Policy NAT question

Answered Question
Oct 8th, 2008

I have a policy NAT configured from our company to another company and it is working fine.


My device is 10.1.150.1

NATed to 10.9.0.3


Their device is 10.1.15.3


Everything works fine through the VPN tunnel when configured this way:



access-list NO_NAT line 2 extended deny ip host 10.1.150.1 host 10.1.15.3


static (inside,outside) 10.9.0.3 access-list yourcompanytranslation3


access-list yourcompanytranslation3 line 1 remark Next line is for yourcompany ATM Policy NAT

access-list yourcompanytranslation3 line 2 permit ip host 10.1.150.1 host 10.1.15.3


crypto map mycompany 30 match address yourcompany

crypto map mycompany 30 set peer 12.1.7.160

crypto map mycompany 30 set transform-set 3dessha

crypto map mycompany 30 set security-association lifetime seconds 3600


access-list yourcompany line 1 extended permit ip 10.9.0.0 255.255.255.248 host 10.1.15.3



The remote end has some applications that my end will be using in the future to additional addresses. I would like to filter the traffic to make sure we are only allowing outbound traffic that is needed.


My question is


Do I filter the traffic on the translation access-list:


access-list yourcompanytranslation3 line 1 remark Next line are for yourcompany ATM Policy NAT

access-list yourcompanytranslation3 line 2 permit ip host 10.1.150.1 host 10.1.15.3 eq 5202

access-list yourcompanytranslation3 line 3 permit ip host 10.1.150.1 host 10.1.10.223 range 3464 3467



Or do I filter it on the access-list applied to the crypto map:


access-list yourcompany line 1 extended permit ip 10.9.0.0 255.255.255.248 host 10.1.15.3 eq 5202

access-list yourcompany line 2 extended permit ip 10.9.0.0 255.255.255.248 host 10.1.10.223 range 3464 3467







Correct Answer
Farrukh Haroon Thu, 10/09/2008 - 00:28

First of all you cannot specify ports with 'permit ip' access lists. You need to use 'permit tcp/udp' ACLs.


Just be specific with the NAT ACL, this way all required traffic will be NATed to the 10.9.x.x address. The traffic will hit the crypto 'permit IP' ACL only when it is NATed, so there is no need to change the crypto ACL.


Any traffic that does not hit the NAT ACL (as in does not get NATed), will never hit the crypto ACL anyway (because its source will not be 10.9.x.x).


Regards


Farrukh

wilson_1234_2 Thu, 10/09/2008 - 04:28

Thanks for the reply,


I had copied and pasted the ACL, then added the port and didn't notice the IP vs TCP.


The ASA wouldn't have let me put it in that way either.


Thanks for pointing that out.


I suspected I should be specific on the NAT ACL.


I appreciate you confirming, thanks.

wilson_1234_2 Thu, 10/16/2008 - 05:58

I have a follow up question on this,


If the remote end needs to also access my host (two way) do I need to modify the translation access-list for two-way traffic?


For example:


access-list yourcompanytranslation3 line 1 remark Next line are for yourcompany ATM Policy NAT

access-list yourcompanytranslation3 line 2 permit tcp host 10.1.150.1 host 10.1.10.223 range 3464 3467

access-list yourcompanytranslation3 line 3 permit tcp host 10.1.10.223 host 10.1.150.1 range 3464 3467

access-list yourcompanytranslation3 line 4 permit tcp host 10.1.150.1 host 10.1.15.3 eq 5202

access-list yourcompanytranslation3 line 5 permit tcp host 10.1.15.3 host 10.1.150.1 eq 5202




Farrukh Haroon Sat, 10/18/2008 - 03:38

No Wilson, the static command is bi-directional. So is the nat 0 ACL (nat exemption).


Regards


Farrukh
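The two points made in the answers above (policy NAT is evaluated before the crypto-map ACL, so an untranslated packet can never match a crypto ACL whose source is the mapped 10.9.x.x range; and a static is bi-directional, so the same NAT ACL also untranslates connections the remote site initiates) can be checked with a small simulation. This is an added example and not code from the thread or from Cisco: it is a simplified model of the pre-8.3 ASA order of operations for this one configuration, with the thread's ACLs rendered as data. The port-qualified NAT ACEs are taken from the accepted answer. The way the reverse direction is modelled (an ACE's port qualifier is read as the remote host's source port when the ACL is mirrored) is an assumption of this model, so verify it against your own ASA before relying on it.

```python
"""Simplified model of ASA policy NAT followed by crypto-map ACL matching.

Added example, not the thread's or Cisco's code. It models only the
order of evaluation, not the real ASA packet path or connection table.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp", "udp" or "ip"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches any protocol
    src: str            # host address or CIDR
    dst: str
    ports: Optional[Tuple[int, int]] = None   # destination port range; None = any


def _in(net: str, addr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def ace_matches(a: Ace, proto: str, src: str, dst: str, port: int) -> bool:
    if a.proto != "ip" and a.proto != proto:
        return False
    if not (_in(a.src, src) and _in(a.dst, dst)):
        return False
    return a.ports is None or a.ports[0] <= port <= a.ports[1]


def acl_action(acl: List[Ace], proto: str, src: str, dst: str, port: int,
               reverse: bool = False) -> str:
    """First-match evaluation with the ASA's implicit deny at the end.
    reverse=True reads every ACE with source and destination swapped,
    which is how the model treats return/inbound traffic."""
    for a in acl:
        s, d = (a.dst, a.src) if reverse else (a.src, a.dst)
        if ace_matches(Ace(a.action, a.proto, s, d, a.ports), proto, src, dst, port):
            return a.action
    return "deny"


# The thread's configuration as data.
# static (inside,outside) 10.9.0.3 access-list yourcompanytranslation3
REAL, MAPPED = "10.1.150.1", "10.9.0.3"
NAT_ACL = [     # access-list yourcompanytranslation3, ports added per the accepted answer
    Ace("permit", "tcp", REAL, "10.1.15.3", (5202, 5202)),
    Ace("permit", "tcp", REAL, "10.1.10.223", (3464, 3467)),
]
CRYPTO_ACL = [  # access-list yourcompany: left as 'permit ip', as the answer recommends
    Ace("permit", "ip", "10.9.0.0/29", "10.1.15.3"),
    Ace("permit", "ip", "10.9.0.0/29", "10.1.10.223"),
]


def outbound(p: Pkt) -> Tuple[Pkt, bool]:
    """inside -> outside: policy NAT first, crypto-map ACL on the translated packet.
    Returns (packet as it leaves the ASA, True if it goes into the tunnel)."""
    if acl_action(NAT_ACL, p.proto, p.src, p.dst, p.dport) == "permit":
        p = replace(p, src=MAPPED)
    tunnelled = acl_action(CRYPTO_ACL, p.proto, p.src, p.dst, p.dport) == "permit"
    return p, tunnelled


def inbound(p: Pkt) -> Tuple[Pkt, bool]:
    """outside -> inside for a connection the remote site initiates.
    The crypto ACL is checked mirrored on the packet as received (dst still 10.9.0.3).
    The static then untranslates the destination because it is bi-directional:
    the NAT ACL is read mirrored, so an ACE's port qualifier now constrains the
    remote host's source port (model assumption; see lead-in)."""
    accepted = acl_action(CRYPTO_ACL, p.proto, p.src, p.dst, p.sport, reverse=True) == "permit"
    if accepted and p.dst == MAPPED and \
            acl_action(NAT_ACL, p.proto, p.src, REAL, p.sport, reverse=True) == "permit":
        p = replace(p, dst=REAL)
    return p, accepted


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    for pkt in (Pkt("tcp", REAL, "10.1.15.3", 40000, 5202),     # NATed and tunnelled
                Pkt("tcp", REAL, "10.1.15.3", 40000, 22),       # not NATed, never hits crypto ACL
                Pkt("udp", REAL, "10.1.10.223", 40000, 3465)):  # wrong protocol, same result
        print("out", pkt, "->", outbound(pkt))
    for pkt in (Pkt("tcp", "10.1.15.3", MAPPED, 5202, 40000),   # untranslated to 10.1.150.1
                Pkt("tcp", "10.1.15.3", MAPPED, 40000, 5202)):  # accepted by crypto, not untranslated
        print("in ", pkt, "->", inbound(pkt))
```

The second outbound case is the one the accepted answer describes: a packet to a port that is not in the NAT ACL keeps its real source 10.1.150.1, so the crypto ACL (source 10.9.0.0/29) cannot match it and it is never encrypted. The last inbound case shows why a port-qualified NAT ACE is not automatically symmetric: when the ACL is mirrored, the port qualifier constrains the remote host's source port, which is fine for replies to a connection 10.1.150.1 opened but not for a connection the remote host opens from an ephemeral port.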
