NAT Translation to Address on Inside of Firewall

Unanswered Question
Nov 7th, 2008

Greetings, we have recently deployed an MPLS network for one of our customers; all internet traffic is routed out via a firewall managed by ourselves at the HQ location.

All remote sites have MPLS addresses assigned in the 172.18.255.0/30 range; all internal LAN-facing subnets have allocations in the 10.130.0.0/16 range.

At present, if I form a remote access IPsec VPN connection with the firewall I can gain access to each router on its LAN-facing interface but can't get access to its MPLS-facing interface on the 172.18.255.0/30 range. This still applies if I add the 172.18.255.0/30 network to the split tunnel ACL. I can ping devices on the 172.18.255.0/30 network from the firewall.

For remote access VPN connections, is it possible to put NAT statements on the firewall in an inbound direction to, say, translate the outside address of the remote site from 172.18.255.x to 10.130.x.x?

Any help would be much appreciated.

Jon Marshall Thu, 11/13/2008 - 09:19

I'm not sure I fully understand your topology, but if you want to translate incoming source IP addresses on a firewall:

static (outside,inside) 10.130.10.1 172.18.255.1

would NAT 172.18.255.1 coming in through the outside interface to 10.130.10.1

Jon

exonetinf1nity Fri, 11/28/2008 - 07:39

Cheers for the replies guys, I have attached a quick example of the current setup.

Each remote site has two subnets sitting behind the LAN interface of the router in the 10.70.0.0 and 10.171.0.0 ranges.

The MPLS facing interface has addresses out of the 172.18.255.0 address space.

The firewall at the HQ has an inside address of 10.171.40.1 as part of the HQ 10.171.40.0 /24 subnet.

Now when I connect to the firewall via remote access VPN I can connect to every site that has an address in the 10.171.0.0 address space but can't connect to any address in either the 172.18.255.0 or 10.170.0.0 range.

The response from the firewall indicates that there is no translation group:

No translation group found for icmp src outside:10.171.40.240 dst inside:10.170.40.1 (type 8, code 0)

I do have a split tunnel list that covers both the 172.18.255.0 and 10.170.0.0 networks but I still receive the above response, hence my question as to whether it would be possible to drop in either a dynamic or static NAT rule that would match traffic coming in from a remote access VPN connection, allowing me to get to both the 172.18.255.0 and 10.170.0.0 networks respectively.

Regards

tahequivoice Tue, 11/18/2008 - 06:33

Sounds like a routing/ACL issue. Can you ping the remote LANs from the ASA? If you can, then you should also be able to access them from the VPN pool IPs; if not, check the ACL for the split tunnel to make sure the LAN addresses are listed and that the LAN segments can get back to the IP range of the pool. You shouldn't need to translate unless you have overlapping addresses on the MPLS.
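As an added example (not configuration posted by anyone in this thread), here is the pre-8.3 ASA configuration that addresses the "No translation group found" message quoted above: a NAT exemption so traffic between the VPN pool and the inside networks matches a translation rule without any address being rewritten, alongside the split-tunnel list the client needs. Assumed values: a VPN pool of 10.171.40.224/27 (inferred from the 10.171.40.240 client in the log line), the ACL names SPLIT-TUNNEL and NONAT, the group policy name RA-POLICY, and that the remote 172.18.255.0 /30s all fall within 172.18.255.0/24.

```cisco
! Added example in pre-8.3 ASA syntax (static/nat/global era), not from the thread.
! Assumed: VPN pool 10.171.40.224/27, ACL names SPLIT-TUNNEL and NONAT,
! group policy RA-POLICY, remote WAN /30s contained in 172.18.255.0/24.
!
! 1. Networks the client should reach through the tunnel (pushed as split-tunnel routes).
access-list SPLIT-TUNNEL standard permit 10.171.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit 10.170.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit 172.18.255.0 255.255.255.0
!
! 2. NAT exemption (identity NAT). Source is the real inside network, destination the pool:
!    this is the "translation group" the ASA was looking for when it logged
!    "No translation group found", and it leaves both addresses untouched.
access-list NONAT extended permit ip 10.171.0.0 255.255.0.0 10.171.40.224 255.255.255.224
access-list NONAT extended permit ip 10.170.0.0 255.255.0.0 10.171.40.224 255.255.255.224
access-list NONAT extended permit ip 172.18.255.0 255.255.255.0 10.171.40.224 255.255.255.224
nat (inside) 0 access-list NONAT
!
! 3. Bind the split-tunnel list to the remote-access group policy.
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! 4. Checks from the ASA: the destination must be routable out the inside interface
!    and, once 2. is in place, a ping from a pool client should appear in the
!    connection table instead of producing the translation-group log message.
show route 10.170.40.1
show nat
show conn
```

Note that the NONAT entries only cover traffic between the pool and the inside networks; the remote routers still need a route back to 10.171.40.224/27 via the HQ firewall, which is the routing part of the check suggested in the reply above.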
