; San Jose inside host 10.2.2.78.]
1. HTTP request to 10.2.2.78 (Src: 209.165.201.10)
2. ASA decrypts packet; src address is now local address (Src: 10.3.3.10, Dst: 10.2.2.78)
3. Identity NAT between VPN Client & San Jose NWs; intra-interface config req'd (Src: 10.3.3.10)
4. HTTP request received (Src: 10.3.3.10)

See the following sample NAT configuration for ASA1 (Boulder):

! Enable hairpin for VPN client traffic:
same-security-traffic permit intra-interface
! Identify local VPN network, & perform object interface PAT when going to Internet:

Chapter 10 NAT Examples and Reference
Cisco ASA Series Firewall CLI Configuration Guide
10-18
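The two requirements in the paragraph above, the intra-interface (hairpin) permission and the identity NAT exemption that must be matched before the interface PAT rule, can be checked with a small model of the ASA's NAT lookup order. This is an added example written for this page, not Cisco code and not the rest of the guide's configuration. The host addresses come from the figures; the /24 subnets, the object names (vpn_local, boulder_inside, sanjose_inside), the interface names and the web server address 198.51.100.7 are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Addresses taken from the figures on this page; the /24 subnets and the
# object names (vpn_local, boulder_inside, sanjose_inside) are assumptions.
ASA1_OUTSIDE_IP = "203.0.113.1"
WEB_SERVER_IP = "198.51.100.7"   # constructed stand-in for www.example.com


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str    # interface the (decrypted) packet arrives on
    out_if: str   # interface routing selects for the destination


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int            # 1 = manual (twice) NAT, 2 = object (auto) NAT
    src_net: str
    dst_net: Optional[str]  # None = any destination (object NAT has no dst)
    action: str             # "identity" or "dynamic-pat"
    mapped: Optional[str] = None   # PAT address for "dynamic-pat"


# Rule table modelled on the page's scenario (assumed object names).
RULES: List[NatRule] = [
    # Section 1: identity twice NAT between the VPN-connected networks.
    NatRule("boulder_inside<->vpn_local", 1, "10.1.1.0/24", "10.3.3.0/24", "identity"),
    NatRule("boulder_inside<->sanjose_inside", 1, "10.1.1.0/24", "10.2.2.0/24", "identity"),
    NatRule("vpn_local<->sanjose_inside", 1, "10.3.3.0/24", "10.2.2.0/24", "identity"),
    # Section 2: object NAT, interface PAT for Internet-bound traffic.
    NatRule("vpn_local", 2, "10.3.3.0/24", None, "dynamic-pat", ASA1_OUTSIDE_IP),
    NatRule("boulder_inside", 2, "10.1.1.0/24", None, "dynamic-pat", ASA1_OUTSIDE_IP),
]


def _matches(addr: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def lookup(pkt: Packet, rules: List[NatRule] = RULES) -> Tuple[Optional[str], str]:
    """First match wins, Section 1 before Section 2 (the ASA's section order).

    Simplification: the real ASA also orders rules inside Section 2 (static before
    dynamic, longer prefixes first); the subnets here are disjoint so it never matters.
    """
    for section in (1, 2):
        for rule in rules:
            if rule.section != section:
                continue
            if _matches(pkt.src, rule.src_net) and _matches(pkt.dst, rule.dst_net):
                translated = pkt.src if rule.action == "identity" else rule.mapped
                return rule.name, translated
    return None, pkt.src   # no rule: packet passes untranslated


def forward(pkt: Packet, intra_interface_permitted: bool,
            rules: List[NatRule] = RULES) -> Tuple[str, Optional[str], str]:
    """Hairpin check first, then NAT. Returns (verdict, rule name, source after NAT)."""
    if pkt.in_if == pkt.out_if and not intra_interface_permitted:
        # Without 'same-security-traffic permit intra-interface' the ASA drops
        # traffic that enters and exits the same interface.
        return "drop", None, pkt.src
    name, src = lookup(pkt, rules)
    return "forward", name, src


def without_identity_rules() -> List[NatRule]:
    """The misconfiguration the page warns against: no identity NAT exemption."""
    return [r for r in RULES if r.action != "identity"]


if __name__ == "__main__":
    cases = [
        ("VPN client -> San Jose (hairpin permitted)",
         Packet("10.3.3.10", "10.2.2.78", "outside", "outside"), True, RULES),
        ("VPN client -> San Jose (hairpin NOT permitted)",
         Packet("10.3.3.10", "10.2.2.78", "outside", "outside"), False, RULES),
        ("VPN client -> Internet (non-split-tunnel)",
         Packet("10.3.3.10", WEB_SERVER_IP, "outside", "outside"), True, RULES),
        ("Boulder host -> San Jose over tunnel",
         Packet("10.1.1.6", "10.2.2.78", "inside", "outside"), True, RULES),
        ("VPN client -> San Jose, identity rules missing",
         Packet("10.3.3.10", "10.2.2.78", "outside", "outside"), True, without_identity_rules()),
    ]
    for label, pkt, hairpin_ok, rules in cases:
        verdict, rule, src = forward(pkt, hairpin_ok, rules)
        print(f"{label:50} {verdict:8} rule={str(rule):36} src={src}")
```

The last case is the one to watch for: with the Section 1 identity rules absent, the VPN client's tunnel-bound traffic falls through to the Section 2 interface PAT and leaves with source 203.0.113.1 instead of 10.3.3.10, which is why the guide configures identity NAT for every pair of VPN-connected networks before relying on object interface PAT for Internet traffic.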