02-21-2012 05:50 AM
Hi All.
I am trying to create a site-to-site VPN, except it's not the usual setup. The 3rd party have requested we NAT all our inside source addresses to a single address before sending it over the tunnel; this I believe is due to them wanting to avoid network overlaps on their end as they have loads of VPNs.
So the flow we have is as follows:
multiple internal subnets ---> NAT to single address ---> VPN ----->Servers with outside addresses
with example IPs:
10.0.1.0/24
10.0.2.0/24 ----> NAT 1.1.1.1 -----> Over VPN------> 2.2.2.1 and/or 2.2.2.2
10.0.3.0/24
So the config I have is as follows:
object-group network vpnsourcesubnets
network-object 10.0.1.0 255.255.255.0
network-object 10.0.2.0 255.255.255.0
network-object 10.0.3.0 255.255.255.0
object-group network vpnsourcesubnets-nat
network-object host 1.1.1.1
object-group network vpndestinations
network-object host 2.2.2.1
network-object host 2.2.2.2
nat (inside,outside) source static vpnsourcesubnets vpnsourcesubnets-nat destination static vpndestinations vpndestinations
access-list VPNACL extended permit ip object-group vpnsourcesubnets-nat object-group vpndestinations
So regarding the above I have a few questions:
1. a) Should I be making the NAT statement dynamic rather than static? Should this be configured as dynamic NAT or dynamic PAT? I came to the conclusion it should be dynamic PAT as it's one address and multiple hosts, but I haven't seen any configuration guides with layouts like that so I'm uncertain. If I do need to change it, how would this reflect in the config?
2. Should the ACL be basing its permissions on the pre-NAT addresses or post-NAT? I've seen a few config examples but none of them seem to be consistent; one will say post-NAT, others will say pre-NAT.
3. We have multiple manual NAT statements within section 1 on the ASA that look like this:
nat (inside,outside) source static any any destination static nonat-rfc1918 nonat-rfc1918
nat (inside,outside) source dynamic any interface
Should I be placing my NAT statement above these? Could this cause any trouble?
Would love to hear your feedback on this.
Thanks in advance.
02-21-2012 06:00 AM
"a) should i be making the nat statement dynamic rather than static?" it should be dynamic PAT.
Please post your config requirement, I will compile it for you.
Thanks
Rizwan Rafeek
02-21-2012 08:41 AM
Thanks for your response Rizwan.
To clarify, I'm building this VPN on a production ASA; it's up and running already with other VPNs configured. I'm just having trouble with this setup and trying to figure out what I'm doing wrong.
Do you have any feedback on my other questions?
02-21-2012 09:17 AM
"should the ACL be basing its permissions on the pre-nat addresses or post nat?" It is pre-nat.
Hope that answers your question.
Thanks
02-21-2012 09:21 AM
So the following would be the way to configure it?
object-group network vpnsourcesubnets
network-object 10.0.1.0 255.255.255.0
network-object 10.0.2.0 255.255.255.0
network-object 10.0.3.0 255.255.255.0
object-group network vpnsourcesubnets-nat
network-object host 1.1.1.1
object-group network vpndestinations
network-object host 2.2.2.1
network-object host 2.2.2.2
nat (inside,outside) source dynamic vpnsourcesubnets vpnsourcesubnets-nat destination static vpndestinations vpndestinations
access-list VPNACL extended permit ip object-group vpnsourcesubnets object-group vpndestinations
02-21-2012 09:33 AM
"So the following would be the way to configure it?" Yes.
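Question 3 from the opening post (where the new line should sit among the existing section-1 rules) was never answered in the thread, so here is a small model of how the ASA walks manual NAT rules. It is an added example, not anything posted in the thread or taken from Cisco: it reproduces only the first-match behaviour of section 1 for the three lines quoted above, and it assumes an outside interface address (203.0.113.1) and the contents of the nonat-rfc1918 object (the three RFC 1918 ranges), neither of which the thread shows.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed values: the thread never shows the outside interface address or the
# contents of the nonat-rfc1918 object, so both are assumptions for this model.
OUTSIDE_INTERFACE_IP = "203.0.113.1"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


def nets(*cidrs: str) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(c) for c in cidrs]


@dataclass
class NatRule:
    """One section-1 (manual / twice) NAT line, reduced to what rule matching needs."""
    name: str
    real_src: List[ipaddress.IPv4Network]
    real_dst: List[ipaddress.IPv4Network]
    mapped_src: Optional[str]  # None = identity NAT (source keeps its real address)


def _matches(addr: str, networks: List[ipaddress.IPv4Network]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in networks)


def translate(rules: List[NatRule], src: str, dst: str) -> Tuple[Optional[str], str]:
    """Walk section 1 top to bottom; the first rule whose real source AND real
    destination both match the flow wins. Returns (rule name, translated source)."""
    for rule in rules:
        if _matches(src, rule.real_src) and _matches(dst, rule.real_dst):
            return rule.name, (src if rule.mapped_src is None else rule.mapped_src)
    return None, src  # no section-1 match; sections 2/3 are not modelled here


# The three NAT lines from the thread, as rule objects.
VPN_PAT = NatRule("vpn-pat", nets("10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"),
                  nets("2.2.2.1/32", "2.2.2.2/32"), "1.1.1.1")
NONAT_RFC1918 = NatRule("nonat-rfc1918", ANY, RFC1918, None)
CATCH_ALL_PAT = NatRule("dynamic-any-interface", ANY, ANY, OUTSIDE_INTERFACE_IP)

# Two candidate orderings for section 1.
VPN_RULE_BELOW = [NONAT_RFC1918, CATCH_ALL_PAT, VPN_PAT]
VPN_RULE_ABOVE = [VPN_PAT, NONAT_RFC1918, CATCH_ALL_PAT]


def compare_orderings(src: str = "10.0.1.5", dst: str = "2.2.2.1") -> dict:
    """Show which rule a VPN-bound flow hits under each ordering."""
    return {
        "below": translate(VPN_RULE_BELOW, src, dst),
        "above": translate(VPN_RULE_ABOVE, src, dst),
    }


if __name__ == "__main__":
    for order, (rule, mapped) in compare_orderings().items():
        print(f"VPN rule {order:5}: 10.0.1.5 -> 2.2.2.1 hit '{rule}', source leaves as {mapped}")
    # Flows that must keep working after the VPN line is moved to the top:
    print(translate(VPN_RULE_ABOVE, "10.0.1.5", "192.168.5.5"))   # identity via nonat-rfc1918
    print(translate(VPN_RULE_ABOVE, "10.0.1.5", "198.51.100.7"))  # PAT to interface as before
```

With the VPN line placed below the two existing rules, a flow from 10.0.1.5 to 2.2.2.1 skips the identity rule (2.2.2.1 is not RFC 1918 under the assumption above) and is consumed by `source dynamic any interface`, so it leaves with the interface address rather than 1.1.1.1 and the agreed PAT address never reaches the tunnel. Placed above them, the same flow is translated to 1.1.1.1 while the RFC 1918 identity rule and the general internet PAT behave exactly as before. On the ASA itself the same check is `packet-tracer input inside tcp 10.0.1.5 12345 2.2.2.1 443`, whose NAT phase shows which line the flow matched.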
12-13-2013 07:16 PM
I believe it is going to be a one-way tunnel. I have a similar configuration on the FW, but the client is trying to access our side network as it is and not the PAT IP address. If the traffic is to be initiated from the other end of the tunnel, then what needs to be done?