
Policy NAT question

wilson_1234_2
Level 3

I have a policy NAT configured from our company to another company and it is working fine.

My device is 10.1.150.1

NATed to 10.9.0.3

Their device is 10.1.15.3

Everything works fine through the VPN tunnel when configured this way:

access-list NO_NAT line 2 extended deny ip host 10.1.150.1 host 10.1.15.3

static (inside,outside) 10.9.0.3 access-list yourcompanytranslation3

access-list yourcompanytranslation3 line 1 remark Next line is for yourcompany ATM Policy NAT

access-list yourcompanytranslation3 line 2 permit ip host 10.1.150.1 host 10.1.15.3

crypto map mycompany 30 match address yourcompany

crypto map mycompany 30 set peer 12.1.7.160

crypto map mycompany 30 set transform-set 3dessha

crypto map mycompany 30 set security-association lifetime seconds 3600

access-list yourcompany line 1 extended permit ip 10.9.0.0 255.255.255.248 host 10.1.15.3

The remote end has some applications that my end will be using in the future to additional addresses. I would like to filter the traffic to make sure we are only allowing outbound traffic that is needed.

My question is

Do I filter the traffic on the translation access-list:

access-list yourcompanytranslation3 line 1 remark Next line are for yourcompany ATM Policy NAT

access-list yourcompanytranslation3 line 2 permit ip host 10.1.150.1 host 10.1.15.3 eq 5202

access-list yourcompanytranslation3 line 3 permit ip host 10.1.150.1 host 10.1.10.223 range 3464 3467

Or do I filter it on the access-list applied to the crypto map:

access-list yourcompany line 1 extended permit ip 10.9.0.0 255.255.255.248 host 10.1.15.3 eq 5202

access-list yourcompany line 2 extended permit ip 10.9.0.0 255.255.255.248 host 10.1.10.223 range 3464 3467

Accepted Solution

Farrukh Haroon
VIP Alumni

First of all you cannot specify ports with 'permit ip' access lists. You need to use 'permit tcp/udp' ACLs.

Just be specific with the NAT ACL, this way all required traffic will be NATed to the 10.9.x.x address. The traffic will hit the crypto 'permit IP' ACL only when it is NATed, so there is no need to change the crypto ACL.

Any traffic that does not hit the NAT ACL (as in does not get NATed) will never hit the crypto ACL anyway (because its source will not be 10.9.x.x).

Regards

Farrukh


4 Replies


Thanks for the reply,

I had copied and pasted the ACL, then added the port and didn't notice the IP vs TCP.

The ASA wouldn't have let me put it in that way either.

Thanks for pointing that out.

I suspected I should be specific on the NAT ACL.

I appreciate you confirming, thanks.

I have a follow up question on this,

If the remote end needs to also access my host (two way), do I need to modify the translation access-list for two-way traffic?

For example:

access-list yourcompanytranslation3 line 1 remark Next line are for yourcompany ATM Policy NAT

access-list yourcompanytranslation3 line 2 permit tcp host 10.1.150.1 host 10.1.10.223 range 3464 3467

access-list yourcompanytranslation3 line 3 permit tcp host 10.1.10.223 host 10.1.150.1 range 3464 3467

access-list yourcompanytranslation3 line 4 permit tcp host 10.1.150.1 host 10.1.15.3 eq 5202

access-list yourcompanytranslation3 line 5 permit tcp host 10.1.15.3 host 10.1.150.1 eq 5202

No Wilson, the static command is bidirectional. So is the nat 0 ACL (NAT exemption).

Regards

Farrukh
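To make the two points in the answers above concrete (filter on the NAT ACL and leave the crypto ACL as 'permit ip'; the static is bidirectional so no reverse ACEs are needed), here is an added Python model of that ASA processing order. It is not from the thread or from Cisco; it assumes the tightened tcp/port NAT ACL from the follow-up and assumes the crypto ACL lists both remote hosts with 'permit ip'.

```python
import ipaddress

# Constructed model of the order the thread describes: the policy NAT ACL is
# evaluated first, then the crypto-map ACL sees the *translated* source.
# ACE = (proto, src_net, dst_net, dst_ports); dst_ports is None or (lo, hi).
NAT_ACL = [  # access-list yourcompanytranslation3, tcp with ports (from the thread)
    ("tcp", "10.1.150.1/32", "10.1.15.3/32", (5202, 5202)),
    ("tcp", "10.1.150.1/32", "10.1.10.223/32", (3464, 3467)),
]
STATIC_MAP = {"10.1.150.1": "10.9.0.3"}  # static (inside,outside) 10.9.0.3 ...
CRYPTO_ACL = [  # access-list yourcompany: 'permit ip', no ports (assumed for both hosts)
    ("ip", "10.9.0.0/29", "10.1.15.3/32", None),
    ("ip", "10.9.0.0/29", "10.1.10.223/32", None),
]


def _match(ace, proto, src, dst, dport):
    """True if one ACE matches the flow; 'ip' ACEs match any protocol."""
    aproto, asrc, adst, ports = ace
    if aproto != "ip" and aproto != proto:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(asrc):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(adst):
        return False
    return ports is None or ports[0] <= dport <= ports[1]


def outbound(proto, src, dst, dport):
    """Inside -> outside. Returns (source address on the wire, encrypted?)."""
    if any(_match(a, proto, src, dst, dport) for a in NAT_ACL):
        src = STATIC_MAP[src]  # policy NAT applies
    # Flows that were not translated keep 10.1.150.1 and cannot match 10.9.0.0/29.
    encrypted = any(_match(a, proto, src, dst, dport) for a in CRYPTO_ACL)
    return src, encrypted


def inbound(proto, src, dst, sport):
    """Outside -> inside. The static is bidirectional: the same NAT ACL is
    checked with the roles swapped, so the remote port is now the source port.
    Returns (destination after untranslation, translated?)."""
    reverse = {v: k for k, v in STATIC_MAP.items()}
    if dst not in reverse:
        return dst, False
    real = reverse[dst]
    if any(_match(a, proto, real, src, sport) for a in NAT_ACL):
        return real, True
    return dst, False
```

Only flows the NAT ACL permits reach the tunnel; a reply from the remote host to 10.9.0.3 on the same port is untranslated without any extra ACE.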
