Nat for vpn – Cisco ASA 5505 User Manual

29-14

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 29 Information About NAT

NAT for VPN

Figure 29-13

NAT Example: Transparent Mode

1. When the inside host at 10.1.1.75 sends a packet to a web server, the real source address of the packet, 10.1.1.75, is changed to a mapped address, 209.165.201.15.

2. When the server responds, it sends the response to the mapped address, 209.165.201.15, and the ASA receives the packet because the upstream router includes this mapped network in a static route directed to the ASA management IP address. See the “Mapped Addresses and Routing” section on page 29-22 for more information about required routes.

3. The ASA then undoes the translation of the mapped address, 209.165.201.15, back to the real address, 10.1.1.75. Because the real address is directly connected, the ASA sends the packet directly to the host.

4. For host 192.168.1.2, the same process occurs, except that for returning traffic the ASA looks up the route in its routing table and sends the packet to the downstream router at 10.1.1.3, based on the ASA static route for 192.168.1.0/24. See the “Transparent Mode Routing Requirements for Remote Networks” section on page 29-24 for more information about required routes.
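The four-step walkthrough above, written out as an ASA 8.3+ object NAT configuration; this is an added example, not configuration text from the guide. It assumes bridge group member interfaces named inside and outside, that the transparent-mode management IP 10.1.1.1 is already configured, and that both translations are static one-to-one mappings (the figure does not state whether they are static or dynamic).

```cisco
! Added example, not from the guide. Interface names "inside" and
! "outside" and the choice of static NAT are assumptions.
!
! Step 1/3: inside host 10.1.1.75 is seen on the outside as 209.165.201.15;
! return traffic is untranslated and delivered directly (same subnet).
object network host-10.1.1.75
 host 10.1.1.75
 nat (inside,outside) static 209.165.201.15
!
! Step 4: remote host 192.168.1.2 (Network 2) is seen as 209.165.201.10.
object network host-192.168.1.2
 host 192.168.1.2
 nat (inside,outside) static 209.165.201.10
!
! Step 4: after un-NATing, the ASA must know that 192.168.1.0/24 lives
! behind the downstream router 10.1.1.3 (static route on ASA, Figure 29-13).
route inside 192.168.1.0 255.255.255.0 10.1.1.3
!
! Step 2, on the upstream IOS router (not on the ASA): the mapped network
! 209.165.201.0/27 must be routed to the ASA management IP so replies
! arrive at the ASA and can be translated back (static route on router).
!   ip route 209.165.201.0 255.255.255.224 10.1.1.1
```

Verify the translations with show nat and show xlate, and the route with show route; a reply that reaches the upstream router but never the ASA almost always means the router-side static route for the mapped network is missing.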

NAT for VPN

If you do not allow split-tunneling, then all VPN traffic, even traffic destined for the Internet, goes through the VPN tunnel. After the ASA decrypts it, VPN traffic is essentially the same as any other inside traffic: when an inside user needs to access the Internet, that user needs a public IP address, which NAT provides.

Figure 29-13 labels (diagram not reproduced): ASA management IP 10.1.1.1; 10.1.1.2 toward the Internet and www.example.com; inside host 10.1.1.75, source address translated to 209.165.201.15; downstream router 10.1.1.3 (step 4) and 192.168.1.1 toward Network 2, host 192.168.1.2, source address translated to 209.165.201.10; static route on router: 209.165.201.0/27 to 10.1.1.1; static route on ASA: 192.168.1.0/24 to 10.1.1.3.
