Help with Setting up NAT correctly.

15 years 2 months ago #29228 by timparker
Thanks Wayne. I will take a look at this and compare to what I have and make some adjustments.

I think part of my problem is that I am doing a lot of it through the GUI and should be learning the actual commands instead. I also need to get a better grasp on some of the terms and technologies too.

Thanks for the great info and help. I am sure I will be back!
15 years 2 months ago #29229 by timparker
I just printed everything out to compare and go through some of the books that I have so that I can get a solid understanding of everything.

I assume that the lines at the top (for example, this one) would be referencing the subnet in Remote Office A.

[code:1]
access-list NoNAT extended permit ip Lancaster-Net 255.255.255.0 192.168.116.0 255.255.255.0
[/code:1]

So on the Router (Cisco 871) that is in that office, I would need something like:

[code:1]
access-list NoNat extended permit ip 192.168.116.0 255.255.255.0 Lancaster-Net 255.255.255.0
[/code:1]

So that traffic originating out of that office going to our main HQ would then not be NAT'd.

So much to learn and do.....
15 years 2 months ago #29232 by Smurf
Hi,

Yes, you would do the NoNAT at both ends.

This would be the general way in which it's done. You can however perform NATting over the tunnels, but this is generally only used during acquisitions (i.e. Company A buys Company B and they want to link their networks. Company A is using 10.10.10.0/24 on their LAN and Company B is using 10.10.0.0/16 on their LAN. You get an overlapping address space, so to route between these remote LANs you would need to NAT at both ends of the tunnel endpoints).

I wouldn't get too bogged down with NATting over the VPN though; I have only come across this a few times.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
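As an added example (not code from the thread or from either poster), here is a small Python check of the two NoNAT lines above: it parses the ASA-style entries, confirms the remote entry is the mirror image of the HQ one, tests whether a given flow would bypass NAT, and flags the overlapping-LAN acquisition case Wayne describes. It assumes Lancaster-Net is the ASA object for 192.168.5.0/24 (Tim's 192.168.5.x network); an IOS router ACL would use wildcard masks rather than subnet masks, so the parser handles the ASA form only.

```python
import ipaddress

# Assumption: the ASA object "Lancaster-Net" resolves to the HQ LAN 192.168.5.0/24.
OBJECTS = {"Lancaster-Net": "192.168.5.0"}


def parse_acl_line(line, objects=OBJECTS):
    """Parse 'access-list NAME extended permit ip SRC SMASK DST DMASK' (ASA form).

    ASA extended ACLs carry subnet masks; IOS extended ACLs use wildcard masks,
    so this parser does not accept router syntax.
    """
    parts = line.split()
    if len(parts) != 9 or parts[2:5] != ["extended", "permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line}")
    src = ipaddress.ip_network(f"{objects.get(parts[5], parts[5])}/{parts[6]}", strict=False)
    dst = ipaddress.ip_network(f"{objects.get(parts[7], parts[7])}/{parts[8]}", strict=False)
    return parts[1], src, dst


def is_nat_exempt(acl_entries, src_ip, dst_ip):
    """True if a packet src->dst matches any NoNAT entry and therefore bypasses NAT."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for _, src, dst in acl_entries)


def is_mirror(local_entries, remote_entries):
    """The far end's NoNAT list must be the mirror image (src/dst swapped) of the local one."""
    local = {(src, dst) for _, src, dst in local_entries}
    remote = {(dst, src) for _, src, dst in remote_entries}
    return local == remote


def needs_vpn_nat(lan_a, lan_b):
    """Overlapping LANs (the 10.10.10.0/24 vs 10.10.0.0/16 acquisition case) cannot be
    routed across the tunnel untouched; at least one side must NAT over the VPN."""
    return ipaddress.ip_network(lan_a).overlaps(ipaddress.ip_network(lan_b))


# Constructed sample input: the two lines quoted in the thread.
HQ_ASA = [parse_acl_line(
    "access-list NoNAT extended permit ip Lancaster-Net 255.255.255.0 192.168.116.0 255.255.255.0")]
REMOTE = [parse_acl_line(
    "access-list NoNat extended permit ip 192.168.116.0 255.255.255.0 Lancaster-Net 255.255.255.0")]

if __name__ == "__main__":
    print("mirror:", is_mirror(HQ_ASA, REMOTE))
    print("HQ host -> remote office exempt:", is_nat_exempt(HQ_ASA, "192.168.5.10", "192.168.116.20"))
    print("overlap needs NAT:", needs_vpn_nat("10.10.10.0/24", "10.10.0.0/16"))
```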
15 years 2 months ago #29234 by timparker
Thanks. I think I got it. I started early this morning here in the office and added the few lines that you suggested, and I believe I am getting there! The "No Translation group errors...." are gone now and I see some traffic from my laptop to the different DCs and such.

I assume now that the next step is to write Security Policy rules that allow me to do things, as I tried to Remote Desktop to one of our Terminal Servers and it didn't like it. I didn't see any deny or dropped traffic in the syslog, but I don't think all the internal traffic is logged by default.

I think in my case as Net Admin that it will be a simple rule of allowing my 192.168.5.x IP to any of the Agency network Objects (192.168.16.x for example) allowing IP.

The actual remote users will have specifics, that I will have to add to lock down the traffic to specific servers, shares, etc.
15 years 2 months ago #29250 by timparker
I want to Thank Wayne and the others that have so far helped me along on the start of my Cisco journey!

I was able tonight to get connected, and actually work on a test server on our network through the Cisco equipment! I finally figured out what I was doing wrong.

The servers and such on the network currently have the gateway of our existing Watchguard FW or a Dlink router that was also used. So my connection to the ASA5505 was fine, and with the help that Wayne gave me I was able, I think, to get a little better grasp on what I am doing.

I took a test server tonight that is in my office and remotely changed the gateway to the ASA and, poof, it was like magic: Remote Desktop connected, VNC worked. It was nice.

I did notice that DNS isn't working, and for some reason at first I was thinking again, "darn, something else is wrong"; no, stupid, same problem. I will be setting up DNS on the test server to use for this testing phase. It also looks like I can just change our servers and it won't hurt anything, as I can still get to the test server from my desktop in the office!

So things are definitely moving full speed ahead! A sincere thanks. I am sure I will have more questions, and hope that I will be able to help someone else down the road!

Tim
15 years 2 months ago #29275 by Smurf
Glad stuff is working ;)

For testing purposes, you don't need to change the default gateways on your servers if you are only interested in going down the VPNs. What you can do is add the routes to the remote subnets on your WatchGuard Firebox to point to the ASA as the next hop; this will redirect all the VPN traffic to your ASA.

Just wondering why you are moving away from the WatchGuard (being a WatchGuard trainer)?

Wayne Murphy
Firewall.cx Team Member