Cisco VPN Client NAT

Greetings.

We have clients that access our vpn from home. When they attach to our lan, they receive a 10.1.15.x address from our dhcp pool.

Recently, one of our employees has moved into an office that has their own network. They too have a 10.1.15.x network routed.

Our client can establish the VPN but does not get connectivity. I'm guessing I need to do a nat, but am unsure of how to do it with a client VPN. I've done this several times with site to site.

Can someone point me in the right direction?

Thank you

Kilgore

Hi Kilgore,

There are two ways to allow traffic to pass through the PIX Firewall without translating the source address:

  1. Issue the no nat command.

The nat (inside) 0 0.0.0.0 0.0.0.0 command allows traffic to pass from the inside to the outside without translating the source addresses, but this version of the nat 0 command does not allow for any outside-to-inside traffic.

The nat (inside) 0 access-list nonat command allows traffic to pass from the inside to the outside and also provides an option to permit outside-to-inside traffic based on the nonat Access Control List (ACL), an ACL applied to the outside interface.

  2. Issue the static command.

The static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 command creates an xlate table, but there is really no translation taking effect because the addresses are translated to themselves.

This solution also provides the option to allow outside-to-inside traffic based on an ACL applied to the outside interface.

Sincerely,

Brad Reese


I'm having the exact same problem. My DHCP pool gives out 10.1.23.x addresses to clients.

The network my client sometimes works at also has a 10.1.23.x network.

They c

Two things that I would suggest:

  1. Do not use a pool for VPN that is the same as your internal subnet. For example, if the internal subnet was 192.168.0.0/24, I would use the pool 192.168.1.0/24 for the VPN users.

  2. You need to exempt whatever addresses are in the VPN pool from NAT. For example, if your internal subnet is 192.168.0.0/24 and your VPN pool is 192.168.1.0/24, you would write statements such as:

nat (inside) 0 access-list crypto-map-20

access-list crypto-map-20 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

HTH.

Agreed. I don't have control over which facilities my clients visit, or their network setup.

Thanks! I'll give that a try!

I'm not talking about the remote sites your users visit; I mean the part of your config that defines the IP pool your users will be assigned an IP address from when they connect.

Line in your config looks like:

ip local pool VPN 192.168.0.200-192.168.0.215 mask 255.255.255.0

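To tie the two suggestions above together, here is an added example (not code from the thread or from Cisco): it checks whether a proposed VPN client pool collides with the inside subnet or with a remote office LAN a user may connect from, and builds the PIX 6.x ip local pool, access-list and nat 0 lines for a pool that does not collide. All subnet values, and the names "nonat" and "VPN", are constructed for illustration.

```python
# Added example, not from the original thread. Subnet values are constructed.
import ipaddress


def overlapping_networks(pool, others):
    """Return the networks in `others` that overlap the VPN pool.

    Kilgore's case: pool 10.1.15.0/24 versus a remote office that is also
    10.1.15.0/24. A client whose tunnel address already exists on the LAN it
    is sitting on will have its traffic routed locally instead of down the tunnel.
    """
    pool_net = ipaddress.ip_network(pool)
    return [o for o in others if pool_net.overlaps(ipaddress.ip_network(o))]


def nat_exemption_config(inside, pool, acl_name="nonat", pool_name="VPN"):
    """Build the ip local pool, ACL and nat 0 lines for a non-overlapping pool.

    Raises ValueError when the pool overlaps the inside subnet, which is the
    first mistake Chad's reply warns against.
    """
    inside_net = ipaddress.ip_network(inside)
    pool_net = ipaddress.ip_network(pool)
    if inside_net.overlaps(pool_net):
        raise ValueError(f"VPN pool {pool} overlaps inside subnet {inside}")
    hosts = list(pool_net.hosts())
    return [
        f"ip local pool {pool_name} {hosts[0]}-{hosts[-1]} mask {pool_net.netmask}",
        # On the PIX the nat 0 ACL is written from the inside (local) network
        # as source towards the VPN pool as destination.
        f"access-list {acl_name} permit ip {inside_net.network_address} "
        f"{inside_net.netmask} {pool_net.network_address} {pool_net.netmask}",
        f"nat (inside) 0 access-list {acl_name}",
    ]


if __name__ == "__main__":
    # Constructed scenario: inside LAN, a pool that collides with a remote office.
    remote_lans = ["10.1.15.0/24", "172.16.5.0/24"]
    print("collisions:", overlapping_networks("10.1.15.0/24", remote_lans))
    for line in nat_exemption_config("192.168.0.0/24", "192.168.1.0/24"):
        print(line)
```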
