Cisco ASA Series CLI Configuration Manual, page 770

Software version 9.0 for the services module
Chapter 1 Information About NAT
NAT for VPN

Figure 1-18 Identity NAT for VPN Clients

[Figure 1-18: VPN client (real address 209.165.201.10) connects over the Internet to the ASA; inside host 10.1.1.6. Packet flow shown in the figure:
1. SMTP request to 10.1.1.6 from the VPN client. Src: 209.165.201.10
2. ASA decrypts packet; src address is now local address 10.3.3.10
3. Identity NAT between inside and VPN Client networks. Src: 10.3.3.10, Dst: 10.1.1.6
4. SMTP request to 10.1.1.6 delivered on the inside. Src: 10.3.3.10, Dst: 10.1.1.6
5. SMTP response to VPN Client. Src: 10.1.1.6, Dst: 10.3.3.10
6. Identity NAT. Src: 10.1.1.6, Dst: 10.3.3.10
7. ASA encrypts packet; dst address is now real address 209.165.201.10
8. SMTP response to VPN Client. Dst: 209.165.201.10]

See the following sample NAT configuration for the above network:

! Enable hairpin for non-split-tunneled VPN client traffic:
same-security-traffic permit intra-interface

! Identify local VPN network, & perform object interface PAT when going to Internet:
object network vpn_local
 subnet 10.3.3.0 255.255.255.0
 nat (outside,outside) dynamic interface

! Identify inside network, & perform object interface PAT when going to Internet:
object network inside_nw
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Use twice NAT to pass traffic between the inside network and the VPN client without
! address translation (identity NAT):
nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local

NAT and Site-to-Site VPN

Figure 1-19 shows a site-to-site tunnel connecting the Boulder and San Jose offices. For traffic that you want to go to the Internet (for example from 10.1.1.6 in Boulder to www.example.com), you need a public IP address provided by NAT to access the Internet. The below example uses interface PAT rules. However, for traffic that you want to go over the VPN tunnel (for example from 10.1.1.6 in Boulder to 10.2.2.78 in San Jose), you do not want to perform NAT; you need to exempt that traffic by creating an identity NAT rule. Identity NAT simply translates an address to the same address.

Cisco ASA Series CLI Configuration Guide 1-24
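The following is an added Python model (not Cisco code, and not part of the guide) of the rule lookup behind the Figure 1-18 configuration and the identity NAT exemption described for the site-to-site case: the twice NAT rule in Section 1 is checked before the object NAT rules in Section 2, and a static twice NAT rule also matches the reply direction. The ASA outside interface address (209.165.200.225) and the Internet host address (198.51.100.7) are constructed assumptions; the subnets and hosts are the page's.

```python
import ipaddress

# Constructed model of the ASA NAT lookup order the page's configuration relies on:
# Section 1 (twice NAT) is consulted before Section 2 (object NAT).
OUTSIDE_IF_IP = "209.165.200.225"  # assumed outside interface address, not from the page


def net(cidr):
    return ipaddress.ip_network(cidr)


# Section 1: "nat (inside,outside) source static inside_nw inside_nw
#             destination static vpn_local vpn_local" (identity, bidirectional)
SECTION1 = [("inside", "outside", net("10.1.1.0/24"), net("10.3.3.0/24"))]

# Section 2: object NAT "nat (outside,outside) dynamic interface" for vpn_local
#            and "nat (inside,outside) dynamic interface" for inside_nw
SECTION2 = [("outside", "outside", net("10.3.3.0/24")),
            ("inside", "outside", net("10.1.1.0/24"))]


def translate(ingress, egress, src, dst, section1=SECTION1):
    """Return (translated_src, translated_dst, matched_rule) for one packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for in_if, out_if, src_net, dst_net in section1:
        forward = (ingress, egress) == (in_if, out_if) and s in src_net and d in dst_net
        # A static twice NAT rule also matches the reply direction (outside -> inside).
        reverse = (ingress, egress) == (out_if, in_if) and s in dst_net and d in src_net
        if forward or reverse:
            return src, dst, "section1 identity"
    for in_if, out_if, src_net in SECTION2:
        if (ingress, egress) == (in_if, out_if) and s in src_net:
            return OUTSIDE_IF_IP, dst, "section2 interface PAT"
    return src, dst, "no match"


if __name__ == "__main__":
    # Figure 1-18 step 3: decrypted VPN client packet toward the inside host
    print(translate("outside", "inside", "10.3.3.10", "10.1.1.6"))
    # Step 6: reply from the inside host back toward the VPN client
    print(translate("inside", "outside", "10.1.1.6", "10.3.3.10"))
    # Same reply with the identity rule removed: interface PAT would rewrite the source
    print(translate("inside", "outside", "10.1.1.6", "10.3.3.10", section1=[]))
    # Non-split-tunneled VPN client hairpinning to an Internet host (constructed address)
    print(translate("outside", "outside", "10.3.3.10", "198.51.100.7"))
```

Running the script shows why the identity rule must exist: without it, the reply in step 6 would leave with the interface address as its source and never match the VPN client's expected address.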