Bi-Directional Policy NAT

Answered Question
Mar 31st, 2010

Is a policy-based bi-directional NAT possible? I can find plenty of examples to handle a single bi-directional NAT, but the Cisco documentation I've read states that policy-based NAT translates local addresses only. However, I've read conflicting documentation from Cisco where it says any NAT (besides NAT exemption) can be configured for policy NAT. I've spent numerous hours researching a configuration that could handle this but have come up empty. I would imagine I'm not the first person to run into this; Cisco's documentation is just unclear to me.

Site A will terminate L2L VPNs from Site B and Site C to an ASA 5520. Site A has no administrative control over B or C. Site B and C are choosing to expose their same overlapping private address space.

I'm no expert but forced into this by the unexpected exit of our Network Engineer. Can anyone provide assistance?

I know that I need to:

1. specify the address to be translated

2. specify the inside global to translate to

I believe I accomplish this with:

  • static (outside, inside) 172.17.1.1 10.128.0.0 netmask 255.128.0.0
  • access-list 101 permit ip 10.128.0.0 255.128.0.0
  • access-group 101 in interface outside

I believe I'll need to create route statements for this as well:

  • route outside 10.128.0.0 255.128.0.0 12.126.x.x

This satisfies one VPN, but what about Site C? Can I use policy NAT to map that customer's 10.128.0.0/9 to, say, 172.17.2.2? I know the address space I'm mapping to doesn't handle the /9 being exposed to me, but I'll never exceed the range I'm mapping it to. Once I know exactly how many IPs will be coming over the VPN, I will actually create a 1:1 translation as governed by our security policy.

I hope I'm on the right track here and have explained this in a manner that isn't too confusing. Any help? I'm not even sure if a policy-based bi-directional NAT is possible based on the Cisco documentation I've read. Help!

Site A (ASA 5520) ---- WWW Cloud ---- (12.126.x.x)  Site B (10.128.0.0/9)
                                 \--- (209.128.y.y) Site C (10.128.0.0/9)

Federico Coto F... Wed, 03/31/2010 - 15:15

Hi,

What you do is Policy NAT on the remote sites:

Site B:
access-list PolicyNAT permit ip 10.128.0.0 255.128.0.0 Site A
static (in,out) 1.0.0.0 access-list PolicyNAT
access-list VPN permit ip 1.0.0.0 255.128.0.0 Site A

Site C:
access-list PolicyNAT permit ip 10.128.0.0 255.128.0.0 Site A
static (in,out) 2.0.0.0 access-list PolicyNAT
access-list VPN permit ip 2.0.0.0 255.128.0.0 Site A

In Site B, we are translating network 10.128.0.0/9 to 1.0.0.0/9 when going to Site A
In Site C, we are translating network 10.128.0.0/9 to 2.0.0.0/9 when going to Site B
In both sites, the VPN traffic is from the translated network to Site A

In Site A, you must send the VPN traffic to 1.0.0.0/9 and 2.0.0.0/9 when trying to reach Site B and Site C
respectively.

Hope this helps, let me know.

Federico.

pobrien210 Thu, 04/01/2010 - 06:18

I appreciate the response, but if it was that easy, I wouldn't be in the support forum. I have no administrative control over Site B or C. Policy NAT could only be accomplished at Site A where I have administrative control.

pobrien210 Thu, 04/01/2010 - 06:31

I guess I should also note that Site B and C have no interest in passing traffic between each other. They only care about talking to the hub.

Federico Coto F... Thu, 04/01/2010 - 09:01

If you only have control over Site A, then as you said you can do Policy NAT on Site A.

It will be inbound Policy NAT, so that you translate Site B and Site C to a different IP when entering Site A network.

Instead of NATing the traffic on Site B and Site C, you NAT the traffic when entering inbound on Site A.

Federico.

Federico Coto F... Thu, 04/01/2010 - 10:18

access-list SiteB permit ip 10.128.0.0 255.128.0.0 Site A
nat (outside) 1 access-list SiteB outside
global (inside) 1 1.0.0.0 255.128.0.0

access-list SiteC permit ip 10.128.0.0 255.128.0.0 Site A
nat (outside) 2 access-list SiteC outside
global (inside) 2 2.0.0.0 255.128.0.0

Is this the problem that you're having?
You cannot define inbound Policy NAT for both sites on Site A, since both come from the same source network to the same destination
network.

The above configuration will translate Site B 10.128.0.0/9 to 1.0.0.0/9 when entering Site A, but it will overlap with the rule
for Site C.

For testing purposes, to see if it works, you can define a portion of Site A for the VPN to Site B and another portion of Site A
for the tunnel to Site C (so there won't be overlapping and you can test if the Policy NAT works as intended).

Federico.

pobrien210 Thu, 04/01/2010 - 14:42

I can test as you suggest, I just wasn't sure where to start with the conflicting documentation I've read.

What if I give my ASA another public IP and have Site B terminate to one IP and Site C terminate to a different IP? Would the configuration you provided still be valid and allow me to translate the same source addresses based on the different destination address?

I'm so confused by Cisco's documentation. I've read multiple documents numerous times and they simply don't clarify it in a way that is understandable to me. I passed my CCNA about 5 years ago and have been thrown into this current situation with the exit of our engineer. I'm more of a Layer 2 guy and I've had minimal exposure to VPN. I can throw together a site-to-site if I had to, I'm just not sure how to deal with multiple customer VPNs with overlapping addresses.

Thank you for your help Federico.

Correct Answer
Federico Coto F... Thu, 04/01/2010 - 14:57

I agree with you 100% unfortunately documentation sucks!

If you give the ASA a different public IP on another interface and terminate the other tunnel there, you can still
use the configuration of Policy NAT on Site A and it should work.

Give it a try and let us know if you need further help.

Federico.
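As an added illustration of the two-interface approach Federico describes (this is not his config or Cisco's, and it uses the pre-8.3 ASA NAT syntax from the thread), here is what the Site A side could look like. Assumptions: Site A's inside network is 192.168.0.0/16, the second public IP sits on an interface named outside2, the peer addresses are the placeholders from the diagram, and ISAKMP, transform-set and tunnel-group lines are omitted.

```cisco
! Site A ASA, pre-8.3 NAT syntax. Added example, not from the original posts.
! Assumed: inside = 192.168.0.0/16, second public interface = outside2.

! Site B's tunnel terminates on "outside": translate its 10.128.0.0/9 to 1.0.0.0/9
! only for traffic to/from Site A's inside network (static policy NAT is bidirectional).
access-list SITEB_NAT permit ip 10.128.0.0 255.128.0.0 192.168.0.0 255.255.0.0
static (outside,inside) 1.0.0.0 access-list SITEB_NAT

! Site C's tunnel terminates on "outside2": identical real network, different mapped range.
! The real interface in each static keeps the two overlapping rules apart.
access-list SITEC_NAT permit ip 10.128.0.0 255.128.0.0 192.168.0.0 255.255.0.0
static (outside2,inside) 2.0.0.0 access-list SITEC_NAT

! Crypto ACLs use the real (untranslated) remote addresses: the ASA applies NAT
! before the crypto map match, and the remote sites see Site A's inside network as-is.
access-list VPN_SITEB permit ip 192.168.0.0 255.255.0.0 10.128.0.0 255.128.0.0
access-list VPN_SITEC permit ip 192.168.0.0 255.255.0.0 10.128.0.0 255.128.0.0

crypto map OUTSIDE_MAP 10 match address VPN_SITEB
crypto map OUTSIDE_MAP 10 set peer 12.126.x.x
crypto map OUTSIDE_MAP interface outside

crypto map OUTSIDE2_MAP 10 match address VPN_SITEC
crypto map OUTSIDE2_MAP 10 set peer 209.128.y.y
crypto map OUTSIDE2_MAP interface outside2

! Result: a Site A host reaches Site B's 10.128.1.5 as 1.0.1.5 and Site C's 10.128.1.5 as 2.0.1.5.
```

Because each static is tied to its own real interface, the hosts at Site A address the two customers by their mapped ranges, and the ASA un-translates on the correct tunnel; `show xlate` after a ping from the inside is the quickest way to confirm which static fired.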

pobrien210 Mon, 04/05/2010 - 06:41

Appreciate the help Federico. I should have the config live within a week and will update this post with the results.
