Reverse NAT on the ASA?


Hello all,

I have a VPN with a vendor, but he's using the same inside networks that I am, and he apparently can't NAT on his side, so I'm trying to set up dynamic NAT for his incoming and outgoing traffic on the tunnel.

This is the config I've come up with; can you let me know if this will work (see the picture below)?

object-group network vendor-inside
network-object host 10.80.208.243
network-object host 10.80.88.47

access-list outside_470_cryptomap line 1 remark Vendor VPN Tunnel traffic
access-list outside_470_cryptomap line 2 extended permit ip 10.0.2.176 255.255.255.240 object-group vendor-inside
nat (external) 3 access-list outside_470_cryptomap
global (internal) 3 10.80.179.113-10.80.179.126 netmask 255.255.255.240

Vendor reverse NAT.jpg

Federico Coto F... Thu, 05/27/2010 - 04:33

Hi,

The configuration seems fine.

I think that when you do outside NAT:

nat (external) 3 access-list outside_470_cryptomap

You do:

nat (external) 3 access-list outside_470_cryptomap outside

Let us know if you have any problems.


Federico.

DimonRonD Thu, 06/03/2010 - 02:17

Hello!

I have connected a partner's company through L2L IPsec. I am trying to use reverse NAT, like in that example, to NAT the partner's addresses into my private network. But there are no hits at all in NAT. What is wrong?

Federico Coto F... Thu, 06/03/2010 - 06:55

You're trying to NAT the remote 10.0.2.176/28 when coming to your object-group vendor-inside correct?


So you're saying:
access-list outside_470_cryptomap line 2 extended permit ip 10.0.2.176 255.255.255.240 object-group vendor-inside
nat (external) 3 access-list outside_470_cryptomap
global (internal) 3 10.80.179.113-10.80.179.126 netmask 255.255.255.240

If you're coming from computer 10.0.2.x, can you try a "sh xlate" and see if you get translations for that host?

Federico.

DimonRonD Thu, 06/03/2010 - 22:57


Well, I tried "sh xlate" and there are no translations for this NAT rule. I looked at "sh nat" and there are no hits on this rule (translate_hits = 0, untranslate_hits = 0).

The same rule on this ASA for external real IPs coming to another host works properly. This rule from L2L IPsec to inside does not work. I used Wireshark and see packets from the real IP; NAT does not work.

Why does this NAT work normally from outside to inside and not work from IPsec to inside?

Federico Coto F... Fri, 06/04/2010 - 09:05

NAT works for non-encrypted traffic from outside to inside?
NAT does not work for encrypted traffic from outside to inside?

NAT should work for either unencrypted or encrypted traffic.
Could you post just your current NAT rule for both scenarios?

Federico.

DimonRonD Sun, 06/06/2010 - 23:04


NAT works for non-encrypted traffic from outside to inside?

Yes


NAT does not work for encrypted traffic from outside to inside?

Yes

NAT should work for either unencrypted or encrypted traffic.

It should, yes. But it does not work.

This is the NAT rule for encrypted traffic. The integrator comes through IPsec from outside and goes to inside. NAT does not work:

access-list Integrator2Local extended permit ip host 192.168.1.23 10.10.1.0 255.255.255.0
global (inside) 3 10.10.0.3-10.10.0.14 netmask 255.255.255.240
nat (outside) 3 access-list Integrator2Local outside

I need to translate host 192.168.1.23: when this host sends a packet to network 10.10.1.0/24, translate it to address 10.10.0.3.

The same rule (except that the traffic goes to the DMZ, but I think this does not matter). This rule works well:
access-list REALHOSTS extended permit ip any host 19.17.9.26
global (DMZ) 2 10.20.20.128-10.20.20.254 netmask 255.255.255.128
nat (outside) 2 access-list REALHOSTS outside

In this rule I need to translate any real address that comes to host 19.17.9.26 into network 10.20.20.128/25.
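To make the matching rules in this thread concrete (both the original poster's outside-NAT question and DimonRonD's two rules just above), here is an added illustration, not ASA code or output and not from any poster: a small Python model of pre-8.3 dynamic policy NAT with the "outside" keyword. It embeds DimonRonD's Integrator2Local and REALHOSTS rules plus a constructed rule whose ACL is written backwards (inside network as source), and reports which packets produce translate_hits/untranslate_hits and which never do. The model's assumptions are that the egress interface is passed in instead of being routed, and that crypto maps, static NAT, nat 0 and xlate timeouts are not modelled; the packet addresses 203.0.113.7 and 198.51.100.9 are constructed sample hosts.

```python
"""Toy model of pre-8.3 ASA dynamic policy NAT with the ``outside`` keyword
(added illustration, not ASA code or output). Modelled: ``nat (IFC) ID
access-list ACL outside`` applies to packets arriving on IFC whose real source
and destination match ACL (ACL source = the host on IFC); the mapped source
comes from the ``global (EGRESS) ID`` pool on the egress interface. Assumptions:
egress is passed in rather than routed; crypto maps, static NAT, nat 0 and
xlate timeouts are not modelled."""
import ipaddress

# Constructed config: DimonRonD's two rules from the thread, plus a rule whose
# ACL is written from the inside network's point of view (the wrong way round).
CONFIG = """
access-list Integrator2Local extended permit ip host 192.168.1.23 10.10.1.0 255.255.255.0
global (inside) 3 10.10.0.3-10.10.0.14 netmask 255.255.255.240
nat (outside) 3 access-list Integrator2Local outside
access-list REALHOSTS extended permit ip any host 19.17.9.26
global (DMZ) 2 10.20.20.128-10.20.20.254 netmask 255.255.255.128
nat (outside) 2 access-list REALHOSTS outside
access-list Reversed extended permit ip 10.10.1.0 255.255.255.0 host 192.168.1.23
global (inside) 4 10.10.0.17-10.10.0.30 netmask 255.255.255.240
nat (outside) 4 access-list Reversed outside
"""

def _addr(tokens):
    """Consume one ACL address spec: any | host X | X MASK."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse(text):
    """Build {acls: name -> [(src_net, dst_net)], rules: [...], pools: [...]}."""
    cfg = {"acls": {}, "rules": [], "pools": []}
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "access-list" and "permit" in t:
            src, rest = _addr(t[t.index("permit") + 2:])        # skip the protocol
            cfg["acls"].setdefault(t[1], []).append((src, _addr(rest)[0]))
        elif t[0] == "nat" and "access-list" in t and t[-1] == "outside":
            cfg["rules"].append({"ingress": t[1].strip("()"), "id": int(t[2]),
                                 "acl": t[t.index("access-list") + 1],
                                 "translate_hits": 0, "untranslate_hits": 0})
        elif t[0] == "global":
            lo, _, hi = t[3].partition("-")
            first, last = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi or lo))
            cfg["pools"].append({"egress": t[1].strip("()"), "id": int(t[2]),
                                 "addrs": [ipaddress.ip_address(i) for i in range(first, last + 1)],
                                 "xlate": {}})                  # real src -> mapped src
    return cfg

def translate(cfg, ingress, egress, src, dst):
    """Mapped source for a packet arriving on `ingress` and leaving via `egress`,
    or None when no outside-NAT rule and pool apply (no xlate, no hit)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in cfg["rules"]:                   # first match in config order
        if rule["ingress"] != ingress or not any(
                s in sn and d in dn for sn, dn in cfg["acls"].get(rule["acl"], [])):
            continue
        for pool in cfg["pools"]:
            if pool["id"] != rule["id"] or pool["egress"] != egress:
                continue
            xlate = pool["xlate"]
            if s not in xlate:                  # dynamic NAT: next free pool address
                free = [a for a in pool["addrs"] if a not in xlate.values()]
                if not free:
                    return None                 # pool exhausted
                xlate[s] = free[0]
            rule["translate_hits"] += 1
            return str(xlate[s])
    return None

def untranslate(cfg, dst):
    """Real host behind a mapped address (reply traffic), or None without an xlate."""
    d = ipaddress.ip_address(dst)
    for pool in cfg["pools"]:
        for real, mapped in pool["xlate"].items():
            if mapped == d:
                for rule in cfg["rules"]:
                    rule["untranslate_hits"] += int(rule["id"] == pool["id"])
                return str(real)
    return None

def show_nat(cfg):
    """Per-rule counters, like translate_hits/untranslate_hits in `show nat`."""
    return {r["acl"]: (r["translate_hits"], r["untranslate_hits"]) for r in cfg["rules"]}

def demo():
    """Run constructed packets through the model; returns the config and results."""
    cfg = parse(CONFIG)
    out = {
        "integrator": translate(cfg, "outside", "inside", "192.168.1.23", "10.10.1.5"),
        "same_host_again": translate(cfg, "outside", "inside", "192.168.1.23", "10.10.1.9"),
        "realhosts": translate(cfg, "outside", "DMZ", "203.0.113.7", "19.17.9.26"),
        "reply_to_mapped": untranslate(cfg, "10.10.0.3"),
        # the backwards ACL could only hit for a packet arriving on outside with an
        # inside source, which never happens, so its counters stay at zero
        "reversed": translate(cfg, "inside", "outside", "10.10.1.5", "192.168.1.23"),
    }
    return cfg, out
```

In this plain NAT model both of DimonRonD's rules match as written (the integrator host gets 10.10.0.3, an Internet host reaching 19.17.9.26 gets 10.20.20.128, and the reply to 10.10.0.3 is un-NATed back to 192.168.1.23), while the constructed Reversed rule, whose ACL names the inside network as the source, never accumulates a hit for traffic arriving on outside. That is the same check the thread does with "sh nat" and "sh xlate": a rule with zero translate_hits is one whose ACL, ingress interface or global pool does not describe the packet as it actually arrives. The model has no VPN processing, so it cannot explain why the IPsec case in the thread showed no hits; it only shows what the NAT rule itself would do.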

Hi DimonRonD,

Not sure about your setup, but mine was backwards:

I had:

access-list LUXATLASA01e_470_cryptomap extended permit ip 10.0.2.176 255.255.255.240 object-group Vendor-inside

It should be:
access-list LUXATLASA01e_cryptomap_470 extended permit ip 10.80.0.0 255.255.0.0 10.0.2.176 255.255.255.240

Also had to add:
access-list LUXATLASA01i_nat0_outbound extended permit ip object-group Vendor-inside 10.0.2.176 255.255.255.240

I highly recommend opening a ticket with TAC for configuration assistance so they can help you understand the config. If they can teach me, they can teach anyone!
