Policy NAT on RA VPN?

Unanswered Question
Aug 21st, 2009

I have the following scenario; due to a 3rd party issue they have no route to my Remote Access VPN IP POOL and their default gateway doesn't hit my ASA.

I want to enable NAT so that my VPN IP POOL is hidden behind the inside interface of the firewall (as they can route to that). Below is a snippet of my config but it doesn't work. Any ideas?

(The Remote Access VPN works fine to the rest of the network, details have been changed to protect the innocent ;))

interface e0

ip addr 1.1.1.1 255.255.255.0

sec level 0

nameif outside

interface e1

ip addr 192.168.1.1 255.255.255.0

sec level 100

nameif inside

ip local pool VPN_POOL 192.168.10.1-192.168.19.100 mask 255.255.255.0

access-list NAT_VPN permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0

global inside 10 interface

nat (outside) 10 access-list NAT_VPN

I think the issue is that I'm implementing "NAT & Global" from a low sec-level to a high, but you can't do this command with "statics" 'cause it complains that the subnet mask in the ACL of the source isn't a host.

Thanks in Advance,

Nick

mchin345 Thu, 08/27/2009 - 13:49

In order to configure Policy NAT for VPN traffic, for example, to change the source address, refer to this configuration example. In this example, the internal network is 10.10.1.0/24.

Create an access-list for Policy NAT with real source and a destination IP address.

access-list POLICYNAT extended permit ip 10.10.1.0 255.255.255.0 host 172.16.1.1

access-list POLICYNAT extended permit ip 10.10.1.0 255.255.255.0 1.1.1.0 255.255.255.0

Create a static command that states that when source is 10.10.1.0 and destination is 172.16.1.1 or 1.1.1.0, change it to 172.16.5.0.

static (inside,outside) 172.16.5.0 access-list POLICYNAT

Create a crypto access-list with the source as the new IP address defined in Policy NAT, for example, 172.16.5.0.

access-list VPN extended permit ip 172.16.5.0 255.255.255.0 host 172.16.1.1

access-list VPN extended permit ip 172.16.5.0 255.255.255.0 1.1.1.0 255.255.255.0

Apply the crypto access-list to crypto map.

crypto map VPN 10 match address VPN

nickbettison Wed, 09/02/2009 - 05:34

Hi,

Thanks for your response, but I don't think that'll do what I've asked.

I want to hide behind the interface of the firewall, I'm sure that...

static (inside,outside) 172.16.5.0 access-list POLICYNAT

Means that if 10.10.1.12 is the source, then the source NAT will be 172.16.5.12.

...also I want to nat the other way round... outside,inside not inside,outside ;-)
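
The difference raised in the last reply, as an added example that is not part of the thread and is not ASA code: a small Python model of a net-to-net static policy NAT (host bits preserved) next to hiding every matching source behind one interface address. The ACL entries and addresses are the ones posted above; the function and class names, the port-allocation scheme and the sample client addresses and ports are assumptions.

```python
import ipaddress

# ACL entries copied from the thread as (source network, destination network).
POLICYNAT = [("10.10.1.0/24", "172.16.1.1/32"), ("10.10.1.0/24", "1.1.1.0/24")]
NAT_VPN = [("192.168.10.0/24", "10.10.10.0/24")]


def acl_match(acl, src, dst):
    """Return the matching source network for this src/dst pair, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net in acl:
        net = ipaddress.ip_network(src_net)
        if s in net and d in ipaddress.ip_network(dst_net):
            return net
    return None


def static_policy_nat(acl, mapped_net, src, dst):
    """Net-to-net static: swap the network prefix, keep the host bits."""
    real = acl_match(acl, src, dst)
    if real is None:
        return src  # destination not in the ACL: source is left alone
    offset = int(ipaddress.ip_address(src)) - int(real.network_address)
    return str(ipaddress.ip_network(mapped_net).network_address + offset)


class InterfacePat:
    """Hide-NAT model: matching sources share one address, told apart by port."""

    def __init__(self, acl, interface_ip, first_port=1024):  # first_port assumed
        self.acl, self.ip, self.next_port = acl, interface_ip, first_port
        self.xlate = {}  # (real source, real port) -> mapped port

    def translate(self, src, sport, dst):
        if acl_match(self.acl, src, dst) is None:
            return (src, sport)
        key = (src, sport)
        if key not in self.xlate:
            self.xlate[key] = self.next_port
            self.next_port += 1
        return (self.ip, self.xlate[key])


if __name__ == "__main__":
    print(static_policy_nat(POLICYNAT, "172.16.5.0/24", "10.10.1.12", "172.16.1.1"))
    pat = InterfacePat(NAT_VPN, "192.168.1.1")  # inside interface from the question
    for client in ("192.168.10.5", "192.168.10.6"):  # constructed pool clients
        print(client, "->", pat.translate(client, 40000, "10.10.10.20"))
```

In the second model every pool client reaches 10.10.10.0/24 from the same source address, so the far side needs a route only to the inside interface address.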
