NAT in Lan-2-Lan VPN tunnel in ASA

Rupesh Kashyap
Level 1

Hi, I have an ASA 5400 at each of two ends, US and INDIA. I am handling the US ASA, which has the internal ranges 10.32.130.0/24, 10.32.129.0/24 and 10.30.100.0/24 and the outside IP 200.200.200.2. The INDIA ASA internal range is 172.16.0.0/16 and its outside IP is 102.102.102.2. I have to make a site-to-site VPN tunnel between both ASAs.

Due to some reason, I have to hide my US inside range 10.0.0.0/8 and have to publish 192.168.1.0/24 instead. How can this be done? I am pasting the current configuration of the US ASA; please help with which modifications I have to make.

crypto map outside_map 1 match address outside_access_in
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 102.102.102.2
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 set nat-t-disable

nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0

access-list outside_access_in extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0

nat (inside) 0 access-list inside_nat0_outbound

route outside 0.0.0.0 0.0.0.0 200.200.200.1

9 Replies

Mohamed Sobair
Level 7

Hi Rupesh,

The access-list (access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0) is used to permit the interesting traffic through the IPsec tunnel.

If you want to hide the 10.0.0.0/8 prefix, then you should remove this entry from the access-list and allow only the subnets you want to reach 172.16.0.0 255.255.0.0.

HTH

Mohamed

Hi Sobair,

I am not getting you. Can you guide me by making the changes to what I have pasted? Please.

Mohamed Sobair
Level 7

Hi,

Could you please point out the interesting traffic: which subnets do you want to allow to pass through the IPsec tunnel?

I suggest adding the following to your configuration:

access-list inside_nat0_outbound extended deny ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0

In the above example, traffic from the 10.0 subnet is denied and only the 192.168 subnet is allowed to pass through the IPsec tunnel.

HTH

Mohamed

OK, now I have two questions, as earlier I had disabled NAT:

1. How will the internal subnet 10.0.0.0/8 be converted into the 192.168.1.0/24 subnet before leaving the US ASA?

2. If India clients want to access one server, IP 10.10.10.5/24, then which IP will they browse?

Mohamed Sobair
Level 7

Hi,

"OK, now I have two questions, as earlier I had disabled NAT:

1. How will the internal subnet 10.0.0.0/8 be converted into the 192.168.1.0/24 subnet before leaving the US ASA?

2. If India clients want to access one server, IP 10.10.10.5/24, then which IP will they browse?"

--------------------------------------------------------------------------------------------------------------------------------------------------

1. It's not converted; I just gave you an example of a 192.168 subnet.

2. They will browse the 10.10.10.5 IP, but the US ASA won't allow the traffic back, as it's denied on the access-list.

So the conclusion is as follows:

You either deny it on the access-list for the interesting traffic, or you remove it from the access-list completely,

as follows:

no access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0

OR

access-list inside_nat0_outbound extended deny ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0

HTH

Mohamed

You are not getting my point.

I have to hide the 10.0.0.0/8 subnet. My target is that the India end should only know the 192.168.1.0/24 subnet.

So how will 10.0.0.0/8 be converted into 192.168.1.0/24 on the US end before entering the tunnel (note: we have 200.200.200.2 as the outside IP)?

Please clarify.

Mohamed Sobair
Level 7

Hi Rupesh,

No conversion will occur at all.

The role of NAT exemption is to permit the interesting traffic through the tunnel; NAT exemption always has precedence over normal NAT.

So traffic from the 10.0 subnet won't be converted at all, but it can be denied (not permitted through the IPsec tunnel).

If you want to permit only the 192.168.1.0/24 subnet to access 172.16 and deny the 10.0 subnet, your config should look like below:

no access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0

HTH

Mohamed

As per your line "If you want to permit only the 192.168.1.0/24 subnet to access 172.16 and deny the 10.0 subnet":

The problem is, we do not have a 192.168.1.0/24 subnet. I just want to use it to hide the 10.0.0.0 subnet. So please suggest.

Besides this, will the remote-end India ASA permit 192.268.1.0 or 10.0.0.0?

Please help.
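The sticking point in this thread is the interaction Mohamed describes above (NAT exemption wins over every other translation) with what Rupesh actually wants (the real 10.0.0.0/8 addresses must never be seen by the India side). The following script is an added example, written for this page and not taken from the thread or from Cisco; it is a deliberately simplified model of the pre-8.3 ASA order of operations (nat 0 exemption first, then policy NAT, otherwise untranslated) followed by the crypto map match ACL evaluated against the post-NAT source. The mapped address 192.168.1.1 and the policy-NAT rule that translates only traffic destined for 172.16.0.0/16 are assumptions made for the example. It generalizes slightly beyond the thread by also checking an Internet-bound flow and the case where the old exemption line is left in alongside the new translation.

```python
import ipaddress
from dataclasses import dataclass

# Simplified model (not ASA code) of how a pre-8.3 ASA picks a translation for an
# outbound flow and then decides whether the crypto map's match ACL encrypts it.
# Order assumed here: NAT exemption (nat 0 access-list) first, then policy NAT,
# otherwise untranslated. The crypto ACL is checked against the POST-NAT source.

@dataclass(frozen=True)
class Flow:
    src: str   # source IP
    dst: str   # destination IP

def acl_action(acl, flow):
    """First-match ACL lookup. acl is a list of (action, src_net, dst_net);
    returns "permit"/"deny" from the first matching ACE, or None if nothing matches."""
    s = ipaddress.ip_address(flow.src)
    d = ipaddress.ip_address(flow.dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return None

def evaluate(config, flow):
    """Return (post_nat_source, nat_reason, encrypted) for one outbound flow."""
    if acl_action(config["nat0_acl"], flow) == "permit":
        out, reason = flow, "nat0-exempt"          # exemption wins: address unchanged
    else:
        out, reason = flow, "no-nat"
        for acl, mapped_src in config["policy_nat"]:
            if acl_action(acl, flow) == "permit":
                out, reason = Flow(mapped_src, flow.dst), "policy-nat"
                break
    encrypted = acl_action(config["crypto_acl"], out) == "permit"
    return out.src, reason, encrypted

TO_INDIA = "172.16.0.0/16"
US_REAL = "10.0.0.0/8"
US_MAPPED = "192.168.1.0/24"

# 1. The configuration from the original post: exemption and crypto ACL both on 10/8.
ORIGINAL = {
    "nat0_acl":   [("permit", US_REAL, TO_INDIA)],
    "policy_nat": [],
    "crypto_acl": [("permit", US_REAL, TO_INDIA)],
}

# 2. Exemption removed; policy NAT translates 10/8 to one assumed mapped address
#    (192.168.1.1, a PAT-style choice made for this example) only when the destination
#    is 172.16/16; crypto ACL rewritten for the translated source.
HIDDEN = {
    "nat0_acl":   [],
    "policy_nat": [([("permit", US_REAL, TO_INDIA)], "192.168.1.1")],
    "crypto_acl": [("permit", US_MAPPED, TO_INDIA)],
}

# 3. Same as HIDDEN, but the old exemption line was left in place.
EXEMPTION_LEFT_IN = dict(HIDDEN, nat0_acl=[("permit", US_REAL, TO_INDIA)])

if __name__ == "__main__":
    # Constructed sample flows: a US inside host to an India host, and to the Internet.
    to_india = Flow("10.32.130.10", "172.16.5.5")
    to_internet = Flow("10.32.130.10", "198.51.100.7")
    for name, cfg in [("original", ORIGINAL), ("hidden", HIDDEN),
                      ("exemption-left-in", EXEMPTION_LEFT_IN)]:
        print(name, evaluate(cfg, to_india), evaluate(cfg, to_internet))
```

With the original configuration the flow is encrypted, but it enters the tunnel with its real 10.x source, so the India side learns the addresses Rupesh wants to hide. With the exemption removed and a policy translation plus matching crypto ACL, the flow is encrypted with the 192.168.1.x source. Leaving the exemption in place alongside the new rule is the failure mode worth checking for: the exemption wins, the packet stays 10.x, the new crypto ACL no longer matches it, and the traffic silently bypasses the tunnel. Whatever translation is chosen, the India ASA's crypto ACL and its own NAT exemption must then reference 192.168.1.0/24 as the remote network, since the two ends' crypto ACLs have to mirror each other; and because 10.0.0.0/8 cannot be mapped one-to-one into a /24, hosts that India must reach by name (such as the 10.10.10.5 server in the thread) each need their own static mapping inside 192.168.1.0/24.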
