Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)

NAT/PAT for Site to Site VPN

I want to PAT traffic from the remote sites after it arrives at the ASA from the site 2 site VPN and as it goes out the "inside" interface. See attached diagram.

I want traffic from 192.168.90.0/24 to be PAT to 192.168.36.90 as it goes out the "inside" interface that goes to 10.10.0.0/24 network

and

I want traffic from 192.168.99.0/24 to be PAT to 192.168.36.99 as it goes out the "inside" interface that goes to 10.10.0.0/24 network

 

Here is what I think I need to configure, please let me know if this is correct. ASA is running 9.x code.

 

object network HOST-192.168.36.90
 host 192.168.36.90

object network HOST-192.168.36.99
 host 192.168.36.99

object network NET-192.168.90.0-28
 subnet 192.168.90.0 255.255.255.0

object network NET-192.168.99.0-28
 subnet 192.168.99.0 255.255.255.0


nat (outside,inside) source dynamic NET-192.168.90.0-28 NET-192.168.90.0-28 destination static HOST-192.168.36.90 HOST-192.168.36.90

nat (outside,inside) source dynamic NET-192.168.99.0-28 NET-192.168.99.0-28 destination static HOST-192.168.36.99 HOST-192.168.36.99

 

Thanks,

Mike

14 REPLIES
VIP Green

The format of twice NAT is

The format of twice NAT is the following:

nat (inside,outside) source static insideReal insideMapped destination static DestMapped DestReal

So to do what you want you would need something like the this:

object network LAN
  subnet 10.10.0.0 255.255.255.0

object network HOST-192.168.36.90
  host 192.168.36.90

object network NET-192.168.90.0-28
 subnet 192.168.90.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static HOST-192.168.36.90 NET-192.168.90.0-28

Keep in mind that twice nat is bidirectional.  This NAT statement will maintain the 10.10.0.0/24 subnet (keep the same address after NAT) and translate the 192.168.90.0/28 subnet to the host IP of 192.168.36.90.  When traffic from 192.168.90.0/28 comes into the ASA it is translated to the 192.168.36.90 IP. The same goes for when 10.10.0.0/24 sends traffic to 192.168.36.90, it is translated back to 192.168.90.0/28.

--

Please remember to select a correct answer and rate helpful posts

 

--

Please remember to rate and select a correct answer

Thanks Marius and Sandy but

Thanks Marius and Sandy but which one do I need to do?

 

I want traffic coming from network 192.168.90.0/24 to use 192.168.36.90 to get to 10.10.0.0/24

and traffic coming from 192.168.99.0/24 to use 192.168.36.99 to get to 10.10.0.0/24

 

Mike

VIP Green

You need to use the twice nat

You need to use the twice nat example i provided. Remember that twice nat is bidirectional so if you need to initiate traffic from the 10.10.0.0/24 network then you need to go to the natted address of 36.99. You will also need to have the NATed address of 36.99 in your crypto ACL as sandy has mentioned
--

Please remember to rate and select a correct answer

Hi Mike ,       Doing Simple

Hi Mike , 

      Doing Simple PAT at Remote Site will solve your requirement . Share me you your remote router config i can help you .

 

HTH

Sandy

Thanks for your help.......

Thanks for your help.......

 


Cisco881#show run
Building configuration...

Current configuration : 5969 bytes
!
! No configuration change since last restart
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco881
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxxxxx
!
no aaa new-model
memory-size iomem 10
clock timezone xxxxxx
clock summer-time xxxxxx
!
crypto pki trustpoint TP-self-signed-xxxxxx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-xxxxxx
 revocation-check none
 rsakeypair TP-self-signed-xxxxxxx
!
!
crypto pki certificate chain TP-self-signed-xxxx
 certificate self-signed 01

Config omitted

      quit
ip source-route
!
!
ip dhcp excluded-address 192.168.99.1 192.168.99.99
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.99.0 255.255.255.0
   default-router 192.168.99.1
   dns-server 10.10.0.50 10.10.0.49
!
!
ip cef
ip domain name test.com
ip name-server 10.10.0.50
ip name-server 10.10.0.49
no ipv6 cef
!
!
license udi pid CISCO881W-GN-A-K9 sn xxxxxxx
!
!
username admin privilege 15 secret 5 xxxxxxxx
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxx address 2xx.xxx.xxx.186
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to2xx.xxx.xxx.186
 set peer 2xx.xxx.xxx.186
 set transform-set ESP-3DES-SHA
 match address 103
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$
 ip address 72.xxx.xxx.169 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$
 ip address 192.168.99.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 72.xxx.xxx.174 permanent
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.99.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.99.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.99.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 101 permit ip 192.168.99.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.99.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.99.0 0.0.0.255 10.10.0.0 0.0.255.255
no cdp run

