ASA Site-to-Site VPN Configuration - NAT questions

Answered Question
Oct 21st, 2010

Greetings,


I am tasked with configuring a site-to-site VPN connection to a business partner in which I would first like to NAT my internal IPs to a public IP then send it across the tunnel, and vice versa when they try to access my servers I would like them to get to them via the external IP.  Here is what I think I need to do, but I wondered what the community's thoughts were.


All IP addresses represented below are fictional.


Internal Servers       Public IP
10.50.220.150          208.180.170.182
10.50.220.151          208.180.170.183
10.50.220.152          208.180.170.184

Local Peer IP:     208.180.254.29
Remote Peer IP:    207.190.218.31

Local Network:     208.180.170.0/24
Remote Network:    207.190.239.0/24


From my understanding, NAT occurs before traffic is sent out through a tunnel, to the internet, etc., so the configuration I am thinking I need is the following:


nat (inside) 0 access-list nonat
nat (inside) 2 10.50.220.150
nat (inside) 3 10.50.220.151
nat (inside) 4 10.50.220.152

global (outside) 2 208.180.170.182
global (outside) 3 208.180.170.183
global (outside) 4 208.180.170.184

access-list nonat extended permit ip 208.180.170.0 255.255.255.0 207.190.239.0 255.255.255.0   (Do I even need this since it's getting NATed to a public IP anyway?)

access-list s2s-Customer extended permit ip 208.180.170.0 255.255.255.0 207.190.239.0 255.255.255.0

route outside 207.190.239.0 255.255.255.0 207.190.218.31

crypto map outside 1 set peer 207.190.218.31
crypto map outside 1 match address s2s-Customer

[..rest of configuration omitted..]



Does that look/sound right? If not, please advise.


Thanks.


Federico Coto F... Thu, 10/21/2010 - 15:01

Hi,


You're correct.

Normally you don't NAT the VPN traffic since the communication goes privately through the internet but you can definitely NAT the VPN traffic if needed.


You don't need the nat 0 statement because that's to bypass NAT (therefore there's no need for the ACL referenced by nat 0).


The crypto ACL defines the traffic from the NATed IP to the NATed IP of the other side.


Hope it helps.


Federico.

jjohnston1127 Fri, 10/22/2010 - 06:54

Federico,


Thanks for the response.  One more question.


The NAT/PAT statements there take care of outbound NAT, but I assume I will also need static (inside,outside) NAT statements to take care of the inbound NAT, should users across the VPN tunnel want to initiate the traffic to our server.  Is this correct?


Does the NAT order of operations take place inbound before attempting to pass traffic?

Correct Answer
Federico Coto F... Fri, 10/22/2010 - 07:10

Yes.

PAT (nat/global) will take care of outbound traffic and static will take care of inbound traffic.


You can create Policy NAT as well to manage this traffic.


Federico.
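Putting the thread's conclusion together in one place, as an added example that is not part of the original post or of Federico's answers: an ASA 8.2-style (pre-8.3 NAT syntax) configuration using the fictional addresses from the question. Because a static (inside,outside) translation is bidirectional, it replaces both the outbound nat/global pairs and the inbound NAT the follow-up question asked about, and nat 0 is dropped as Federico advised. The transform set name, ISAKMP policy, pre-shared key, published ports, and the ISP gateway 208.180.254.1 are assumptions made up for this example.

```cisco
! Added example, not from the thread. ASA 8.2 (pre-8.3) syntax; addresses are the
! fictional ones from the question, everything marked "placeholder" is assumed.
!
! One static per server. A static translates in both directions, so it handles
! outbound (10.50.220.x -> 208.180.170.x) and lets the partner initiate inbound
! connections to the public IP. No nat/global pairs and no nat 0 are needed.
static (inside,outside) 208.180.170.182 10.50.220.150 netmask 255.255.255.255
static (inside,outside) 208.180.170.183 10.50.220.151 netmask 255.255.255.255
static (inside,outside) 208.180.170.184 10.50.220.152 netmask 255.255.255.255
!
! Crypto ACL. NAT runs before encryption, so it matches the post-NAT (public)
! addresses. Listing only the three published hosts instead of 208.180.170.0/24
! keeps the rest of that block out of the tunnel; the partner's crypto ACL must be
! the exact mirror image or phase 2 will fail to negotiate.
access-list s2s-Customer extended permit ip host 208.180.170.182 207.190.239.0 255.255.255.0
access-list s2s-Customer extended permit ip host 208.180.170.183 207.190.239.0 255.255.255.0
access-list s2s-Customer extended permit ip host 208.180.170.184 207.190.239.0 255.255.255.0
!
! By default decrypted VPN traffic bypasses the outside interface ACL. Turning that
! off makes inbound partner traffic subject to outside_in, so only the published
! ports are reachable. Ports 443 and 22 are placeholders.
no sysopt connection permit-vpn
access-list outside_in extended permit tcp 207.190.239.0 255.255.255.0 host 208.180.170.182 eq 443
access-list outside_in extended permit tcp 207.190.239.0 255.255.255.0 host 208.180.170.183 eq 443
access-list outside_in extended permit tcp 207.190.239.0 255.255.255.0 host 208.180.170.184 eq 22
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! Routing: the remote network only has to leave via the outside interface; a
! default route to the ISP gateway (placeholder 208.180.254.1) is enough.
route outside 0.0.0.0 0.0.0.0 208.180.254.1
!
! Phase 1 / phase 2 (placeholder policy values).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside 1 match address s2s-Customer
crypto map outside 1 set peer 207.190.218.31
crypto map outside 1 set transform-set ESP-AES256-SHA
crypto map outside interface outside
tunnel-group 207.190.218.31 type ipsec-l2l
tunnel-group 207.190.218.31 ipsec-attributes
 pre-shared-key PLACEHOLDER-CHANGE-ME
```

To confirm the order of operations the follow-up asked about, `packet-tracer input inside tcp 10.50.220.150 1025 207.190.239.10 443` shows the NAT phase translating the source to 208.180.170.182 before the VPN encrypt phase matches s2s-Customer; `show xlate` lists the three static translations and `show crypto ipsec sa` shows the per-host proxy identities once the tunnel is up.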
