ASA 8.3 - site to site VPN with NAT

Unanswered Question
Feb 21st, 2012

Hi All.


I am trying to create a site-to-site VPN, except it's not the usual setup. The third party have requested that we NAT all our inside source addresses to a single address before sending it over the tunnel; I believe this is because they want to avoid network overlaps on their end, as they have loads of VPNs.


So the flow we have is as follows:


multiple internal subnets ---> NAT to single address ---> VPN ----->Servers with outside addresses


With example IPs:


10.0.1.0/24

10.0.2.0/24  ----> NAT 1.1.1.1 -----> Over VPN------> 2.2.2.1 and/or 2.2.2.2

10.0.3.0/24


So the config I have is as follows:


object-group network vpnsourcesubnets
 network-object 10.0.1.0 255.255.255.0
 network-object 10.0.2.0 255.255.255.0
 network-object 10.0.3.0 255.255.255.0

object-group network vpnsourcesubnets-nat
 network-object host 1.1.1.1

object-group network vpndestinations
 network-object host 2.2.2.1
 network-object host 2.2.2.2

nat (inside,outside) source static vpnsourcesubnets vpnsourcesubnets-nat destination static vpndestinations vpndestinations

access-list VPNACL extended permit ip object-group vpnsourcesubnets-nat object-group vpndestinations


So regarding the above I have a few questions:


1. a) Should I be making the NAT statement dynamic rather than static? Should this be configured as dynamic NAT or dynamic PAT? I have come to the conclusion it should be dynamic PAT, as it's one address and multiple hosts, but I haven't seen any configuration guides with layouts like that, so I'm uncertain. If I do need to change it, how would this be reflected in the config?


2. Should the ACL be basing its permissions on the pre-NAT addresses or post-NAT? I've seen a few config examples but none of them seem to be consistent; one will say post-NAT, others will say pre-NAT.


3. We have multiple manual NAT statements within section 1 on the ASA that look like this:


nat (inside,outside) source static any any destination static nonat-rfc1918 nonat-rfc1918
nat (inside,outside) source dynamic any interface


Should I be placing my NAT statement above these? Could this cause any trouble?


Would love to hear your feedback on this.


Thanks in advance.

rizwanr74 Tue, 02/21/2012 - 06:00

"a) should i be making the nat statement dynamic rather than static?" It should be dynamic PAT.



Please post your config requirement, I will compile it for you.


Thanks

Rizwan Rafeek

kalebaks86 Tue, 02/21/2012 - 08:41

Thanks for your response, Rizwan.


To clarify, I'm building this VPN on a production ASA; it's up and running already with other VPNs configured. I'm just having trouble with this setup and trying to figure out what I'm doing wrong.


Do you have any feedback on my other questions?

rizwanr74 Tue, 02/21/2012 - 09:17

"should the ACL be basing its permissions on the pre-nat addresses or post nat?" It is pre-nat.


Hope that answers your question.


Thanks

kalebaks86 Tue, 02/21/2012 - 09:21

So the following would be the way to configure it?


object-group network vpnsourcesubnets
 network-object 10.0.1.0 255.255.255.0
 network-object 10.0.2.0 255.255.255.0
 network-object 10.0.3.0 255.255.255.0

object-group network vpnsourcesubnets-nat
 network-object host 1.1.1.1

object-group network vpndestinations
 network-object host 2.2.2.1
 network-object host 2.2.2.2

nat (inside,outside) source dynamic vpnsourcesubnets vpnsourcesubnets-nat destination static vpndestinations vpndestinations

access-list VPNACL extended permit ip object-group vpnsourcesubnets object-group vpndestinations

rizwanr74 Tue, 02/21/2012 - 09:33

"So the following would be they way to configure it?" Yes.

Mohsin Ali Fri, 12/13/2013 - 19:16

I believe it is going to be a one-way tunnel. I have a similar configuration on a FW, but the client is trying to access our side network as it is and not via the PAT IP address. If the traffic is to be initiated from the other end of the tunnel, then what needs to be done?
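The following is an added example for this thread, not configuration or code from any of the posts above or from Cisco. It is a small Python model of how an ASA 8.3+ walks its section 1 (manual, "twice") NAT rules: top-down, first rule whose source and destination both match wins, regardless of how specific it is. That is what decides question 3: if the catch-all `nat (inside,outside) source dynamic any interface` sits above the VPN rule, a 10.0.x.y host going to 2.2.2.1 is PATed to the outside interface address and never reaches the 1.1.1.1 rule. The model also checks the crypto ACL against the translated source, because the egress crypto map is consulted after NAT has been applied, and it models Mohsin's point that a dynamic PAT xlate only exists once an inside host has initiated a flow, so an unsolicited packet from 2.2.2.1 to 1.1.1.1 has nothing to untranslate. Assumptions that are not in the thread: the outside interface address 203.0.113.10, the remote RFC 1918 host 192.168.50.3, and that `nonat-rfc1918` contains the three RFC 1918 blocks.

```python
"""Model of ASA 8.3+ section 1 (manual NAT) first-match evaluation.

Added example for this forum thread; not Cisco code and not from the posts.
Addresses come from the thread (10.0.x.0/24, 1.1.1.1, 2.2.2.1-2) plus
constructed values: outside interface 203.0.113.10, remote host 192.168.50.3.
"""
from ipaddress import ip_address, ip_network

ANY = ["0.0.0.0/0"]
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # assumed content of nonat-rfc1918
VPN_SRC = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]          # vpnsourcesubnets
VPN_DST = ["2.2.2.1/32", "2.2.2.2/32"]                           # vpndestinations
PAT_ADDR = "1.1.1.1"                                              # vpnsourcesubnets-nat
OUTSIDE_IF = "203.0.113.10"                                       # constructed interface address

# rule = (name, real source nets, real destination nets, mapped source, dynamic?)
# mapped source is "identity" (static any any), "interface", or a host address
VPN_PAT = ("vpn-pat", VPN_SRC, VPN_DST, PAT_ADDR, True)
NONAT = ("nonat", ANY, RFC1918, "identity", False)
INET_PAT = ("inet-pat", ANY, ANY, "interface", True)

# crypto ACL written with the translated source, as in the first post:
# access-list VPNACL extended permit ip object-group vpnsourcesubnets-nat object-group vpndestinations
CRYPTO_ACL = ([PAT_ADDR + "/32"], VPN_DST)

CORRECT_ORDER = [VPN_PAT, NONAT, INET_PAT]   # VPN rule above the catch-all PAT
WRONG_ORDER = [NONAT, INET_PAT, VPN_PAT]     # catch-all PAT shadows the VPN rule


def _in(addr, nets):
    return any(ip_address(addr) in ip_network(n) for n in nets)


def first_match(rules, src, dst):
    """Section 1 is walked top-down; the first rule whose real source AND
    real destination both contain the packet wins. Specificity does not matter."""
    for rule in rules:
        _, real_src, real_dst, _, _ = rule
        if _in(src, real_src) and _in(dst, real_dst):
            return rule
    return None


def outbound(rules, src, dst, xlates):
    """Translate an inside-initiated packet and record the xlate it creates."""
    rule = first_match(rules, src, dst)
    if rule is None:
        return "no-match", src
    name, _, _, mapped_src, dynamic = rule
    mapped = {"identity": src, "interface": OUTSIDE_IF}.get(mapped_src, mapped_src)
    if dynamic:
        # dynamic PAT xlate, keyed on what the far end sees so the reply can be undone
        xlates[(dst, mapped)] = src
    return name, mapped


def inbound(rules, src, dst, xlates):
    """Untranslate an outside-initiated packet. Dynamic rules only work through
    an xlate built by earlier outbound traffic; static identity rules need none."""
    if (src, dst) in xlates:
        return xlates[(src, dst)]
    for _, real_src, real_dst, mapped_src, dynamic in rules:
        if not dynamic and mapped_src == "identity" and _in(dst, real_src) and _in(src, real_dst):
            return dst
    return None


def matches_crypto_acl(mapped_src, dst):
    """The egress crypto map is evaluated after NAT, so it sees the mapped source."""
    acl_src, acl_dst = CRYPTO_ACL
    return _in(mapped_src, acl_src) and _in(dst, acl_dst)


def walk(rules, src, dst):
    """Return (matched rule, source on the wire, would the flow be encrypted)."""
    name, mapped = outbound(rules, src, dst, {})
    return name, mapped, matches_crypto_acl(mapped, dst)


if __name__ == "__main__":
    for label, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(label, walk(rules, "10.0.2.5", "2.2.2.1"))
    xl = {}
    print("inbound before any outbound:", inbound(CORRECT_ORDER, "2.2.2.1", PAT_ADDR, xl))
    outbound(CORRECT_ORDER, "10.0.2.5", "2.2.2.1", xl)
    print("inbound after outbound:", inbound(CORRECT_ORDER, "2.2.2.1", PAT_ADDR, xl))
```

Running it shows the VPN rule winning only when it is placed above the `source dynamic any interface` line, RFC 1918 destinations still falling through to the identity rule in either order, and the 2.2.2.1 side only reaching an inside host through an xlate that inside-initiated traffic created first.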
