ASA NAT for Remote VPN to Internet (Specific)

rob1456657
Level 1

I'm hoping I can explain this clearly enough. I have a remote site with a site-to-site tunnel. From the Home Office and the remote site, we are allowing a split tunnel, but we need to tunnel a specific external site via the home office.

The IP Scope for this particular external entity is already defined in the Tunnel groups, so we know that traffic from the remote site headed for xyz.com is going through the tunnel. At the head office, we can see that clients from the remote site are attempting to access the site, but our NAT rule is not working correctly.

Has anyone configured such access and made it work?

The NAT rule on the head office side should be something like this:

nat (outside,outside) source dynamic REMOTE-SITE interface destination static EXTERNAL-SITE

However, this is not working. When I watch the logs on the head office ASA, I see the remote client going through, but the connection times out.

I know I am missing something simple. I hope someone can help. Thanks in advance!

8 Replies

@rob1456657 assuming the traffic is tunnelled and the NAT rule is working correctly, you would also need to configure the command same-security-traffic permit intra-interface to allow the traffic to be routed back out the same interface it came in on (outside).
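To make the pieces in the question and this reply concrete, here is an added head-office ASA configuration example (not from the original thread or any poster); the subnets and the crypto ACL name are constructed placeholders, and the object names follow the ones used in the question:

```cisco
! Added example, not from the thread. Subnets and ACL name are constructed placeholders.
! Head-office ASA: let remote-site VPN users reach one external site via HQ,
! while all other remote-site traffic stays in the remote site's split tunnel.

object network REMOTE-SITE
 subnet 10.20.0.0 255.255.255.0
object network EXTERNAL-SITE
 subnet 203.0.113.0 255.255.255.0

! Traffic arrives decrypted on "outside" and must leave via "outside" again.
same-security-traffic permit intra-interface

! Twice NAT: PAT the remote site to the outside interface address, but only
! when the destination is the external site. "destination static" takes the
! mapped and real objects; using the same object keeps the destination unchanged.
! Placed at position 1 so it is evaluated before broader rules.
nat (outside,outside) 1 source dynamic REMOTE-SITE interface destination static EXTERNAL-SITE EXTERNAL-SITE

! The HQ crypto ACL for the site-to-site tunnel must cover this pair (the
! mirror of the remote site's entry), or the return traffic is not encrypted.
access-list L2L-REMOTE extended permit ip object EXTERNAL-SITE object REMOTE-SITE

! Checks on the HQ ASA once applied:
! show nat detail            -> translate_hits / untranslate_hits on the rule
! show crypto ipsec sa       -> encaps / decaps for the EXTERNAL-SITE proxy IDs
! packet-tracer input outside tcp 10.20.0.10 12345 203.0.113.10 443
```

Keeping the destination in the NAT rule limits the hairpin to the one external site, rather than letting any remote-site traffic use the HQ internet connection.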

@Rob Ingram - same-security settings are configured. That's what's throwing us off. We expected it to work, but instead access to the site times out.

nat (outside,outside) source dynamic REMOTE-SITE interface 

No need for this; you access the internet and you configure the destination with a specific subnet, so there is no need for the destination in the NAT.

Note: this also needs an ACL from LAN to ANY; this is not recommended at all, so in my opinion use VTI. This protects your data, and at the same time you can push a default route to the remote site and make it use HQ as the point to access the internet.

MHM

It seems you are allowing VPN access to the remote site via the tunnel with that NAT statement. We only need a specific site to be tunneled while all other internet access goes out the remote site's internet connection. I'll try the above and see what happens.

Yes, try.

And if you can draw the topology, let me double check it.

MHM

Please ignore the indicators and certain labels. I used Cisco Packet Tracer to create the topology. This is pretty basic. Thanks.

[attachment: Diagram.png]

Could you please share the output of "show nat" and "sh run route" from the HO firewall for review?

Check this:

[attachment: Screenshot (377).png]