Policy NAT on RA VPN?

Unanswered Question
Aug 21st, 2009
I have the following scenario: due to a 3rd-party issue, they have no route to my Remote Access VPN IP POOL and their default gateway doesn't hit my ASA.


I want to enable NAT so that my VPN IP POOL is hidden behind the inside interface of the firewall (as they can route to that). Below is a snippet of my config, but it doesn't work... any ideas?


(The Remote Access VPN works fine to the rest of the network, details have been changed to protect the innocent ;))


interface e0
ip addr 1.1.1.1 255.255.255.0
sec level 0
nameif outside

interface e1
ip addr 192.168.1.1 255.255.255.0
sec level 100
nameif inside

ip local pool VPN_POOL 192.168.10.1-192.168.19.100 mask 255.255.255.0

access-list NAT_VPN permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0

global (inside) 10 interface
nat (outside) 10 access-list NAT_VPN


I think the issue is that I'm implementing "NAT & Global" from a low sec-level to a high one, but you can't do this with "statics" 'cause it complains that the source subnet mask in the ACL isn't a host.


Thanks in Advance,

Nick

mchin345 Thu, 08/27/2009 - 13:49
In order to configure Policy NAT for VPN traffic, for example, to change the source address, refer to this configuration example. In this example, the internal network is 10.10.1.0/24.


Create an access-list for Policy NAT with the real source and destination IP addresses.

access-list POLICYNAT extended permit ip 10.10.1.0 255.255.255.0 host 172.16.1.1
access-list POLICYNAT extended permit ip 10.10.1.0 255.255.255.0 1.1.1.0 255.255.255.0


Create a static command that states that when the source is 10.10.1.0 and the destination is 172.16.1.1 or 1.1.1.0, change it to 172.16.5.0.

static (inside,outside) 172.16.5.0 access-list POLICYNAT

Create a crypto access-list with the source as the new IP address defined in Policy NAT, for example, 172.16.5.0.

access-list VPN extended permit ip 172.16.5.0 255.255.255.0 host 172.16.1.1
access-list VPN extended permit ip 172.16.5.0 255.255.255.0 1.1.1.0 255.255.255.0

Apply the crypto access-list to the crypto map.

crypto map VPN 10 match address VPN

nickbettison Wed, 09/02/2009 - 05:34
Hi,


Thanks for your response, but I don't think that'll do what I've asked.


I want to hide behind the interface of the firewall, I'm sure that...


static (inside,outside) 172.16.5.0 access-list POLICYNAT


means that if 10.10.1.12 is the source, then the source NAT will be 172.16.5.12


...also I want to nat the other way round... outside,inside not inside,outside ;-)
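The two posts above agree on what a net-to-net policy static does (10.10.1.12 becomes 172.16.5.12 only when the destination matches POLICYNAT) and on why the crypto ACL must name the translated network. The Python below is an added illustrative model of that behaviour, not ASA code and not from either poster; it assumes the POLICYNAT entries, the 172.16.5.0 mapped network and the VPN crypto ACL from mchin345's answer.

```python
import ipaddress

# Policy-NAT ACL from the answer, modelled as (real source net, destination net).
POLICYNAT = [
    (ipaddress.ip_network("10.10.1.0/24"), ipaddress.ip_network("172.16.1.1/32")),
    (ipaddress.ip_network("10.10.1.0/24"), ipaddress.ip_network("1.1.1.0/24")),
]
# "static (inside,outside) 172.16.5.0 access-list POLICYNAT": the mapped network.
MAPPED = ipaddress.ip_network("172.16.5.0/24")
# Crypto ACL "VPN", written against the translated (mapped) source network.
CRYPTO_VPN = [
    (ipaddress.ip_network("172.16.5.0/24"), ipaddress.ip_network("172.16.1.1/32")),
    (ipaddress.ip_network("172.16.5.0/24"), ipaddress.ip_network("1.1.1.0/24")),
]


def matches_acl(src, dst, acl):
    """True if the (src, dst) pair is permitted by any entry of the ACL."""
    return any(src in s_net and dst in d_net for s_net, d_net in acl)


def policy_static(src, dst, acl=POLICYNAT, mapped=MAPPED):
    """Model of a net-to-net policy static (illustrative, not ASA code):
    when (src, dst) hits an ACL entry, keep the host bits of src and swap
    in the mapped network; otherwise leave src untranslated."""
    for real_net, dst_net in acl:
        if src in real_net and dst in dst_net:
            host_bits = int(src) - int(real_net.network_address)
            return ipaddress.ip_address(int(mapped.network_address) + host_bits)
    return src


def process(src, dst):
    """Translate the flow, then check whether the translated flow is
    selected by the crypto ACL. Returns (translated source, encrypted?)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    xlated = policy_static(src_ip, dst_ip)
    return str(xlated), matches_acl(xlated, dst_ip, CRYPTO_VPN)


if __name__ == "__main__":
    for flow in [("10.10.1.12", "172.16.1.1"), ("10.10.1.12", "8.8.8.8")]:
        print(flow, "->", process(*flow))
```

A flow to a destination outside POLICYNAT keeps its real address and therefore also misses the crypto ACL, which is why the two ACLs have to describe the same destinations.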
