RemoteSite   (172.16.1.*)
    |  
 Internet --- InternetUsers
    |
   ASA --- LocalUsers (192.168.1.*)
    |
 InsideNet     (10.1.1.*)
    |
  Router
    |   
 DeeperNet     (10.22.22.*)

I have a Cisco ASA 5510 with three interfaces, inside/outside/localusers.

On the inside there are two subnets, InsideNet and DeeperNet, connected by a simple router. The ASA's routing table has an entry for DeeperNet.

The remote site connects via a LAN-to-LAN VPN on the outside interface. (This VPN includes InsideNet and DeeperNet, so a user from RemoteSite can contact servers on DeeperNet.)

All traffic to a web server on InsideNet (10.1.1.1) needs to be redirected to a web server on DeeperNet (10.22.22.22). For localusers this is easily done with a static NAT rule:

static (inside,localusers) 10.1.1.1 10.22.22.22 netmask 255.255.255.255

Any traffic from internet users comes to the public IP of the ASA, and is also easy to handle with a static NAT rule.

static (inside,outside) 203.203.203.203 10.22.22.22 netmask 255.255.255.255

Where I'm having problems is with the VPN users. I'm not sure exactly how the VPN functionality interacts with NAT, and what order NAT & VPN get applied to an ASA.

How do I configure a static NAT rule so any RemoteUsers sending data to 10.1.1.1 over the VPN have it redirected to 10.22.22.22?

Does this NAT take effect before or after VPN traffic selection? (That is, if the VPN was configured as RemoteSite <-> InsideNet only, would traffic to 10.1.1.1 come through and be NATted to the DeeperNet IP, or would the ASA look at the real IPs and decide it's not part of the VPN?)

Dennis Williamson
DrStalker
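As an added illustration that is not part of the question or the answer, here is a small Python model of the what-if in the last paragraph: one packet from RemoteSite to 10.1.1.1 is traced under both candidate orderings (static NAT before the crypto ACL check, or after it), once with a tunnel that covers both inside subnets and once with a tunnel that covers InsideNet only. The topology, addresses and the single static rule are the question's; the two orderings are assumptions used to show what each would imply, not a statement of how the ASA actually behaves.

```python
import ipaddress

# Constructed model of the question's topology; it does not describe real ASA internals,
# it only makes visible what each order of operations would mean for one packet.
REMOTE_SITE = ipaddress.ip_network("172.16.1.0/24")
INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")
DEEPER_NET = ipaddress.ip_network("10.22.22.0/24")

# The question's redirect: destination 10.1.1.1 is rewritten to 10.22.22.22.
STATIC_NAT = {ipaddress.ip_address("10.1.1.1"): ipaddress.ip_address("10.22.22.22")}

# Crypto ACLs as (local_net, remote_net) pairs. The first is the tunnel the question
# describes (both inside subnets); the second is the hypothetical InsideNet-only tunnel.
ACL_BOTH_NETS = [(INSIDE_NET, REMOTE_SITE), (DEEPER_NET, REMOTE_SITE)]
ACL_INSIDE_ONLY = [(INSIDE_NET, REMOTE_SITE)]


def in_tunnel(src, dst, crypto_acl):
    """True if a packet from src to dst matches any local/remote pair of the crypto ACL."""
    return any(src in remote and dst in local for local, remote in crypto_acl)


def evaluate(src, dst, crypto_acl, nat_first):
    """Trace one remote-site packet under one assumed ordering.

    nat_first=True:  the static rule rewrites the destination, then the rewritten
                     address is checked against the crypto ACL.
    nat_first=False: the original destination is checked first, and NAT runs only
                     on traffic the tunnel accepted.
    Returns (final_destination, accepted_by_tunnel).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if nat_first:
        dst = STATIC_NAT.get(dst, dst)
        accepted = in_tunnel(src, dst, crypto_acl)
    else:
        accepted = in_tunnel(src, dst, crypto_acl)
        if accepted:
            dst = STATIC_NAT.get(dst, dst)
    return str(dst), accepted


if __name__ == "__main__":
    # A constructed RemoteSite host, 172.16.1.10, sends to the web server address 10.1.1.1.
    for name, acl in (("both inside nets", ACL_BOTH_NETS), ("InsideNet only", ACL_INSIDE_ONLY)):
        for nat_first in (True, False):
            dst, ok = evaluate("172.16.1.10", "10.1.1.1", acl, nat_first)
            print(f"tunnel={name:16} nat_first={nat_first!s:5} -> dst={dst} accepted={ok}")
```

With the tunnel covering both subnets, as the question's VPN does, the packet reaches 10.22.22.22 under either ordering; only the InsideNet-only tunnel exposes the difference, which is why the ordering question matters for policy.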

1 Answer


From experience, I believe NAT gets applied before VPNs. I've only dealt with infrastructure VPNs though, which may be different to VPN users.

Cian
  • this is a LAN-to-LAN VPN, which I assume is what you mean by "infrastructure VPN" - were you using Cisco gear when you made those observations? I know Cisco does NAT & firewall in the opposite order to iptables, so any other vendors won't be a good comparison here. – DrStalker Aug 31 '09 at 06:56
  • Yep. Using a PIX 506 (I think). – Cian Aug 31 '09 at 07:06