09-15-2014 04:58 AM - edited 03-11-2019 09:45 PM
I want to PAT traffic from the remote sites after it arrives at the ASA from the site 2 site VPN and as it goes out the "inside" interface. See attached diagram.
I want traffic from 192.168.90.0/24 to be PAT to 192.168.36.90 as it goes out the "inside" interface that goes to 10.10.0.0/24 network
and
I want traffic from 192.168.99.0/24 to be PAT to 192.168.36.99 as it goes out the "inside" interface that goes to 10.10.0.0/24 network
Here is what I think I need to configure, please let me know if this is correct. ASA is running 9.x code.
object network HOST-192.168.36.90
host 192.168.36.90
object network HOST-192.168.36.99
host 192.168.36.99
object network NET-192.168.90.0-28
subnet 192.168.90.0 255.255.255.0
object network NET-192.168.99.0-28
subnet 192.168.99.0 255.255.255.0
nat (outside,inside) source dynamic NET-192.168.90.0-28 NET-192.168.90.0-28 destination static HOST-192.168.36.90 HOST-192.168.36.90
nat (outside,inside) source dynamic NET-192.168.99.0-28 NET-192.168.99.0-28 destination static HOST-192.168.36.99 HOST-192.168.36.99
Thanks,
Mike
09-15-2014 06:01 AM
The format of twice NAT is the following:
nat (inside,outside) source static insideReal insideMapped destination static DestMapped DestReal
So to do what you want you would need something like this:
object network LAN
subnet 10.10.0.0 255.255.255.0
object network HOST-192.168.36.90
host 192.168.36.90
object network NET-192.168.90.0-28
subnet 192.168.90.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static HOST-192.168.36.90 NET-192.168.90.0-28
Keep in mind that twice nat is bidirectional. This NAT statement will maintain the 10.10.0.0/24 subnet (keep the same address after NAT) and translate the 192.168.90.0/28 subnet to the host IP of 192.168.36.90. When traffic from 192.168.90.0/28 comes into the ASA it is translated to the 192.168.36.90 IP. The same goes for when 10.10.0.0/24 sends traffic to 192.168.36.90, it is translated back to 192.168.90.0/28.
--
Please remember to select a correct answer and rate helpful posts
09-15-2014 06:22 AM
Thanks Marius and Sandy but which one do I need to do?
I want traffic coming from network 192.168.90.0/24 to use 192.168.36.90 to get to 10.10.0.0/24
and traffic coming from 192.168.99.0/24 to use 192.168.36.99 to get to 10.10.0.0/24
Mike
09-15-2014 08:04 AM
Hi Mike ,
Doing simple PAT at the remote site will solve your requirement. Share your remote router config with me and I can help you.
HTH
Sandy
09-15-2014 12:36 PM
Thanks for your help.......
Cisco881#show run
Building configuration...
Current configuration : 5969 bytes
!
! No configuration change since last restart
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco881
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxxxxx
!
no aaa new-model
memory-size iomem 10
clock timezone xxxxxx
clock summer-time xxxxxx
!
crypto pki trustpoint TP-self-signed-xxxxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxxxxx
revocation-check none
rsakeypair TP-self-signed-xxxxxxx
!
!
crypto pki certificate chain TP-self-signed-xxxx
certificate self-signed 01
Config omitted
quit
ip source-route
!
!
ip dhcp excluded-address 192.168.99.1 192.168.99.99
!
ip dhcp pool ccp-pool1
import all
network 192.168.99.0 255.255.255.0
default-router 192.168.99.1
dns-server 10.10.0.50 10.10.0.49
!
!
ip cef
ip domain name test.com
ip name-server 10.10.0.50
ip name-server 10.10.0.49
no ipv6 cef
!
!
license udi pid CISCO881W-GN-A-K9 sn xxxxxxx
!
!
username admin privilege 15 secret 5 xxxxxxxx
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxxxxx address 2xx.xxx.xxx.186
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to2xx.xxx.xxx.186
set peer 2xx.xxx.xxx.186
set transform-set ESP-3DES-SHA
match address 103
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$
ip address 72.xxx.xxx.169 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$
ip address 192.168.99.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 72.xxx.xxx.174 permanent
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.99.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.99.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.99.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 permit ip 192.168.99.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.99.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.99.0 0.0.0.255 10.10.0.0 0.0.255.255
no cdp run
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
omitted
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
09-15-2014 11:33 PM
You need to add the following:
access-list 104 permit ip 192.168.99.0 0.0.0.255 10.0.0.0 0.0.0.255
route-map VPN-TRAFFIC
 match ip address 104
ip nat pool VPN 192.168.36.99 192.168.36.99 netmask 255.255.255.0
ip nat inside source route-map VPN-TRAFFIC pool VPN overload
This will translate traffic from 192.168.99.0/24 destined for 10.0.0.0/24 to the IP of 192.168.36.99.
You can use this same example for the other subnets also...just change the IPs as required.
--
Please remember to select a correct answer and rate helpful posts
09-15-2014 11:34 PM
Also, remember to exempt traffic from being NATed when configuring for the 192.168.90.0/24 subnet. You have already done this for the 192.168.99.0/24 network.
--
Please remember to select a correct answer and rate helpful posts
09-16-2014 04:32 AM
Thanks for the help.
Now the question, why does this need to be done on the router (remote side) and not on the ASA?
Mike
09-16-2014 04:42 AM
It doesn't need to be done at the remote side, the effect will be the same whether you do it at the remote side or local. It is just a matter of when/where the translation takes place. Some say that it is a "cleaner" configuration if you do the NAT before it enters the tunnel. This really depends on who you are talking to of course.
If you did not have control of the remote site then your only option is to configure NAT at your local ASA. But since you do have control of the remote side, you have the option to do NAT there.
If you do NAT at the remote site, then you would need to add the translated addresses into the crypto ACL of both devices. If you do NAT locally then you would have the actual IPs in the crypto ACL instead.
--
Please remember to select a correct answer and rate helpful posts
09-16-2014 04:49 AM
I would like to do all of this on the ASA and not at the individual sites so if something changes I just have to work on the ASA and not 28+ sites.
I will post what I think I need to configure for review as I am a little confused between the router config and the ASA config......
Stay tuned and thanks for your help.
I will rate the posts after I got this...
Mike
09-16-2014 05:37 AM
I am now confusing myself, and it could be that I am not asking the question correctly or explaining what I need or what I have set up.
So let's start over a little.
On the diagram I attached, we have no control over the MPLS router (10.10.0.2), and on the core switch there is a default route that points to the MPLS router IP address 10.10.0.2. The MPLS router does not know about the 192.168.99.0/24 or 192.168.90.0/24 networks, so it does not know where to send that traffic and it gets dropped. We cannot add the subnets to the MPLS router.
Now I need traffic coming from 10.10.0.0/24 going to 192.168.99.0/24 or 192.168.90.0/24 to get to the ASA where the tunnel terminates and then make it across the tunnel.
Next I need the traffic coming from 192.168.99.0/24 or 192.168.90.0/24 to be able to get to the 10.10.0.0/24 network and back.
What would be the easiest way to accomplish this and manage it going forward? I have 28+ remote sites that I need to do this for.
Mike
09-16-2014 11:14 AM
It could help to know why you need to do this. Do you have overlapping IPs?
If you don't have overlapping IPs, what is the reason you are NATing to a single IP instead of allowing the encrypted domains to cross the VPN?
To answer your question "What would be the easiest way to accomplish this and manage it going forward?"
The easiest way would be to just set up crypto ACLs for each site and the local IP and also set up a nat exempt to stop them from being NATed. And don't bother with NATing the VPN traffic if you can.
But if you have to set this up in this way, then my example in my original post should do the trick. Here it is again.
object network LAN
subnet 10.10.0.0 255.255.255.0
object network HOST-192.168.36.90
host 192.168.36.90
object network NET-192.168.90.0-28
subnet 192.168.90.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static HOST-192.168.36.90 NET-192.168.90.0-28
--
Please remember to select a correct answer and rate helpful posts
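The two placements Marius describes (PAT on the remote 881 before encryption, or PAT on the ASA after decryption), written out side by side as an added example for the 192.168.99.0/24 and 192.168.90.0/24 sites. This is not configuration posted by anyone in the thread: the object names, the ACL names, the pool name and the route-map sequence number are my choices, and it assumes the 10.10.0.0/24 core routes 192.168.36.90 and 192.168.36.99 to the ASA "inside" interface (the diagram and the ASA interface addressing are not on the page).

```cisco
!=====================================================================
! Option 1: PAT on the remote Cisco 881, BEFORE encryption.
! IOS translates inside->outside traffic and then evaluates the crypto
! map, so the crypto ACLs on BOTH peers must carry the PAT address.
!=====================================================================
! Policy NAT: only 192.168.99.0/24 -> 10.10.0.0/24 is PATed to 192.168.36.99.
! ACL 101 / route-map SDM_RMAP_1 from the posted config already keep this
! traffic out of the Internet PAT on FastEthernet4.
access-list 104 permit ip 192.168.99.0 0.0.0.255 10.10.0.0 0.0.0.255
route-map VPN-TRAFFIC permit 10
 match ip address 104
ip nat pool VPN-PAT 192.168.36.99 192.168.36.99 netmask 255.255.255.0
ip nat inside source route-map VPN-TRAFFIC pool VPN-PAT overload
!
! Crypto ACL 103 must now match the TRANSLATED source. Numbered ACLs are
! rebuilt whole; the old 192.168.99.0/24 entry is replaced.
no access-list 103
access-list 103 permit ip host 192.168.36.99 10.10.0.0 0.0.0.255
!
! --- ASA hub side for Option 1 (exact mirror of the 881's ACL 103) ---
object network LAN-10.10.0.0
 subnet 10.10.0.0 255.255.255.0
object network PAT-192.168.36.99
 host 192.168.36.99
access-list VPN-SITE99 extended permit ip object LAN-10.10.0.0 object PAT-192.168.36.99
! Identity (exempt) NAT so 10.10.0.0/24 -> 192.168.36.99 is not swallowed
! by an inside->outside Internet PAT on the hub.
nat (inside,outside) source static LAN-10.10.0.0 LAN-10.10.0.0 destination static PAT-192.168.36.99 PAT-192.168.36.99 no-proxy-arp route-lookup

!=====================================================================
! Option 2: PAT on the ASA hub, AFTER decryption (the original ask).
! The crypto ACLs keep the REAL remote subnets on both peers; the
! translation happens as the decrypted packet leaves "inside".
!=====================================================================
object network LAN-10.10.0.0
 subnet 10.10.0.0 255.255.255.0
object network NET-192.168.90.0-24
 subnet 192.168.90.0 255.255.255.0
object network NET-192.168.99.0-24
 subnet 192.168.99.0 255.255.255.0
object network PAT-192.168.36.90
 host 192.168.36.90
object network PAT-192.168.36.99
 host 192.168.36.99
!
! Real source = remote LAN arriving decrypted on "outside";
! mapped source = the single PAT host; destination kept as-is (static X X).
nat (outside,inside) source dynamic NET-192.168.90.0-24 PAT-192.168.36.90 destination static LAN-10.10.0.0 LAN-10.10.0.0
nat (outside,inside) source dynamic NET-192.168.99.0-24 PAT-192.168.36.99 destination static LAN-10.10.0.0 LAN-10.10.0.0
!
! Crypto ACLs with untranslated addresses. The 881 keeps a crypto ACL for
! 192.168.99.0/24 -> 10.10.0.0/24; the ASA side must mirror it exactly
! (the posted ACL 103 uses 10.10.0.0 0.0.255.255, so tighten it to /24
! or widen these entries to 255.255.0.0 to match).
access-list VPN-SITE90 extended permit ip object LAN-10.10.0.0 object NET-192.168.90.0-24
access-list VPN-SITE99 extended permit ip object LAN-10.10.0.0 object NET-192.168.99.0-24
```

Two checks worth doing after either option: on the ASA, `show nat detail` shows hit counts per rule and `show xlate` shows the live PAT entries; on the 881, `show ip nat translations` and `show crypto ipsec sa` show whether packets were translated and then encrypted in that order. One caveat that applies to both options: dynamic PAT onto a single address is one-directional. Sessions must start from the remote site, and hosts on 10.10.0.0/24 cannot initiate a connection to a specific remote host behind 192.168.36.90 or 192.168.36.99. If hub-to-branch initiated traffic is required, a one-to-one static NAT of each remote subnet (or the plain NAT-exempt design Marius recommends) is needed instead.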
09-22-2014 08:14 AM
Thank you everyone for all your help. I have been dragged onto something else and did not get a chance to try all this, but when I do I will mark solved accordingly.
stay tuned.
Rated for all your help.
Mike
09-15-2014 06:02 AM
Hi Mike ,
Do PAT at the remote location on your router, and build the crypto map ACL with the PAT IP address on your ASA firewall.
Your above configuration can't perform PAT for your VPN network.
HTH
Sandy