Cisco ASA/PIX RAS VPN Question

[Kanute]

Hello,

I've been digging through the Cisco documentation for awhile but haven't found an answer. I have a set of ASA5510's acting as VPN concentrators. My internal subnet is 192.168.0.0/24. However, I want to be able to assign RAS users IP addresses via an address pool in another subnet such as 192.168.199.0/24, in order to avoid IP conflicts as 192.168.0.0/24 is such a common home internal LAN subnet. Is there a way to do this? Such as configuring NAT on the RAS VPN?

Thanks,

Steven

 

[vmaxwell]

Hi Steven

You need to configure a vpn group for the remote users, the vpn group has to reference a local pool of address and config NAT 0 on the group to. If you want the remote users to have internet broweding access whilst connect into the vpn you need to enable split tunneling.

Below is a sample of what you need, just edit the IP and vpn group names (assuming the ipsec you have is already setup):


access-list 110 remark ACL for NAT 0
access-list 110 permit ip inside-network 255.255.255.0 192.168.199.0 255.255.255.0
access-list 110 permit ip inside-network 255.255.255.0 192.168.199.0 255.255.255.0


access-list 111 remark ACL for SPLIT-TUNNEL
access-list 111 permit ip inside-network 255.255.255.0 192.168.199.0 255.255.255.0
access-list 111 permit ip inside-network 255.255.255.0 192.168.199.0 255.255.255.0

ip local pool TESTVPNremote 192.168.199.1-192.168.199.254

nat (inside) 0 access-list 110

access-group 100 in interface outside

vpngroup pix address-pool TESTVPNremote
vpngroup pix dns-server dns-server
vpngroup pix wins-server wins-server
vpngroup pix default-domain cisco.com
vpngroup pix split-tunnel 111
vpngroup pix idle-time 1800
vpngroup pix password ##########