!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
omittied
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

 

VIP Green

You need to add the following

You need to add the following:

access-list 104 permit ip 192.168.99.0 0.0.0.255 10.0.0.0 0.0.0.255

route-map VPN-TRAFFIC
  match address 104

ip nat pool VPN 192.168.36.99 192.168.36.99 netmask 255.255.255.0
ip nat inside source route-map VPN-TRAFFIC pool VPN overload

This will translate traffic from 192.168.99.0/24 destined for 10.0.0.0/24 to the IP of 192.168.36.99.

You can use this same example for the other subnets also...just change the IPs as required.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
VIP Green

Also , remember to exempt

Also , remember to exempt traffic from being NATed when configuring for 192.168.90.0/24 subnet.  you have already done this for the 192.168.99.0/24 network.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer

Thanks for the help. Now the

Thanks for the help.

 

Now the question, why does this need to be done on the router (remote side) and not on the ASA?

 

Mike

VIP Green

It doesn't need to be done at

It doesn't need to be done at the remote side, the effect will be the same whether you do it at the remote side or local. It is just a matter of when/where the translation takes place.  Some say that it is a "cleaner" configuration if you do the NAT before it enters the tunnel.  This really depends on who you are talking to of course.

If you did not have control of the remote site then your only option is to configure NAT at your local ASA.  But since you do have control of the remote side, you have the option to do NAT there.

If you do NAT at the remote site, then you would need to add the translated addresses into the crypto ACL of both devices. If you do NAT locally then you would have the actual IPs in the crypto ACL instead.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer

I would like to do all of

I would like to do all of this on the ASA and not at the individual sites so if something changes I just have to work on the ASA and not 28+ sites.

 

I will post what I think I need to configure for review as I am a little confused between the router config and the ASA config......

Stay tuned and thanks for your help.

I will rate the posts after I got this...

 

Mike

I am now confusing myself and

I am now confusing myself and it could be I am not asking the question correctly or explaining what I need or I have setup.

So lets start over a little.

On the diagram I attached we have no control over the Router MPLS (10.10.0.2)

and on the core switch there is a default route that points to the MPLS router IP address 10.10.0.2 and the MPLS router does not know about 192.168.99.0/24 or the 192.168.90.0/24 networks and does not know where to send it so it gets dropped. We cannot add the subnets to the MPLS router.

 

now I need traffic coming from 10.10.0.0/24 going to 192.168.99.0/24 or 192.168.90.0/24 to get to the ASA where the tunnel terminates and then make it across the tunnel.

 

Next I need the traffic coming from 192.168.99.0/24 or 192.168.90.0/24 to be able to get to the 10.10.0.0/24 network and back.

 

What would be the easiest way to accomplish this and manage it going forward? I have 28+ remote sites that I need to do this for.

 

Mike

 

VIP Green

It could help to know why you

It could help to know why you need to do this.  Do you have overlapping IPs?

If you don't have overlapping IPs, what is the reason you are NATing to a single IP instead of allowing the encrypted domains to cross the VPN?

To answer your question "What would be the easiest way to accomplish this and manage it going forward?"

The easiest way would be to just set up crypto ACLs for each site and the local IP and also set up a nat exempt to stop them from being NATed. And don't bother with NATing the VPN traffic if you can.

But if you have to set this up in this way, then my example in my original post should do the trick.  Here it is again.

object network LAN
  subnet 10.10.0.0 255.255.255.0

object network HOST-192.168.36.90
  host 192.168.36.90

object network NET-192.168.90.0-28
 subnet 192.168.90.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static HOST-192.168.36.90 NET-192.168.90.0-28

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer

Thank you everyone for all

Thank you everyone for all your help. I have dragged onto something else and did not get a chance to try all this but when I do I will mark solved accordingly.

 

stay tuned.

Rated for all your help.

Mike

Hi Mike ,  Do PAT at remote

Hi Mike , 

 Do PAT at remote location on your router , Build Crypto MAP ACL with PAT IP address on your ASA firewall . 

 Your above configuration cant perform PAT for your VPN network . 

 

HTH

Sandy

1540
Views
40
Helpful
14
Replies
CreatePlease to create content