NAT and Policy NAT on ASA

Unanswered Question
Jun 25th, 2007

Hi,

I have a query and was wondering if you could help us with a policy NAT issue we are having. I have come up with 2 solutions and both of them work to a certain degree but neither gives a 100% solution.

The background to what we want to achieve is as follows:

We have a site-site VPN between 2 companies terminating on the ASAs. Company A uses an internal LAN address of 172.20.0.x/24 and Company B runs on an internal LAN address of 10.50.1.x/24. We need Company A to present an address range of 192.168.1.x/24 when communicating across the VPN with Company B. Obviously we want Company A's PCs to still be able to access the Internet as normal etc. We can limit the number of PCs from Company A to B also if needed.

I have come up with 2 solutions, one is using policy NAT for the VPN, and the other is using just Static NATs ( I will post the relevant config details below).

If I use Policy NAT, and NAT for example 3 of Company A's PCs to a NAT "Pool" of 3 addresses, this works fine. However the only problem with this solution is that Company B cannot easily communicate with the Company A PCs until a Company A PC makes a connection and forces a translation. At this point Company B can ping the first of the translated addresses ok. So for example if Company A - PC 1 pings 10.50.1.50, the PC gets translated to 192.168.1.200. Company B can now ping the address of 192.168.1.200 with no problems, however when more PCs are added to this situation it becomes very difficult to manage the return connections and know which PC is associated with which translated address. Also Company B cannot initialise a connection to Company A unless Company A has made an outbound Policy NAT translation.

But the PCs in Company A can surf the Internet etc as normal with no issues.

The Second solution uses 1 to 1 Static NAT Translations between Company A and Company B. This is a more elegant solution as you can always know what mappings are associated with each PC. Both Company A and Company B can initialize traffic to each other with this solution, however the downside to this is that the PCs of Company A that have static translations can no longer surf the Internet. (I know we can get around this by using a proxy server etc).

What we are wondering is if there is some solution we are overlooking that will give us the best of both worlds i.e:

Company A being able to connect with Company B using the 1:1 type NATing.

Company B being able to communicate with Company A at any stage without translations needed first from Com A.

Company A's PCs still being able to access Internet etc without the use of Proxy Servers etc.

Please see configs below:

Solution 1
==========

object-group network NAT_GROUP
 network-object 172.20.0.50 255.255.255.255
 network-object 172.20.0.51 255.255.255.255
 network-object 172.20.0.52 255.255.255.255

access-list NAT extended permit ip object-group NAT_GROUP 10.50.1.0 255.255.255.0
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 10.50.1.0 255.255.255.0

global (outside) 2 192.168.1.200-192.168.1.202 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 2 access-list NAT
nat (inside) 1 0.0.0.0 0.0.0.0

Solution 2
==========

static (inside,outside) 192.168.1.200 172.20.0.50
static (inside,outside) 192.168.1.201 172.20.0.51
static (inside,outside) 192.168.1.202 172.20.0.52

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

access-list VPN extended permit ip 192.168.1.0 255.255.255.0 10.50.1.0 255.255.255.0

Thanks,

Ian.

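To make the difference between the two postings' solutions concrete, here is an added illustration (not from the thread, not Cisco code) that models the ASA translation (xlate) table in Python: a dynamic policy NAT pool only creates a translation on the first outbound packet, so Company B's inbound packets find nothing to match until then, whereas static NAT entries exist permanently in both directions but also take over the hosts' Internet traffic. The class names, the INTERFACE_PAT marker and the sample addresses are constructed for the model.

```python
# Added model of the ASA xlate table (constructed, not the appliance's code).
from ipaddress import ip_address, ip_network

INSIDE_HOSTS = ["172.20.0.50", "172.20.0.51", "172.20.0.52"]  # NAT_GROUP in the thread
REMOTE_NET = ip_network("10.50.1.0/24")                       # Company B
POOL = ["192.168.1.200", "192.168.1.201", "192.168.1.202"]    # global (outside) 2
INTERFACE_PAT = "outside-interface-PAT"                       # global (outside) 1 interface


class DynamicPolicyNat:
    """Solution 1: 'nat (inside) 2 access-list NAT' with a global pool."""
    def __init__(self):
        self.xlate = {}          # real inside address -> mapped address
        self.free = list(POOL)

    def outbound(self, src, dst):
        # Policy NAT only matches NAT_GROUP -> 10.50.1.0/24; anything else
        # (e.g. Internet traffic) falls through to the interface PAT rule.
        if src not in INSIDE_HOSTS or ip_address(dst) not in REMOTE_NET:
            return INTERFACE_PAT
        if src not in self.xlate:
            if not self.free:
                return None                      # pool exhausted, packet dropped
            self.xlate[src] = self.free.pop(0)   # xlate built on first outbound packet
        return self.xlate[src]

    def inbound(self, dst):
        # Inbound to a pool address is accepted only if an xlate already exists.
        return next((r for r, m in self.xlate.items() if m == dst), None)


class StaticNat:
    """Solution 2: 'static (inside,outside) 192.168.1.20x 172.20.0.5x'."""
    def __init__(self):
        self.xlate = dict(zip(INSIDE_HOSTS, POOL))   # permanent, bidirectional

    def outbound(self, src, dst):
        # The static applies to every destination, so Internet traffic from
        # these hosts is sourced from the 192.168.1.x address (Ian's downside).
        return self.xlate.get(src, INTERFACE_PAT)

    def inbound(self, dst):
        return next((r for r, m in self.xlate.items() if m == dst), None)


def demo():
    dyn, sta = DynamicPolicyNat(), StaticNat()
    before = dyn.inbound("192.168.1.200")       # Company B tries first: no xlate yet
    dyn.outbound("172.20.0.50", "10.50.1.50")   # PC 1 pings B, forcing a translation
    after = dyn.inbound("192.168.1.200")        # now Company B reaches PC 1
    return before, after, sta.inbound("192.168.1.201")
```

demo() returns (None, '172.20.0.50', '172.20.0.51'): the dynamic pool answers only after the outbound packet, the static entry answers immediately.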
James.Ren Mon, 06/25/2007 - 02:54

Dear Ian,

My suggestion might not be relevant to your question in terms of using NAT. I wonder in this case whether a policy NAT is really needed. If you could consider a HW client remote access VPN, let's say, Company B acts as the headquarters and Company A as the affiliate, then you can use network extension mode to enable internal LAN connection through VPN. But I'm uncertain whether there are restrictions in hardware versions....

Another solution might be outside NAT after VPN terminates in ASA. See whether this can get through.

Regards,

James Ren

ianflgcsb Mon, 06/25/2007 - 03:07

Hi James,

Thanks for the reply.

Yes I suppose a HW client could help with the solution alright, we would just need to try to keep the translations static. B needs to see a 192.168.1.x address due to the huge amount of routing already in place at B.

Outside NAT or NAT at Company B on the inbound may be possible too, but I guess I am just making sure that I haven't overlooked anything on the ASA in Company A, or have we more or less reached the limits of what can be done from a NAT point of view on this ASA?

Thanks again,

Rgds,

Ian.

ipsoft Mon, 06/25/2007 - 12:30

Hi Ian,

I am also interested in this functionality.

Based on the solutions you listed, let's take the first one and modify it a bit:

Solution 1
==========

object-group network MY_OFFICE
 network-object 172.20.0.0 255.255.255.0

object-group network REMOTE_OFFICE
 network-object 10.50.1.0 255.255.255.0

access-list NAT extended permit ip object-group MY_OFFICE object-group REMOTE_OFFICE

access-list Internet_access extended deny ip object-group MY_OFFICE object-group REMOTE_OFFICE
access-list Internet_access extended permit ip object-group MY_OFFICE any

access-list VPN extended permit ip 192.168.1.0 255.255.255.0 object-group REMOTE_OFFICE

global (outside) 2 192.168.1.1-192.168.1.254 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 2 access-list NAT
nat (inside) 1 access-list Internet_access

James.Ren Mon, 06/25/2007 - 18:28

I agree with ipsoft to exclude the VPN traffic from the internet traffic but I think so far we are still unable to meet task 2. But that B accesses A without NAT in A seems beyond the logic of NAT?

JR

James.Ren Tue, 06/26/2007 - 03:57

I mean security appliance has to find a translation slot to transmit the packet.

ianflgcsb Tue, 06/26/2007 - 06:15

James,

The Static NAT solution gets around this problem, I was just wondering if there is a solution that can still provide internet access to these PCs when going to the Internet.

Policy NAT was meant to address all these strange NAT requirements.

Rgds,

Ian.

ianflgcsb Tue, 06/26/2007 - 06:12

Hi Guys thanks for your replies.

Yes this seemed like the perfect type of solution, sorry I didn't include the fact that I tried a similar solution and was sad to see that Policy NAT will NOT work with a "Deny" statement in the Access-List. Once we issue the access-list statement within the NAT command it initializes Policy NAT.

ipsoft, if we could use the above solution with the deny statement, this would still cut off the remote end from being able to communicate with the local end due to the dynamic translations going on. It's just very interesting to see if this solution can be achieved or not??

It seems bizarre that this functionality cannot be used on a modern ASA??

Thanks,

Best Regards,

Ian.
