ASA 8.3 - site to site VPN with NAT

KiloBravo
Level 1

Hi All.

I am trying to create a site-to-site VPN, except it's not the usual setup. The 3rd party have requested we NAT all our inside source addresses to a single address before sending it over the tunnel; this I believe is due to them wanting to avoid network overlaps on their end, as they have loads of VPNs.

So the flow we have is as follows:

multiple internal subnets ---> NAT to single address ---> VPN ---> servers with outside addresses

With example IPs:

10.0.1.0/24
10.0.2.0/24  ----> NAT 1.1.1.1 -----> over VPN ------> 2.2.2.1 and/or 2.2.2.2
10.0.3.0/24

So the config I have is as follows:

object-group network vpnsourcesubnets
 network-object 10.0.1.0 255.255.255.0
 network-object 10.0.2.0 255.255.255.0
 network-object 10.0.3.0 255.255.255.0
object-group network vpnsourcesubnets-nat
 network-object host 1.1.1.1
object-group network vpndestinations
 network-object host 2.2.2.1
 network-object host 2.2.2.2

nat (inside,outside) source static vpnsourcesubnets vpnsourcesubnets-nat destination static vpndestinations vpndestinations

access-list VPNACL extended permit ip object-group vpnsourcesubnets-nat object-group vpndestinations

So regarding the above I have a few questions:

1. a) Should I be making the NAT statement dynamic rather than static? Should this be configured as dynamic NAT or dynamic PAT? I have come to the conclusion it should be dynamic PAT, as it's one address and multiple hosts, but I haven't seen any configuration guides with layouts like that, so I'm uncertain. If I do need to change it, how would this be reflected in the config?

2. Should the ACL be basing its permissions on the pre-NAT addresses or post-NAT? I've seen a few config examples, but none of them seem to be consistent; one will say post-NAT, others will say pre-NAT.

3. We have multiple manual NAT statements within section 1 on the ASA that look like this:

nat (inside,outside) source static any any destination static nonat-rfc1918 nonat-rfc1918
nat (inside,outside) source dynamic any interface

Should I be placing my NAT statement above these? Could this cause any trouble?

Would love to hear your feedback on this.

Thanks in advance.
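As an added illustration of question 3 (this is not part of the original thread or any Cisco tool), the following Python model evaluates ASA section 1 manual NAT rules the way the ASA does, top-down with first match winning, and shows what a flow from 10.0.1.5 to 2.2.2.1 is translated to when the VPN rule sits below versus above the existing rules. The contents of the nonat-rfc1918 object, the sample hosts and the outside interface address 203.0.113.1 are assumptions, since the thread does not show them.

```python
import ipaddress

# Constructed object definitions for the thread's config. vpnsourcesubnets,
# vpnsourcesubnets-nat and vpndestinations are from the post; nonat-rfc1918 is
# not shown there, and the interface address is made up (assumptions).
OBJECTS = {
    "any": ["0.0.0.0/0"],
    "interface": ["203.0.113.1/32"],           # assumed outside interface IP
    "vpnsourcesubnets": ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"],
    "vpnsourcesubnets-nat": ["1.1.1.1/32"],
    "vpndestinations": ["2.2.2.1/32", "2.2.2.2/32"],
    "nonat-rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

def parse_nat(line):
    """Split a manual NAT line into (mode, real source, mapped source, real destination)."""
    tok = line.split()
    dst_real = tok[8] if "destination" in tok else "any"
    return tok[3], tok[4], tok[5], dst_real

def in_object(ip, name):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in OBJECTS[name])

def translate(rules, src, dst):
    """Section 1 manual NAT is evaluated top-down, first match wins.
    Returns (matching rule number, source address the far end will see)."""
    for num, line in enumerate(rules, 1):
        mode, src_real, src_mapped, dst_real = parse_nat(line)
        if in_object(src, src_real) and in_object(dst, dst_real):
            if src_real == src_mapped:        # identity NAT, e.g. 'static any any'
                return num, src
            # dynamic PAT to one host (or any one-to-one mapping): first mapped address
            return num, OBJECTS[src_mapped][0].split("/")[0]
    return None, src                          # no section 1 match

VPN_RULE = ("nat (inside,outside) source dynamic vpnsourcesubnets vpnsourcesubnets-nat "
            "destination static vpndestinations vpndestinations")
EXISTING = [
    "nat (inside,outside) source static any any destination static nonat-rfc1918 nonat-rfc1918",
    "nat (inside,outside) source dynamic any interface",
]

def check_ordering(src="10.0.1.5", dst="2.2.2.1"):
    """Compare what a VPN-bound flow is translated to with the rule below vs. above the existing ones."""
    below = translate(EXISTING + [VPN_RULE], src, dst)
    above = translate([VPN_RULE] + EXISTING, src, dst)
    return below, above
```

With the VPN rule below the existing ones, the flow is caught by `source dynamic any interface` and PATed to the interface address, so it never carries 1.1.1.1 into the tunnel; placed above, it gets 1.1.1.1, while a flow to an RFC 1918 destination still falls through to the identity rule.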

6 Replies

rizwanr74
Level 7

"a) should i be making the nat statement dynamic rather than static?" it should be dynamic PAT.

Please post your config requirement, I will compile it for you.

Thanks

Rizwan Rafeek

Thanks for your response, Rizwan.

To clarify, I'm building this VPN on a production ASA; it's up and running already with other VPNs configured. I'm just having trouble with this setup. Trying to figure out what I'm doing wrong.

Do you have any feedback on my other questions?

"should the ACL be basing its permissions on the pre-nat addresses or post nat?" It is pre-nat.

Hope that answers your question.

Thanks

So the following would be the way to configure it?

object-group network vpnsourcesubnets
 network-object 10.0.1.0 255.255.255.0
 network-object 10.0.2.0 255.255.255.0
 network-object 10.0.3.0 255.255.255.0
object-group network vpnsourcesubnets-nat
 network-object host 1.1.1.1
object-group network vpndestinations
 network-object host 2.2.2.1
 network-object host 2.2.2.2

nat (inside,outside) source dynamic vpnsourcesubnets vpnsourcesubnets-nat destination static vpndestinations vpndestinations

access-list VPNACL extended permit ip object-group vpnsourcesubnets object-group vpndestinations

"So the following would be the way to configure it?" Yes.

I believe it is going to be a one-way tunnel. I have a similar configuration on a FW, but the client is trying to access our side network as it is and not via the PAT IP address. If the traffic is to be initiated from the other end of the tunnel, then what needs to be done?
