Multiple NAT outside ranges?

Hi,

I hope someone can advise me if this scenario is possible.

Here's my situation. I just installed a second WAN link and a border router to an additional ISP, to dual-home using BGP. To ease management, we will keep using one of the two /24s we control now; however, the one that we will use later, the new block, comes from the second ISP, which of course means going through an IP address change.

I am trying to avoid a plan where I have to change all the public IP addresses over a weekend, due to the number of different VPN and other IP-specific connections that other organizations have with us, so I was trying to plan a gradual migration.

I have a single 515 (6.3) for outbound traffic, and adding another is not possible for about 6 months (the lease is expected to come up around the time we will move to the ASA). Eventually the addresses outside the firewall will be a single /24 network, but in the meantime I would use the two ranges (using NAT) on the firewall.

By design, the gateway for the firewall is currently an Ethernet port on the original router. This router uses static routes for egress and ingress traffic to our ASN, but the newly installed router is using BGP. Before I turn BGP on on the original router, I have set up a link between the two, and I want to implement policy-based routing to send all traffic from the new /24 range to a next hop of the new router running BGP.

I tried yesterday, and I had no connectivity, not even a ping to the edge router, using this new set of IP addresses. Is it possible to implement these two IP ranges for NAT on the firewall and have the two ranges use the same gateway IP address?

I know it's probably confusing, so if you need clarification on anything, let me know.

Thanks for your help.

I don't see why it would not work as long as you have control of the config of the next-hop router outside the PIX. Set up the first subnet as usual, then get your second subnet onto the PIX. Implement the NATs on the PIX as you wish. On the gateway router you need to set up policy-based routing (a route map) that uses an ACL to look at the source IP address coming from the PIX and routes one range to one ISP and the second range to the other ISP.

Tags: Cisco Security

Similar Questions

  • Hub-and-spoke topology: can I route Internet traffic for PCs at a spoke site through the tunnel and NAT it outside to the world on the 5520 hub?

    I don't know if this can be made to work or not, or if it's a mutually exclusive NAT configuration that is not possible, but I have an ASA 5520 at my central office site with a 20Mbps fiber Internet feed and two remote offices with ASA 5505 devices connected via DSL or cable modem, and I have finally got the site-to-site "spoke" VPN tunnels up and running with the ability to route spoke-to-spoke traffic through a "hairpin turn" on the hub site 5520.

    I have desktop PCs at each remote spoke site, A and B, that need to communicate directly with each other to support a small workgroup-style point-of-sale software package that is actually hosted on a PC at remote site A.

    The PCs at the two remote sites must also be able to communicate with a credit card processing service on the public Internet, and I want the ASA 5505 units in each remote office to block all traffic from being NAT'ed directly out from each respective local LAN PC straight to the Internet over each site's cable or DSL modem. I want to force these PCs' Internet-destined traffic to be NAT'ed back through the ASA 5520 located at the home office, over the VPN tunnels. In other words, I want the cable modem and DSL connections to route strictly VPN-encrypted traffic to the home office and not also behave as NAT routers for the local PCs.

    I can stop the 5505 from performing NAT for the PCs in the remote offices simply by removing the factory default dynamic NAT rule for "everything", but then I can't figure out how to get my central 5520 to perform the NAT required for the remote PCs to talk to their Internet credit card processor service without breaking the "NAT-free" configs necessary for spoke-to-spoke VPN traffic to work. If I try to put a static or dynamic NAT entry for a remote desktop on my central ASA 5520, it breaks the VPN tunnel for that specific PC.

    Is what I want to accomplish even possible with the ASA?

    Hi Neal,

    Yes, it's quite possible! Below is a list of things you need to do:

    (1) Of course, make sure that on both of the ASA 5505s you send ALL traffic from the local network through the VPN.

    (2) As Andrew mentioned, have the 'same-security-traffic permit intra-interface' command on the ASA 5520.

    (3) You do not have to have a proxy server configured, but it is also a good solution. To make it work without one, assuming the ASA 5505 remote subnets are 192.168.1.0/24 and 192.168.2.0/24, add the config lines below to the ASA 5520:

    nat (outside) 1 192.168.1.0 255.255.255.0
    nat (outside) 1 192.168.2.0 255.255.255.0
    global (outside) 1 interface

    Please note that the id 1 and the interface can be replaced according to the configuration you already have in place on the ASA 5520.

    I don't know what kind of NAT exemptions are at the root of the issues for you, but if you can post a sanitized copy of your ASA 5505 and ASA 5520 configs, I can make suggestions regarding the exact configuration.

    Let me know if it helps!

    Thank you and best regards,

    Assia

  • NAT outside source to an internal server

    I have worked on this for months and I'm still not able to get it working properly. What I want to accomplish is to allow Usablenet to connect to our staging web server from the Internet, from a range of IPs belonging to Usablenet.

    The strange thing is that this does not seem to be correct:

    object network web_staging_net
     nat (web_staging,outside) dynamic interface
    nat (web_staging,outside) source static obj-10.x.x.197 obj-209.x.x.97 destination static Useablenet Useablenet
    !

    ACL:

    access-list outside_in extended permit tcp object-group Useablenet host 10.x.x.197 eq www

    Any help will be greatly appreciated.

    What is the configuration of the web_staging_net object? Is it a subnet or a single host?

    I recommend creating a host entry for 10.x.x.197 and removing the static NAT entry for the other object.

    Something like this:

    object network web_10.x.x.197
     host 10.x.x.197
     nat (web_staging,outside) static obj-209.x.x.97

  • VPN using an IP with NAT outside

    I am trying to configure a tunnel linking our Cisco 5520 with a 5550, using one of our external IPs NATted through that tunnel. For some reason any traffic that should hit this tunnel goes through the global NAT. Here are the configs I have for this tunnel:

    access-list policy-nat extended permit ip host 66.77.88.170 host 1.2.3.4

    access-list Outside_cryptomap_60 extended permit ip inside-network 255.255.254.0 host 1.2.3.4
    access-list Outside_cryptomap_60 extended permit ip host 66.85.99.170 host 1.2.3.4

    global (outside) 1 66.77.88.135 netmask 255.255.255.192

    static (inside,outside) 66.77.88.170 access-list policy-nat

    crypto ipsec transform-set TRANSFORM_SET esp-3des esp-md5-hmac

    crypto map Outside_map 60 match address Outside_cryptomap_60
    crypto map Outside_map 60 set peer 200.200.200.200
    crypto map Outside_map 60 set transform-set TRANSFORM_SET

    tunnel-group 200.200.200.200 type ipsec-l2l
    tunnel-group 200.200.200.200 general-attributes
     default-group-policy site2site
    tunnel-group 200.200.200.200 ipsec-attributes
     pre-shared-key *

    If I ping 1.2.3.4 from an inside host, I see in the logs that it uses 66.77.88.136 as the NAT address and not 66.77.88.170. Do you see something wrong with this configuration?

    You fundamentally have the wrong ACLs in the wrong places.

    It should be as follows --->

    crypto map Outside_map 60 match address policy-nat
    crypto map Outside_map 60 set peer 200.200.200.200
    crypto map Outside_map 60 set transform-set TRANSFORM_SET

    access-list policy-nat extended permit ip host 66.77.88.170 host 1.2.3.4

    static (inside,outside) 66.77.88.170 access-list Outside_cryptomap_60

    access-list Outside_cryptomap_60 extended permit ip inside-network 255.255.254.0 host 1.2.3.4 ---> this ACL has no need of the 2nd line you have

  • Same host, multiple NATs

    Hub 3030... I have a local host that needs to access multiple L2L tunnels with different NAT requirements:

    I currently have this NAT configured...

    source 10.1.1.1/32 static NAT 134.x.x.x/32 destination ANY

    I need to configure this NAT...

    source 10.1.1.1/32 static NAT 10.99.17.x/32 destination 32.x.x.x/32

    Is this possible? I tried and I get "Source and remote network address conflict with an existing rule. The source or remote network address must be changed." Is the conflict because of the ANY destination in the pre-existing rule? I thought that, since the destination of the rule I have to add is more specific than that, it should work.

    Thanks for your help, Anne

    Hi Anne,

    Yes, the conflict error that we see is due to the pre-existing static with destination ANY. Ideally, we need to have more specific destinations in the static rules to have several NATs for the same source. So I would say we find out the list of remote networks for which we need the first translation (134.x.x.x/32) and apply the static rule for them (it may need more than one static rule if several remote subnets are involved), and similarly another for the new static we are looking for (for the 32.x.x.x/32 destination).

    Now, on some of the other security devices we have a workaround for this scenario, but I do not know if the software version running on your hub would support it.

    Try removing the static rule to ANY (1st statement) and then applying the new rule first (to 32.x.x.x/32). After that, apply the original static rule (destination ANY). The idea is to have the more specific static first, and then the general static (ANY) rule for the rest of the destinations. I suggest you try this in a maintenance window to avoid any impact on users.

    Let me know if that helps...

    Cheers,

    Christian V
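As an added illustration (not part of the thread), a small Python model of the static policy NAT behaviour Anne and Christian describe: a new static is refused when an existing static for the same source already covers its whole destination, and once the specific rule precedes the ANY rule, first-match lookup picks the right translation. The addresses 134.0.0.1, 10.99.17.1 and 32.0.0.1 are constructed stand-ins for the sanitized values in the thread.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the thread's sanitized addresses (134.x.x.x,
# 10.99.17.x, 32.x.x.x); assumed values, not taken from any real device.
NET = ipaddress.ip_network


@dataclass(frozen=True)
class StaticPolicyNat:
    """One static policy NAT rule: real source -> mapped source, only for flows
    to the given destination (0.0.0.0/0 plays the role of 'ANY')."""
    real_src: ipaddress.IPv4Network
    mapped_src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in self.real_src
                and ipaddress.ip_address(dst) in self.dst)


def conflicts(existing: StaticPolicyNat, new: StaticPolicyNat) -> bool:
    """Model of the 'source and remote network address conflict' check as the
    thread describes it: a new static is refused when an existing static for an
    overlapping real source already covers the new rule's whole destination.
    Adding the broad (ANY) rule after the specific one is not refused."""
    return (existing.real_src.overlaps(new.real_src)
            and new.dst.subnet_of(existing.dst))


def add_rule(table: list, new: StaticPolicyNat) -> list:
    """Append a rule, refusing it the way the firewall in the thread does."""
    for r in table:
        if conflicts(r, new):
            raise ValueError(f"conflicts with {r.real_src} -> {r.mapped_src} dst {r.dst}")
    return table + [new]


def build_in_order(rules: list) -> list:
    table: list = []
    for r in rules:
        table = add_rule(table, r)
    return table


def translate(table: list, src: str, dst: str):
    """First-match lookup in configuration order; returns the mapped address or
    None. Because the first match wins, the specific rule must precede ANY."""
    for r in table:
        if r.matches(src, dst):
            # 1:1 static mapping keeps the host offset inside the block
            off = int(ipaddress.ip_address(src)) - int(r.real_src.network_address)
            return str(r.mapped_src.network_address + off)
    return None


ANY_RULE = StaticPolicyNat(NET("10.1.1.1/32"), NET("134.0.0.1/32"), NET("0.0.0.0/0"))
SPECIFIC_RULE = StaticPolicyNat(NET("10.1.1.1/32"), NET("10.99.17.1/32"), NET("32.0.0.1/32"))


def original_order() -> str:
    """The order from the question: ANY first, then the specific rule."""
    try:
        build_in_order([ANY_RULE, SPECIFIC_RULE])
        return "accepted"
    except ValueError:
        return "rejected"


def workaround_order() -> list:
    """Christian's workaround: remove ANY, add the specific rule, re-add ANY."""
    return build_in_order([SPECIFIC_RULE, ANY_RULE])


if __name__ == "__main__":
    table = workaround_order()
    print(original_order())                              # rejected
    print(translate(table, "10.1.1.1", "32.0.0.1"))      # 10.99.17.1
    print(translate(table, "10.1.1.1", "198.51.100.7"))  # 134.0.0.1
```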

  • Multiple NATs

    Is it appropriate to NAT several individual IPs as follows? If so, is there a maximum number of statements that I can have?

    example:

    access-list 101 permit ip host 10.1.1.1 any
    access-list 102 permit ip host 10.1.1.2 any
    access-list 103 permit ip host 10.1.1.3 any

    nat (inside) 1 access-list 101
    nat (inside) 2 access-list 102
    nat (inside) 3 access-list 103

    global (dmz1) 1 192.168.1.1 netmask 255.255.255.0
    global (dmz1) 2 192.168.1.2 netmask 255.255.255.0
    global (dmz1) 3 192.168.1.3 netmask 255.255.255.0

    Hello

    Yes, in order to allow specific machines to get their relevant NAT, you must remove these IPs from the common NAT, so in your case the nat/global statements will look like below:

    nat (inside) 1 10.0.0.0 255.255.255.0
    nat (inside) 2 10.1.1.1 255.255.255.255
    nat (inside) 3 10.1.1.2 255.255.255.255

    global (dmz) 1 192.168.1.3-192.168.1.253 netmask 255.255.255.0
    global (dmz) 1 192.168.1.254 (this is so that if you run out of pool addresses it will PAT)
    global (dmz) 2 192.168.1.1
    global (dmz) 3 192.168.1.2

    HTH,

    MD

  • 2600 NAT outside public to private inside addresses

    I would like to make servers with private addresses available to guests (with public addresses) on the other side of a router. Can someone give me a pointer?

    TIA

    You want to configure static NAT.

    Suppose that 10.10.1.5 is the inside server and 193.234.211.12 is your free external IP. Just configure this line:

    ip nat inside source static 10.10.1.5 193.234.211.12

    And everyone who accesses the external IP address will be sent to the internal one (static NAT).

    Cheers

    Robert

  • nat (outside,outside) dynamic interface, IOS equivalent

    For a remote VPN user who just wants to have Internet access at the moment. Now I know you have to put the following in the config when using an ASA; what is the IOS equivalent?

    nat (outside,outside) dynamic interface

    Thank you

    Han

    Hello Han,

    You are right!

    Harish.

  • Multiple outside NAT at the same internal IP address

    In my view the answer is no, but I wanted to check.

    Can I have multiple NATs on the same interface to a single internal IP?

    For example:

    static (inside,outside) a.a.a.2 10.20.30.248 netmask 255.255.255.255
    static (inside,outside) a.a.a.3 10.20.30.248 netmask 255.255.255.255

    Where the subnet and the IP block are also used for the two external NATs.

    Hello

    If you are trying to do the following:

    translate the IP 10.20.30.248 to a.a.a.2

    and

    translate the IP 10.20.30.248 to a.a.a.3,

    i.e. translate the internal IP address to two external IP addresses, then this is not possible.

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this thread as answered if you feel that your query is resolved. Rate the useful messages.

  • IP NAT inside with multiple ISPs

    Hello

    I would like to ask: if I have 2 IP addresses, one from the ISP 1 block and one from the ISP 2 block, and I have 2 inside NAT mappings to 1 web server, let's say:

    100.0.0.10 (ISP 1 IP) and 200.0.0.10 (ISP 2 IP) mapped to my web server.

    My question is, let's say I have 2 default routes (0.0.0.0/0), one for each of my ISPs. How can I do policy routing so that if the customer comes in via ISP 1 and accesses the NAT to my web server (100.0.0.10), then the response from my web server returns via ISP 1 and does not use ISP 2?

    Hello

    As far as I understand, the OP is concerned about the HTTP response. The OP needs traffic coming from ISP 1 to go back to ISP 1 and traffic from ISP 2 to go back to ISP 2. Richard's idea of having a second IP address and a route map is the solution.

    Server IP addresses

    192.168.1.2

    192.168.1.3

    Router config

    interface FastEthernet0/0/0
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip policy route-map WAN

    interface FastEthernet0/0
     ip address 100.0.0.2 255.255.255.0
     ip nat outside

    interface FastEthernet1/0
     ip address 200.0.0.2 255.255.255.0
     ip nat outside

    ip nat inside source static 192.168.1.2 100.0.0.2
    ip nat inside source static 192.168.1.3 200.0.0.2

    access-list 20 permit 192.168.1.2
    access-list 30 permit 192.168.1.3

    route-map WAN permit 10
     match ip address 20
     set ip next-hop 100.0.0.1

    route-map WAN permit 20
     match ip address 30
     set ip next-hop 200.0.0.1

    **************************************

    Hope it helps,

    Masoud
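As an added example (not from the thread), a Python model of Masoud's route-map design, which is the same policy-based routing approach suggested in the first reply to the original question: it evaluates the standard ACLs and route-map sequences for a reply packet leaving the inside interface, and checks that each statically NATted server returns traffic via the gateway of the ISP that owns its public address. Addresses are the thread's sample values; the two equal-cost default routes and their per-flow hash are an assumption of the model.

```python
import ipaddress

# Constructed model of the router config in the reply above (assumed values,
# not pulled from a device): static NAT table, standard ACLs, route-map WAN.
STATIC_NAT = {               # inside local -> inside global
    "192.168.1.2": "100.0.0.2",
    "192.168.1.3": "200.0.0.2",
}
# WAN subnet each public address belongs to -> that ISP's gateway
ISP_GATEWAYS = {
    ipaddress.ip_network("100.0.0.0/24"): "100.0.0.1",
    ipaddress.ip_network("200.0.0.0/24"): "200.0.0.1",
}
# Standard ACLs: number -> ordered (action, source network); implicit deny at end
ACLS = {
    20: [("permit", ipaddress.ip_network("192.168.1.2/32"))],
    30: [("permit", ipaddress.ip_network("192.168.1.3/32"))],
}
# route-map WAN: (sequence, action, match ip address <acl>, set ip next-hop)
ROUTE_MAP_WAN = [
    (10, "permit", 20, "100.0.0.1"),
    (20, "permit", 30, "200.0.0.1"),
]
# Two 0.0.0.0/0 routes; which one a flow takes is modelled as a hash (assumed)
DEFAULT_ROUTES = ["100.0.0.1", "200.0.0.1"]


def acl_permits(acl_id: int, src: str) -> bool:
    """Standard ACL evaluation: first matching entry decides; no match is a deny."""
    addr = ipaddress.ip_address(src)
    for action, net in ACLS.get(acl_id, []):
        if addr in net:
            return action == "permit"
    return False


def pbr_next_hop(src: str):
    """Policy routing applied on the inside interface: the first route-map
    sequence whose ACL permits the source sets the next hop. Returns None when
    nothing matches, meaning the packet falls through to normal routing."""
    for _seq, action, acl, next_hop in ROUTE_MAP_WAN:
        if acl_permits(acl, src):
            return next_hop if action == "permit" else None
    return None


def expected_return_gateway(inside_local: str):
    """Gateway of the ISP that owns the public address the server is NATted to."""
    public = ipaddress.ip_address(STATIC_NAT[inside_local])
    for net, gateway in ISP_GATEWAYS.items():
        if public in net:
            return gateway
    return None


def egress_next_hop(src: str, flow_hash: int = 0) -> str:
    """Where a reply actually leaves: PBR wins when it matches; otherwise the
    router picks one of the equal-cost default routes, which is the asymmetric
    case the question worries about."""
    return pbr_next_hop(src) or DEFAULT_ROUTES[flow_hash % len(DEFAULT_ROUTES)]


def symmetric_hosts() -> list:
    """Servers whose replies are pinned to the ISP their public address came from."""
    return sorted(h for h in STATIC_NAT if pbr_next_hop(h) == expected_return_gateway(h))


if __name__ == "__main__":
    for host in STATIC_NAT:
        print(host, "->", egress_next_hop(host))
    print("unpolicied host, flow hash 1 ->", egress_next_hop("192.168.1.50", 1))
    print("symmetric:", symmetric_hosts())
```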

  • How can I do NAT from outside (Internet) to inside LAN servers using a public IP address?

    Should I be using a route?

    Let's say that 99.3.81.66 is your public IP address and the ISP is on int G0/0:

    ip nat inside source list 1 interface GigabitEthernet0/0 overload

    ip nat inside source static tcp 10.3.81.6 443 99.3.81.66 443 extendable
    ip nat inside source static tcp 10.3.81.61 80 99.3.81.66 80 extendable

    access-list 1 permit 10.3.81.0 0.0.0.255

    interface GigabitEthernet0/0
     ip nat outside

    interface GigabitEthernet0/2
     ip nat inside

  • Cisco router: access the outside interface from the local network

    Hi all!

    I have a Cisco 892 router (c890-universalk9-mz.154-3.M4.bin) with zone-based firewall and policy-based routing.

    Everything works fine, but now I need the ability to access the router's external interface IP from LAN addresses.

    For example, I PAT 192.168.4.1 port 8443 to the outside interface IP (93.93.93.2 for example) and I need to reach 93.93.93.2:8443 from the LAN.

    ! PAT:

    ip nat inside source static tcp 192.168.4.1 8443 93.93.93.1 8443 route-map SDM_RMAP_1 extendable

    ! Dynamic NAT to the Internet:

    ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload

    ! Routing policy

    route-map SDM_RMAP_1 permit 10
     match ip address 101
     match interface GigabitEthernet0

    ! ACL 101 for routing policy

    access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.111.0 0.0.0.255
    access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.192.0 0.0.0.255
    access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.177.0 0.0.0.255
    access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.61.0 0.0.0.255
    access-list 101 deny ip 192.168.3.0 0.0.0.255 172.17.19.0 0.0.0.255
    access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.111.0 0.0.0.255
    access-list 101 deny ip 192.168.3.0 0.0.0.255 host 172.16.194.100
    access-list 101 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.255.255.255
    access-list 101 deny ip 192.168.4.0 0.0.0.255 10.0.0.0 0.255.255.255
    access-list 101 deny ip 192.168.4.0 0.0.0.255 host 172.31.255.1
    access-list 101 deny ip 192.168.4.0 0.0.0.255 host 172.16.194.100
    access-list 101 permit ip 192.168.3.0 0.0.0.255 any
    access-list 101 permit ip 192.168.4.0 0.0.0.255 any

    ! ACL on the external interface:

    ip access-list extended gi0-in
     permit ip any any
     permit icmp any any

    ! External interface

    interface GigabitEthernet0
     description $ETH-WAN$
     ip address 93.93.93.1 255.255.255.240
     ip access-group gi0-in in
     ip nat outside
     ip virtual-reassembly in
     zone-member security WAN
     ip tcp adjust-mss 1452
     duplex auto
     speed auto
     crypto map SDM_CMAP_2

    ! Inside DMZ interface vlan:

    interface Vlan4
     ip address 192.168.4.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     zone-member security DMZ
     ip tcp adjust-mss 1452

    ! Allow outbound traffic from DMZ to Internet:

    ip access-list extended Allow_All_ACL-DMZ
     permit esp any any
     permit tcp host 192.168.4.1 host 192.168.111.2 eq 1521
     deny ip 192.168.4.0 0.0.0.255 192.168.111.0 0.0.0.255
     deny ip 192.168.4.0 0.0.0.255 172.17.19.0 0.0.0.255
     permit icmp 192.168.4.0 0.0.0.255 any
     permit ip 192.168.4.0 0.0.0.255 any

    ! Allow incoming traffic from the Internet to DMZ:

    ip access-list extended WAN_DMZ_ACL
     permit tcp any any established
     permit tcp any any eq ftp
     permit tcp any any eq 990
     permit tcp any any range 51000 53000
     permit tcp any any eq 995
     permit tcp any any eq 465
     permit tcp any any eq www
     permit tcp any any eq 443
     permit icmp any any
     permit esp any any
     permit udp any any eq non500-isakmp
     permit ip host 212.98.162.139 192.168.4.0 0.0.0.255
     permit ip 81.30.80.0 0.0.0.255 any
     permit ip 192.168.111.0 0.0.0.255 192.168.4.0 0.0.0.255
     permit ip 172.17.19.0 0.0.0.255 192.168.4.0 0.0.0.255
     permit ip host 172.16.194.100 192.168.4.0 0.0.0.255
     permit ip host 172.31.255.1 192.168.4.0 0.0.0.255
     permit ip host 172.31.255.1 host 172.17.193.100
     deny ip any any

    ! Zone-based firewall:

    class-map type inspect match-all DMZ_WAN_CLASS
     match access-group name Allow_All_ACL-DMZ

    class-map type inspect match-all WAN_DMZ_CLASS
     match access-group name WAN_DMZ_ACL

    policy-map type inspect DMZ_WAN_POLICY
     class type inspect DMZ_WAN_CLASS
      inspect
     class class-default
      drop

    policy-map type inspect WAN_DMZ_POLICY
     class type inspect WAN_DMZ_CLASS
      inspect
     class class-default
      drop

    zone security DMZ
    zone security WAN

    zone-pair security WAN_DMZ source WAN destination DMZ
     service-policy type inspect WAN_DMZ_POLICY
    zone-pair security DMZ_WAN source DMZ destination WAN
     service-policy type inspect DMZ_WAN_POLICY

    Maybe someone can help me make the Cisco allow access to the NATted ports from the LAN?

    I did this on Mikrotik easily =|

    It is due to the fact that they do not allow "hairpinning" by default; once this is configured, it will work.

    Martin

  • Cannot connect to the FTP server using NAT

    Hey, people!

    One machine in the network 200.2.2.0, with IP 200.2.2.222 (FTP client), must connect to an FTP server using the NAT IP 201.1.1.222, but it cannot connect. Using a log on the serial interface, I saw the server's response to the connection request. Using a different debug, on interface fas0/1, I don't see the response from the server; I cannot see whether NAT has been done.

    Why?

    What's wrong?

    What can I do?

    Putting this machine in another network, 201.1.1.0, is too hard!

    Look, a router interface has IP 201.1.1.1.

    !
    interface FastEthernet0/0
     ip address 201.1.1.1 255.255.255.0
     no cdp enable
    !
    interface FastEthernet0/1
     ip address 200.2.2.2 255.255.255.0
     ip nat inside
     no cdp enable
    !
    interface Serial0/0
     description INTERNET
     ip address 100.100.100.30 255.255.255.252
     ip nat outside
     no cdp enable
    !
    ip nat inside source static 200.2.2.222 201.1.1.222
    no ip http server
    !

    Thanks in advance,

    Renato

    Hello Renato,

    Also, it shouldn't make a difference, because your access list permits any in its last statement, but try adding the following lines to your access list:

    access-list 103 permit tcp any any established
    access-list 103 permit tcp any host 201.1.1.222 eq ftp log
    --> access-list 103 permit tcp any host 201.1.1.222 eq ftp-data log
    access-list 103 permit tcp any host 200.2.2.222 eq ftp log
    --> access-list 103 permit tcp any host 200.2.2.222 eq ftp-data log
    access-list 103 permit tcp any any range 0 65365 log
    access-list 103 permit udp any any range 0 65365
    access-list 103 permit icmp any any log
    access-list 103 permit ip any any log

    Also, try to remove the access list together and see if that makes a difference...

    Kind regards

    GP

  • Doing NAT for VPN clients through an L2L tunnel

    Hi. I have the following situation in my network. We need users who log on to our site with VPN clients to connect to another site via an L2L tunnel. The problem is that I need to NAT the addresses from the VPN client pool to another range before going over the L2L tunnel, because on the other side we have duplicate networks.

    I tried to do the NAT as follows, with little success:

    ACL for the VPN pool NAT:

    access-list TEST extended permit ip 192.168.253.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list TEST extended permit ip 192.168.253.0 255.255.255.0 192.168.5.0 255.255.255.0

    NAT:

    global (outside) 15 172.20.105.1-172.20.105.254
    nat (inside) 15 access-list TEST

    CRYPTO ACL:

    access-list RO extended permit ip LAN 255.255.0.0 192.168.0.0 255.255.255.0
    access-list RO extended permit ip LAN 255.255.0.0 192.168.5.0 255.255.255.0
    access-list RO extended permit ip 172.20.105.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list RO extended permit ip 172.20.105.0 255.255.255.0 192.168.5.0 255.255.255.0

    same-security-traffic permit intra-interface

    Am I missing something here? Is something like this possible at all?

    Thanks in advance for any help.

    We use the ASA 5510 with software version 8.0(3)6.

    You need to NAT on the outside, not the inside.

    nat (outside) 15 access-list TEST

  • Several nat (dmz) 0 access-list statements

    Hello

    I'm having problems with remote VPN. The scenario is as follows:

    I have a few clients who connect remotely via VPN. Until today, only one of them needed to get into my DMZ. But now I want a different profile (the cause is a new client) to access one of my servers in the DMZ.

    So I set up all of the VPN and ACL settings, but when I want to declare nat (dmz) 2 access-list newclient it does not work. But if I declare nat (dmz) 0 access-list newclient, it works, BUT it removes the previous nat 0 I had for my other client. Is there a way to create several nat (dmz) 0 access-list statements? If not, how could I solve this problem?

    This is my config:

    access-list vpnashi extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0
    access-list vpnashi extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28
    access-list vpnlati extended permit ip host 192.168.16.50 192.168.125.0 255.255.255.0
    access-list vpnlati extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.50

    ip local pool ippool 192.168.125.10-192.168.125.254
    global (outside) 1 interface
    global (outside) 2 200.32.97.254
    nat (outside) 1 192.168.125.0 255.255.255.0
    nat (inside) 0 access-list vpnas
    nat (inside) 2 access-list ACL-NAT-LIM
    nat (inside) 3 access-list vpnwip
    nat (inside) 4 access-list vpnashi
    nat (inside) 5 access-list vpnlati
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (wifi) 2 0.0.0.0 0.0.0.0
    nat (dmz) 0 access-list vpnashi
    nat (dmz) 1 192.168.16.0 255.255.255.0
    nat (dmz) 2 access-list vpnlati
    group-policy RA-ASHI internal
    group-policy RA-ASHI attributes
     dns-server value 172.16.1.100
     vpn-idle-timeout 30
     vpn-filter value vpnashi
     vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
     split-tunnel-policy tunnelspecified
    group-policy RA-LATI internal
    group-policy RA-LATI attributes
     dns-server value 172.16.1.100
     vpn-idle-timeout 30
     vpn-filter value vpnlati
     vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
     split-tunnel-policy tunnelspecified
    tunnel-group RA-ASHI type remote-access
    tunnel-group RA-ASHI general-attributes
     address-pool ippool
     authentication-server-group (outside) partnerauth
     default-group-policy RA-ASHI
    tunnel-group RA-ASHI ipsec-attributes
     pre-shared-key *
    tunnel-group RA-LVL type remote-access
    tunnel-group RA-LATI general-attributes
     address-pool ippool
     authentication-server-group (outside) partnerauth
     default-group-policy RA-LATI
    tunnel-group RA-LATI ipsec-attributes
     pre-shared-key *

    André,

    You can have one NAT exempt access list per interface (nat 0 rule). I understand what you are trying to accomplish. You use the vpnashi and vpnlati access lists to control access to devices for different customers through VPN group policies.

    What I do is the following:

    Create an ACL for the VPN client (which you have, with vpnashi and vpnlati).
    Create an ACL for NAT exemption for the interface (inside-sheep, sheep-dmz, etc.).

    Create the ACEs within the NAT exempt ACL that correspond to your VPN client access lists.

    It is allowed to have multiple statements within a NAT exempt access list. This will not give a VPN client access to things it shouldn't have.

    For example:

    access-list sheep-dmz extended permit ip host 192.168.16.28 192.168.125.0 255.255.255.0
    access-list sheep-dmz extended permit ip 192.168.125.0 255.255.255.0 host 192.168.16.28

    nat (dmz) 0 access-list sheep-dmz
