Cisco ASA Series Configuration Manual page 224
Firewall cli, asa services module, and the adaptive security virtual appliance
Hide thumbs
Also See for ASA Series:
- Cli configuration manual (2164 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
NAT for VPN
The following figure shows a VPN client Telnetting to the ASA inside interface. When you use a
management-access interface, and you configure identity NAT according to
VPN, page 10-15
lookup option. Without route lookup, the ASA sends traffic out the interface specified in the NAT
command, regardless of what the routing table says; in the below example, the egress interface is the
inside interface. You do not want the ASA to send the management traffic out to the inside network; it
will never return to the inside interface IP address. The route lookup option lets the ASA send the traffic
directly to the inside interface IP address instead of to the inside network. For traffic from the VPN client
to a host on the inside network, the route lookup option will still result in the correct egress interface
(inside), so normal traffic flow is not affected. See the
more information about the route lookup option.
Figure 10-17
See the following sample NAT configuration for the above network:
! Enable hairpin for non-split-tunneled VPN client traffic:
same-security-traffic permit intra-interface
! Enable management access on inside ifc:
management-access inside
! Identify local VPN network, & perform object interface PAT when going to Internet:
object network vpn_local
subnet 10.3.3.0 255.255.255.0
nat (outside,outside) dynamic interface
! Identify inside network, & perform object interface PAT when going to Internet:
object network inside_nw
subnet 10.1.1.0 255.255.255.0
nat (inside,outside) dynamic interface
Cisco ASA Series Firewall CLI Configuration Guide
10-20
or
NAT and Site-to-Site VPN, page
VPN Management Access
2. ASA decrypts packet; src address is now local address
209.165.201.10
3. Identity NAT between inside &
VPN client NWs; route-lookup req'd
Src: 10.3.3.10
10.3.3.10
Dst: 10.1.1.1
10.1.1.1
ASA Inside IP:10.1.1.1
Inside
Src: 10.1.1.1
Dst: 10.3.3.10
Dst: 10.3.3.10
5. Telnet response
6. Identity NAT
to VPN Client
7. ASA encrypts packet; dst address is now real address
10-17, you must configure NAT with the route
Determining the Egress Interface, page 10-14
10.3.3.10
4. Telnet request to 10.1.1.1
Src: 10.3.3.10
Internet
Dst: 209.165.201.10
8. Telnet response to
VPN Client
10.1.1.1
10.3.3.10
Dst: 10.3.3.10
209.165.201.10
Chapter 10
NAT Examples and Reference
NAT and Remote Access
1. Telnet request to ASA inside ifc;
management-access config req'd
Src: 209.165.201.10
VPN Client
209.165.201.10
for
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
