NAT in Lan-2-Lan VPN tunnel in ASA

Jan 30th, 2010
Hi, I have an ASA 5400 at two ends, US and INDIA. I am handling the US ASA, which has the internal ranges 10.32.130.0/24, 10.32.129.0/24, 10.30.100.0/24 and the outside IP 200.200.200.2. The INDIA ASA internal range is 172.16.0.0/16 and its outside IP is 102.102.102.2. I have to make a site-to-site VPN tunnel between both ASAs.


Due to some reason, I have to hide my US inside range 10.0.0.0/8 and have to publish 192.168.1.0/24. How can it be possible? I am pasting the current configuration of the US ASA; please help with which modification I have to make.




crypto map outside_map 1 match address outside_access_in
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 102.102.102.2
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 set nat-t-disable


nat (inside) 0 access-list inside_nat0_outbound


access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0  172.16.0.0 255.255.0.0

access-list outside_access_in extended permit ip 10.0.0.0 255.0.0.0  172.16.0.0 255.255.0.0

route outside 0.0.0.0 0.0.0.0 200.200.200.1

Mohamed Sobair Sat, 01/30/2010 - 01:02

Hi Rupesh,


The access-list (access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0) is used to permit the interesting traffic through the IPsec tunnel.


If you want to hide the 10.0.0.0/8 prefix, then you should remove this entry from the access-list and allow the subnets you want to reach 172.16.0.0 255.255.0.0.



HTH

Mohamed

Rupesh Kashyap Sat, 01/30/2010 - 01:12

Hi Sobair,

I am not getting you. Can you guide me by making the changes to what I have pasted? Please.

Mohamed Sobair Sat, 01/30/2010 - 01:26

Hi,


Could you please point out the interesting traffic: which subnets do you want to allow to pass through the IPsec tunnel?


I meant to add the following to your configuration:


access-list inside_nat0_outbound extended  deny ip 10.0.0.0 255.0.0.0  172.16.0.0 255.255.0.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0  172.16.0.0 255.255.0.0


In the above example, traffic from the 10.0 subnet is denied and only the 192.168 subnet is allowed to pass through the IPsec tunnel.



HTH

Mohamed

Rupesh Kashyap Sat, 01/30/2010 - 01:39

Ok, now I have two questions, as earlier I had disabled NAT:


1. How will the internal subnet 10.0.0.0/8 be converted into the 192.168.1.0/24 subnet before leaving the US ASA?

2. If India clients want to access one server, IP 10.10.10.5/24, then which IP will they browse?

Mohamed Sobair Sat, 01/30/2010 - 01:52

HI,



Ok, now I have two questions, as earlier I had disabled NAT:

1. How will the internal subnet 10.0.0.0/8 be converted into the 192.168.1.0/24 subnet before leaving the US ASA?

2. If India clients want to access one server, IP 10.10.10.5/24, then which IP will they browse?


--------------------------------------------------------------------------------------------------------------------------------------------------


1- It's not converted; I just gave you an example of the 192.168 subnet.


2- They will browse the 10.10.10.5 IP, but the US ASA won't allow the traffic back as it's denied on the access-list.



So the conclusion is as follows:


You either deny it on the access-list of the interesting traffic, or you remove it from the access-list completely,


as follows:


no  access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0  172.16.0.0 255.255.0.0


OR


access-list inside_nat0_outbound extended deny ip 10.0.0.0 255.0.0.0  172.16.0.0 255.255.0.0




HTH

Mohamed

Rupesh Kashyap Sat, 01/30/2010 - 02:02

You are not getting my point.


I have to hide the 10.0.0.0/8 subnet. My target is that the India end should only know the 192.168.1.0/24 subnet.


So how will 10.0.0.0/8 be converted into 192.168.1.0/24 on the US end before entering the tunnel (Attn: we have 200.200.200.2 as the outside IP)?


Please clarify.

Mohamed Sobair Sat, 01/30/2010 - 02:26

Hi Rupesh,


No conversion will occur at all.


The rule of NAT exemption is to permit the interesting traffic through the tunnel; NAT exemption always has precedence over normal NAT.


So traffic from the 10.0 subnet won't be converted at all, but it can be denied (NOT permitted through the IPsec tunnel).


If you want to permit only the 192.168.1.0/24 subnet to access 172.16 and deny the 10.0 subnet, your config should look like below:


no access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0  172.16.0.0 255.255.0.0


access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0  172.16.0.0 255.255.0.0




HTH

Mohamed

Rupesh Kashyap Sat, 01/30/2010 - 02:36

As per your line "If you want to permit only the 192.168.1.0/24 subnet to access 172.16 and deny the 10.0 subnet":


The problem is, we do not have a 192.168.1.0/24 subnet. I just want to use it to hide the 10.0.0.0 subnet. So please suggest.


Besides this, will the remote end India ASA permit 192.268.1.0 or 10.0.0.0?
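Rupesh's open question (translate the real US addresses to 192.168.1.0/24 before they enter the tunnel, and what the India end must permit) and Mohamed's point that NAT exemption is evaluated before normal NAT both come down to the same pre-8.3 ASA NAT ordering. The following configuration is an added example written for this thread, not a reply from either participant and not Cisco's guidance for this case. It assumes pre-8.3 syntax (the `nat (inside) 0 access-list` form used in the thread), picks the single inside subnet 10.32.130.0/24 as the network to hide (a /8 cannot be mapped one-to-one into a /24, so each /24 that must reach India gets its own mapping), and uses the assumed access-list names VPN_POLICY_NAT and VPN_CRYPTO.

```cisco
! Added example for this thread (pre-8.3 ASA syntax assumed).
! Goal: the India peer sees 192.168.1.0/24, never 10.32.130.0/24.

! 1. Remove the NAT exemption for 10.0.0.0/8 -> 172.16.0.0/16.
!    Exemption (nat 0 access-list) is checked before static and policy NAT,
!    so while this entry exists the real 10.x addresses enter the tunnel untranslated.
no access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0

! 2. Policy static NAT: translate 10.32.130.0/24 to 192.168.1.0/24 only when the
!    destination is the India network. The mapping is one-to-one, host by host:
!    10.32.130.5 is reachable from India as 192.168.1.5.
access-list VPN_POLICY_NAT extended permit ip 10.32.130.0 255.255.255.0 172.16.0.0 255.255.0.0
static (inside,outside) 192.168.1.0 access-list VPN_POLICY_NAT

! 3. The crypto map matches traffic after NAT, so the interesting-traffic ACL
!    names the mapped subnet, not the real one. A dedicated ACL replaces the
!    reuse of outside_access_in seen in the original crypto map entry.
access-list VPN_CRYPTO extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
crypto map outside_map 1 match address VPN_CRYPTO

! 4. India ASA (mirror image, shown for reference): its crypto ACL and its own
!    NAT exemption refer to 192.168.1.0/24 only. 10.0.0.0/8 never appears there.
!   access-list outside_cryptomap extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
!   access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
```

With this in place, clients in India browse 192.168.1.5 to reach the server at 10.32.130.5; `show xlate` on the US ASA should list the 10.32.130.x to 192.168.1.x translations once traffic flows, and `show crypto ipsec sa` should show 192.168.1.0/24 as the local identity of the SA. Because the translated addresses are the only ones the peer ever learns, the India side's access policy must be written against 192.168.1.0/24 as well.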
