Having Problem in Policy NAT

Anand Narayana
Level 6

Hi All,

Please find my requirements below & the test results.

Existing Setup

  • Created site-to-site VPN (Client ASA ~ Data Center ASA).
  • Tunnel established. Only Client WRKS-A (192.168.1.1) & Data Center Server-A (10.1.1.1) are in the allowed hosts on the VPN ACL.
  • Able to transfer files from Client 192.168.1.1 to 10.1.1.1 with no issues.

Requirement

  • Assume a situation where I am taking my Server-A (10.1.1.1) down for maintenance for 6 hours. Until the maintenance is complete, I will have Server-B (10.1.1.2) in place, so that I need not inform the client to add 10.1.1.2 in his ASA.
  • Since 10.1.1.2 is not in the allowed VPN ACL, I have a POLICY-NAT configuration in place on the Data Center ASA, so that the file transfer from 192.168.1.1 will not be interrupted.

static (inside,outside) 10.1.1.1  access-list CLIENT_VPN_Policy_NAT

access-list CLIENT_VPN_Policy_NAT extended permit ip host 10.1.1.2 host 192.168.1.1

access-list nonat extended permit ip host 10.1.1.1 host 192.168.1.1

Test Results

  • Successful & able to receive files from 192.168.1.1 to 10.1.1.2 after the policy NAT configuration, & hence I decided that I will use this policy NAT configuration forever, so that the client will keep transferring the files only to 10.1.1.2 forever, though 10.1.1.2 is not in his allowed ACL.

Problem

  • I have another client 172.16.1.1 on a different VPN tunnel, where I have to permit ONLY 10.1.1.1 to transfer the files from 172.16.1.1. The issue here is: the tunnel establishes, but the client is transferring the files to 10.1.1.2 because of the POLICY-NAT for the IP 10.1.1.1 that is configured for the previous client.

Question

  • Why does this POLICY-NAT reflect on the other tunnels when they also use the same IP 10.1.1.1?

I was assuming that POLICY-NAT would reflect only on the tunnel where I configure it, but this seems to be reflecting on all whomsoever is using 10.1.1.1.

2 Replies

Farrukh Haroon
VIP Alumni

This is the default behavior of Policy NAT. For incoming traffic, it won't consider the source IP mentioned in the Policy NAT ACL.

As a workaround you need to apply filtering via access-lists. By default there is no ACL check for VPN traffic; you have to enable it via sysopt commands.

Alternatively you can put an outbound ACL on the inside interface, allowing access to 10.1.1.2 from the 192.168.1.1 client only. Don't forget to permit everything else at the end of the ACL.

Regards

Farrukh
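The access-list workaround described in the reply above, written out as an added example that is not part of the thread and not Farrukh's or Cisco's own configuration. It assumes the same pre-8.3 `static ... access-list` policy NAT syntax and the same addresses the post uses (client A 192.168.1.1, client B 172.16.1.1, Server-A 10.1.1.1 as the mapped address, Server-B 10.1.1.2 as the real stand-in); the ACL names INSIDE_OUT and OUTSIDE_IN are made up for the example, and the `!` lines are comments for the reader:

```text
! Added example, not from the thread. Assumes pre-8.3 ASA syntax and the
! addresses from the post; the ACL names INSIDE_OUT and OUTSIDE_IN are invented.

! The policy NAT from the post. Any outside host that sends to the mapped address
! 10.1.1.1 is untranslated to the real address 10.1.1.2 on its way to the inside.
static (inside,outside) 10.1.1.1 access-list CLIENT_VPN_Policy_NAT
access-list CLIENT_VPN_Policy_NAT extended permit ip host 10.1.1.2 host 192.168.1.1
access-list nonat extended permit ip host 10.1.1.1 host 192.168.1.1

! Workaround: an ACL applied in the OUT direction on the inside interface.
! Traffic reaches this check after untranslation, so the entries can match the
! real address 10.1.1.2 and restrict it to client A. The final permit keeps all
! other inside-bound traffic working, as the reply stresses.
access-list INSIDE_OUT remark Only client A may reach the stand-in Server-B
access-list INSIDE_OUT extended permit ip host 192.168.1.1 host 10.1.1.2
access-list INSIDE_OUT extended deny ip any host 10.1.1.2
access-list INSIDE_OUT extended permit ip any any
access-group INSIDE_OUT out interface inside

! Per the reply, decrypted VPN traffic bypasses interface ACL checks by default.
! If the outbound ACL above is not enforced for tunnel traffic, turn the bypass
! off. Once it is off, the tunnel traffic itself must be permitted inbound on the
! outside interface; that ACL sees the mapped address 10.1.1.1, not 10.1.1.2.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit ip host 192.168.1.1 host 10.1.1.1
access-list OUTSIDE_IN extended permit ip host 172.16.1.1 host 10.1.1.1
access-group OUTSIDE_IN in interface outside
```

Two checks worth doing before relying on this: confirm with `show access-list INSIDE_OUT` that the deny entry's hit count increases when client B attempts the transfer, and confirm that client A's transfer to 10.1.1.1 still lands on 10.1.1.2. Note that the OUTSIDE_IN list alone cannot separate the two servers, because both clients address the same mapped IP; the restriction has to live where the real address is visible, which is the outbound list on the inside interface. With the bypass disabled, any other tunnel terminating on the outside interface also needs its traffic permitted in OUTSIDE_IN, otherwise it will be dropped.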

Thanks Farrukh. Let me try this & shall get back to you some time during next week.
