Help with NAT

John Blakley (VIP Alumni)

All,

I'm configuring something in my lab that I'll be using in production, but I'm running into a problem.

I need to NAT traffic only through a tunnel, but not NAT it outside of the tunnel. The problem that I've run into is this:

ip nat source static network 192.168.1.0 10.15.25.0 /24 no-alias

The above NATs all traffic sourced from 192.168.1.0 to 10.15.25.0, but I only want the traffic NATed when it's going to our network to this IP.

I've tried to set an acl up like:

ip access-list extended VPNNAT

 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

ip nat inside source list VPNNAT pool VPN

ip nat pool VPN 10.15.25.1 10.15.25.254 prefix-length 24

This doesn't translate anything though. I know I'm missing something.

Thanks,

John

HTH, John *** Please rate all useful posts ***
5 Replies

Richard Burts (Hall of Fame), accepted solution

John

I am not clear what your topology is and not very clear on exactly what you are trying to accomplish. But it seems to me that if you want to translate traffic only when it goes through a tunnel, the solution is to set up the translation with a route map, and in the route map you can match on the outbound interface as well as matching on the addresses. Taking your second option as a model, it might look something like this:

ip nat inside source route-map tun_nat pool VPN

route-map tun_nat permit 10

 match ip address VPNNAT

 match interface tunnel0

That should work if the source address is 192.168.1.0, the destination address is 192.168.2.0, and it is going through interface tunnel 0. Give it a try and let us know how it works.

HTH

Rick


Rick,

I was working earlier with Jon on this on another forum, so this is a continuation of that conversation. I'm not going to be using GRE tunnels (unless the ASA supports them). I'm using a 2600 that will be connecting to my ASA 5520. I tried the route map and that doesn't work. It doesn't even try to bring the tunnels up.

I can get it to work if I block off the whole internal subnet, but then it seems to nat traffic out as the new subnet which isn't what I want or need. In all of the documentation I've read, it doesn't seem there's a way to only allow nat per destination, but if that were the case, what would happen if I needed to nat traffic for two different sites to two different subnets?

What I've got is the following:

I want 192.168.1.0 to NAT out as its normal serial interface when browsing the web. This router has another tunnel terminating to another location and is using its 192.168.1.0 subnet.

I want 192.168.1.0 to NAT to 10.15.25.0 when it tries to pass traffic to my subnet of 10.125.0.0/16, but I don't want it to NAT as that all of the time. I've been successful in getting it to work "all of the time."

Thanks!

John


John

I am still not clear about parts of what you are doing. Is the translation on the ASA or on the 2600?

And I am still puzzling through it trying to figure out what you mean when you say: "I want 192.168.1.0 to NAT to 10.15.25.0 when it tries to pass traffic to my subnet of 10.125.0.0/16, but I don't want it to NAT as that all of the time."

Until I am more clear on the topology and the requirements I will be very little help.

HTH

Rick


Rick,

The route map DOES work. Here's what I did:

ip nat pool VPN 10.15.25.1 10.15.25.254 prefix-length 24

ip nat inside source route-map VPN pool VPN

access-list 192 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

route-map VPN permit 5

 match ip address 192

My interesting traffic ACL references the NATed address:

permit ip 10.15.25.0 0.0.0.255 192.168.2.0 0.0.0.255

Tunnels are up, and I'm showing encrypted/decrypted packets. I also made a loopback on the other end, and I was able to ping it without a translation on this side, which proves to me that I'm only translating for the correct source and destination network.

Thanks,

John

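Pulling Rick's route-map suggestion and John's working configuration together, below is a complete 2600-side configuration as an added example; it is not the configuration either of them posted. It keeps the thread's pool, ACL and route-map names and assumes FastEthernet0/0 is the 192.168.1.0/24 LAN, Serial0/0 is the Internet uplink, 203.0.113.1 is the ASA 5520 peer, and placeholder ISAKMP/IPsec parameters (adjust to what the IOS image on the 2600 supports).

```cisco
! Added example, not the thread's own config. Assumed names: FastEthernet0/0 (LAN),
! Serial0/0 (uplink), 203.0.113.1 (ASA peer, documentation address), PLACEHOLDER key.
!
! 1. Global addresses the LAN is hidden behind, only when talking to the remote site.
ip nat pool VPN 10.15.25.1 10.15.25.254 prefix-length 24
!
! 2. Only LAN -> remote subnet is translated through the pool. Web browsing and the
!    other tunnel that must keep 192.168.1.0 do not match here.
ip access-list extended VPNNAT
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! 3. Policy NAT via route-map. No "match interface": with a crypto map on Serial0/0
!    there is no tunnel interface, so a match on Tunnel0 would never hit (that is why
!    the route-map appeared not to work). Use "match interface Tunnel0" for GRE/VTI.
route-map VPN permit 5
 match ip address VPNNAT
!
ip nat inside source route-map VPN pool VPN
!
! 4. Ordinary Internet PAT. The VPN destination is explicitly denied (a deny in a NAT
!    ACL means "do not translate"), so the two rules cannot both claim the same flow
!    regardless of evaluation order. Add a deny for any other site that must see
!    the real 192.168.1.0 addresses.
ip access-list extended INTERNET-NAT
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list INTERNET-NAT interface Serial0/0 overload
!
! 5. IPsec. The crypto ACL matches the TRANSLATED source: for inside-to-outside
!    traffic IOS applies NAT before the crypto map check, so the crypto map sees
!    10.15.25.0/24, and the ASA must define that as the remote network.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER address 203.0.113.1
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
ip access-list extended VPN-INTERESTING
 permit ip 10.15.25.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map CM 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-INTERESTING
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip nat outside
 crypto map CM
!
! Checks (exec mode):
! show ip nat translations   -> entries exist only for flows toward 192.168.2.0/24
! show ip nat statistics     -> hit counts show which rule each flow matched
! show crypto ipsec sa       -> #pkts encaps/decaps increase for 10.15.25.0/24 <-> 192.168.2.0/24
```

Two caveats worth checking before this goes to production. The pool is dynamic, so a translation is created only when a LAN host sends first; a host at the remote site cannot open a connection to 10.15.25.x until the corresponding entry exists (and without `overload` each LAN host consumes one pool address). And because the crypto ACL is written in translated addresses, a later change to the pool or to the NAT ACL silently changes what the tunnel protects, so the two ACLs should be kept in step and verified with `show ip nat translations` after any edit.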

John

I am glad that you got it to work and that the route map suggestion was helpful.

HTH

Rick
