Cisco Systems ASA 5580 User Manual

Cisco ASA Series Firewall CLI Configuration Guide
Chapter 3: Information About NAT (page 3-23)
  NAT for VPN
NAT and Remote Access VPN
shows both an inside server (10.1.1.6) and a VPN client (209.165.201.10) accessing the Internet. Unless you configure split tunneling for the VPN client (where only specified traffic goes through the VPN tunnel), Internet-bound VPN traffic must also go through the ASA. When the VPN traffic enters the ASA, the ASA decrypts the packet; the resulting packet has the VPN client's local address (10.3.3.10) as its source. Both the inside network and the VPN client local network need a public IP address, provided by NAT, to reach the Internet. The example below uses interface PAT rules. To allow the VPN traffic to exit the same interface it entered, you also need to enable intra-interface communication (also known as "hairpin" networking).
Figure 3-17 Interface PAT for Internet-Bound VPN Traffic (Intra-Interface)
[Figure: ASA outside IP 203.0.113.1. VPN client flow: (1) HTTP request from VPN client 209.165.201.10 to www.example.com, src 209.165.201.10; (2) ASA decrypts packet, src address is now local address 10.3.3.10; (3) ASA performs interface PAT for outgoing traffic, src 203.0.113.1:6070 (intra-interface config required); (4) HTTP request reaches www.example.com. Inside flow: (A) HTTP from inside server 10.1.1.6 to www.example.com, src 10.1.1.6; (B) ASA performs interface PAT for outgoing traffic, src 203.0.113.1:6075; (C) HTTP request reaches www.example.com.]

shows a VPN client that wants to access an inside mail server. Because the ASA expects traffic between the inside network and any outside network to match the interface PAT rule you set up for Internet access, traffic from the VPN client (10.3.3.10) to the SMTP server (10.1.1.6) will be dropped due to a reverse path failure: traffic from 10.3.3.10 to 10.1.1.6 does not match a NAT rule, but returning traffic from 10.1.1.6 to 10.3.3.10 should match the interface PAT rule for outgoing traffic. Because the forward and reverse flows do not match, the ASA drops the packet when it is received. To avoid this failure, you need to exempt the inside-to-VPN-client traffic from the interface PAT rule by using an identity NAT rule between those networks. Identity NAT simply translates an address to the same address.
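As an added example (not the guide's own configuration), this is the ASA CLI for the scenario in the two paragraphs above: interface PAT for the inside network and for the decrypted VPN client traffic, intra-interface permission for the hairpin, and an identity NAT rule that exempts inside-to-VPN-client traffic from the PAT rule. The object names and the /24 subnet masks are assumptions; the guide gives only the host addresses.

```cisco
! Added example for the scenario described above. Object names and the
! /24 masks are assumptions (the text gives only the host addresses).

! 1. Let decrypted VPN traffic leave the outside interface it arrived on
!    (hairpin). Without this the ASA drops Internet-bound VPN traffic.
same-security-traffic permit intra-interface

! 2. Inside network (10.1.1.6 lives here): interface PAT on the outside
!    interface for Internet access. Object NAT lands in NAT section 2.
object network inside-net
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! 3. VPN client local address pool (10.3.3.10 lives here). The decrypted
!    packet enters and exits on outside, so the PAT is outside-to-outside.
object network vpn-local-net
 subnet 10.3.3.0 255.255.255.0
 nat (outside,outside) dynamic interface

! 4. Identity NAT between inside and the VPN pool. As a twice NAT rule it
!    sits in section 1 and is evaluated before the object NAT rules above,
!    so both the forward (10.3.3.10 -> 10.1.1.6) and reverse flows match
!    the same rule and the reverse-path drop no longer occurs.
nat (inside,outside) source static inside-net inside-net destination static vpn-local-net vpn-local-net
```

Check the result with `show nat detail`, which should list the identity rule in section 1 with translate_hits and untranslate_hits incrementing for the VPN-to-SMTP flow, and with `packet-tracer input outside tcp 10.3.3.10 12345 10.1.1.6 25`, whose NAT phase should now show the identity rule instead of a drop.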