Policy NAT question

wilson_1234_2
Level 3

I have a question regarding policy NAT set up in our firewalls.

We currently have numerous VPN tunnels set up, some of them to outside sources and configured with a policy NAT similar to this:

! crypto map entry for this peer; its match ACL "policy" is written in post-NAT terms
crypto map pub 30 ipsec-isakmp
crypto map pub 30 match address policy
crypto map pub 30 set peer 6.1.8.7
crypto map pub 30 set transform-set 3dessha
! policy static: translate 10.1.15.1 to 10.9.6.1 only when the destination is 10.7.15.3
static (inside,outside) 10.9.6.1 access-list policy_translation 0 0
access-list policy_translation permit ip host 10.1.15.1 host 10.7.15.3
! crypto ACL: interesting traffic is the translated range 10.9.6.0/29 to 10.7.15.3
access-list policy permit ip 10.9.6.0 255.255.255.248 host 10.7.15.3

My question is, is this usually set up this way for added security?

It looks as though the tunnels configured this way are mostly for connections from outside networks.

Why go through this process ?

8 Replies

Jon Marshall
Hall of Fame

Richard

The main reason for policy NAT is to control when an IP address gets NATed to another IP address, i.e. from your example above

static (inside,outside) 10.9.6.1 access-list policy_translation 0 0
access-list policy_translation permit ip host 10.1.15.1 host 10.7.15.3

So basically when 10.1.15.1 sends traffic to 10.7.15.3 it gets NATed to 10.9.6.1.

You could just use

static (inside,outside) 10.9.6.1 10.1.15.1

but what if another remote site is using 10.9.6.x as a network already? Then you want to NAT 10.1.15.1 to 10.9.7.1 if it goes to that remote site.

This is the key use of policy NAT, i.e. it allows an IP address to be NATed to multiple different IP addresses.

Hope this makes sense

Jon

Thanks for the reply jon,

That makes sense, but what if we have no other remote site using the 10.9.6.x subnet (we don't).

What would be the reason for using it?

Richard

The other main reason I can think of is that 10.1.15.1 may need Internet access, and if it does then it will need to be NATed to a public IP address as it goes through the firewall.

And perhaps when the VPN was setup the 10.9.6.x address was agreed on. It is quite difficult to second guess why something is like it is and perhaps the previous admin just liked policy NAT :-).

Jon

Richard,

In addition to what Jon said, one other possibility is that if you have VPN connection(s) to external vendors and they expect traffic to be sourced from 10.9.6.1 when you access their network, then using this policy NAT would make sense as well. Could that be the case, since you stated in your original post that you have VPNs from outside sources?

HTH

Sundar

Thanks guys,

Can you walk me through exactly what is happening here:

static (inside,outside) 10.9.6.1 access-list policy_translation 0 0

access-list policy_translation permit ip host 10.1.15.1 host 10.7.15.3

Here it is shown a little differently, and it kind of makes a little more sense this way.

static (inside,outside) 10.9.6.1 (permit ip host 10.1.15.1 host 10.7.15.3) 0 0

I mean, I could accomplish the same thing via a VPN tunnel without NATing to 10.9.6.1, correct?

Single host to single host, except it would be 10.1.15.1, correct?

There is no additional benefit except I control what the remote site has as the allowed address?

"static (inside,outside) 10.9.6.1 access-list policy_translation 0 0

access-list policy_translation permit ip host 10.1.15.1 host 10.7.15.3"

When the host 10.1.15.1 sends data to 10.7.15.3, then before the data is encrypted and sent down the tunnel the source IP address is changed to 10.9.6.1.

It also means that the remote IP 10.7.15.3 can send data to 10.9.6.1, and after being decrypted the destination IP address will be changed to 10.1.15.1.

You could set up the VPN tunnel without the NAT and yes, it would work, but you would need to make sure the other end of the VPN now connects back to 10.1.15.1.

If you don't need policy NAT because of the reasons given in previous posts then no, there really is no additional benefit.

Jon
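To make the two directions Jon describes concrete, here is a small model of how a PIX/ASA (pre-8.3 syntax) applies a policy static and then matches the crypto map. This is an added example, not code from the thread or from Cisco. The addresses 10.1.15.1, 10.9.6.1, 10.7.15.3 and the 10.9.6.0/29 crypto ACL come from the original post; the second remote site (192.168.50.0/24 reached via 10.9.7.1, crypto map sequence 40) and all function names are assumptions added for illustration of Jon's "NAT the same host to a different address for another site" point.

```python
"""Model of policy static NAT followed by crypto-map matching on a PIX/ASA.

Added example, not from the thread. Addresses from the post; the second
remote site (192.168.50.0/24 via 10.9.7.1) and the names are assumed.
"""
from ipaddress import ip_address, ip_network

# static (inside,outside) <mapped> access-list <acl> 0 0
# Each policy ACE is (source net, destination net). First match wins,
# as with the static statements on the firewall, so order matters.
POLICY_STATICS = [
    # access-list policy_translation permit ip host 10.1.15.1 host 10.7.15.3
    {"real": "10.1.15.1", "acl": ("10.1.15.1/32", "10.7.15.3/32"), "mapped": "10.9.6.1"},
    # Assumed second site: the same host is translated to a different address there
    {"real": "10.1.15.1", "acl": ("10.1.15.1/32", "192.168.50.0/24"), "mapped": "10.9.7.1"},
]

# crypto map "pub" entries keyed by sequence number. The ACLs are written in
# post-NAT terms because the firewall translates before it matches the crypto map.
CRYPTO_ACLS = {
    30: ("10.9.6.0/29", "10.7.15.3/32"),      # access-list policy (from the post)
    40: ("10.9.7.1/32", "192.168.50.0/24"),   # assumed entry for the second site
}


def acl_matches(acl, src, dst):
    """True when src and dst fall inside the (source, destination) pair of an ACE."""
    src_net, dst_net = (ip_network(n) for n in acl)
    return ip_address(src) in src_net and ip_address(dst) in dst_net


def translate_outbound(src, dst):
    """inside -> outside: replace the source with the mapped address of the
    first policy static whose ACL matches this src/dst pair."""
    for entry in POLICY_STATICS:
        if src == entry["real"] and acl_matches(entry["acl"], src, dst):
            return entry["mapped"]
    return src  # no policy hit; a real box would fall through to its other NAT rules


def translate_inbound(src, dst):
    """outside -> inside: a static is bidirectional, so a packet from the remote
    host to the mapped address is untranslated to the real host, but only when
    the remote source matches the destination side of the policy ACE."""
    for entry in POLICY_STATICS:
        _, dst_net = entry["acl"]
        if dst == entry["mapped"] and ip_address(src) in ip_network(dst_net):
            return entry["real"]
    return dst


def crypto_map_seq(src, dst):
    """Sequence number of the crypto map entry whose ACL matches, or None
    (the packet is not encrypted; whether it is dropped depends on other policy)."""
    for seq, acl in CRYPTO_ACLS.items():
        if acl_matches(acl, src, dst):
            return seq
    return None


def forward_path(src, dst):
    """Order of operations for an outbound packet: NAT first, then crypto map."""
    xlated = translate_outbound(src, dst)
    return xlated, crypto_map_seq(xlated, dst)


if __name__ == "__main__":
    print(forward_path("10.1.15.1", "10.7.15.3"))      # ('10.9.6.1', 30)
    print(forward_path("10.1.15.1", "192.168.50.7"))   # ('10.9.7.1', 40)
    print(forward_path("10.1.15.2", "10.7.15.3"))      # ('10.1.15.2', None)
    print(translate_inbound("10.7.15.3", "10.9.6.1"))  # 10.1.15.1
```

The third call is the check worth keeping in mind: a host that is not listed in policy_translation never becomes a 10.9.6.x address, so it does not match the crypto ACL and is never sent through the tunnel. If you add inside hosts for the remote site, both the policy ACL and the crypto ACL have to cover them.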

Jon,

Would you say the most likely reason for me to do policy NAT on my end (if I can find no other reason) is that the remote side had a problem with my source addresses and needed us to NAT them?

Also, what about if I have a problem with a remote IP Address as in already have that subnet, can I do anything on my end like policy NAT the destination IP Address?

Richard

We have used policy NAT for that very reason, i.e. the remote site needed our source IP addresses NATed but they could not accept what we were already NATing them to, so we had to use a different address.

The second part of your question: it depends.

1) If the address is already in use for a different VPN then you would need the NAT to happen at the remote end, because your firewall would not be able to distinguish between the same source IP address coming from 2 different sites.

2) If the address is already in use on your local LAN you don't need policy NAT, because you're NATing the source IP addresses, so you could do the following

! outside NAT: translate remote sources in 192.168.5.0/24 as they arrive on the outside interface
nat (outside) 1 192.168.5.0 255.255.255.0 outside
! to this single inside-facing address (PAT)
global (inside) 1 172.16.5.1

In the above example the remote site is using 192.168.5.0/24 as their source IPs. You are already using these, so you NAT the source IPs to 172.16.5.1 as they come into your firewall.

HTH

Jon
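The outside NAT in Jon's last reply is the other half of the picture: the remote site's overlapping addresses are rewritten as they enter, so inside hosts only ever see 172.16.5.1. The model below is an added example, not code from the thread or from Cisco; 192.168.5.0/24 and 172.16.5.1 are the values from the reply, while port allocation from 1024 upward, the interface names and the class and method names are assumptions for illustration (a real ASA chooses mapped ports differently).

```python
"""Model of `nat (outside) 1 192.168.5.0 255.255.255.0 outside` plus
`global (inside) 1 172.16.5.1`: dynamic PAT of a remote site's overlapping
range to one inside address. Added example; port numbering is assumed.
"""
from ipaddress import ip_address, ip_network

REMOTE_REAL = ip_network("192.168.5.0/24")   # remote site's real addresses (from the reply)
GLOBAL_INSIDE_IP = "172.16.5.1"              # global (inside) 1 172.16.5.1
FIRST_MAPPED_PORT = 1024                      # assumed starting point for the PAT pool


class OutsideNat:
    """Dynamic PAT for traffic that enters on the outside interface."""

    def __init__(self):
        self.xlate = {}      # (real_ip, real_port) -> mapped_port
        self.reverse = {}    # mapped_port -> (real_ip, real_port)
        self.next_port = FIRST_MAPPED_PORT

    def inbound(self, ingress_if, src_ip, src_port):
        """Translate the source of a packet arriving from the VPN peer.
        Returns the (ip, port) an inside host will see as the sender."""
        # The rule is bound to the outside interface: a packet from our own
        # 192.168.5.x host on the inside is not touched, so the overlap is harmless.
        if ingress_if != "outside" or ip_address(src_ip) not in REMOTE_REAL:
            return src_ip, src_port
        key = (src_ip, src_port)
        if key not in self.xlate:
            mapped = self.next_port
            self.next_port += 1
            self.xlate[key] = mapped
            self.reverse[mapped] = key
        return GLOBAL_INSIDE_IP, self.xlate[key]

    def reply(self, dst_ip, dst_port):
        """Untranslate a reply that an inside host sends to 172.16.5.1:<port>."""
        if dst_ip == GLOBAL_INSIDE_IP and dst_port in self.reverse:
            return self.reverse[dst_port]
        return dst_ip, dst_port


def demo():
    """Walk one remote flow, a second remote host, a local host and the reply."""
    nat = OutsideNat()
    seen = nat.inbound("outside", "192.168.5.10", 40000)   # remote host, mapped
    same = nat.inbound("outside", "192.168.5.10", 40000)   # existing xlate reused
    other = nat.inbound("outside", "192.168.5.11", 40000)  # second remote host, new port
    local = nat.inbound("inside", "192.168.5.10", 40000)   # our own LAN host, untouched
    back = nat.reply(*seen)                                 # reply is untranslated
    return seen, same, other, local, back


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Note that the xlate is keyed only on the real source address and port, which is exactly why Jon's case 1 cannot be solved on your end: two peers both sending from 192.168.5.10 would collide in that table, so one of them has to translate before the traffic reaches you.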
