
NAT Statement translation

raza555
Level 3

Hi,

I am looking at the NAT statements below in our system, but I do not understand what they mean or what the purpose of these statements is.

This NAT statement is on a VPN ASA, and I understand it to mean that any source traffic on the OUTSIDE interface, leaving via the OUTSIDE interface towards destination NETWORK_OBJ_192.168.1.0_24, keeps its source and destination the same.

But what’s the purpose of this statement?

nat (Outside,Outside) source static any any destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup

nat (Outside,Outside) source static any any destination static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 no-proxy-arp route-lookup

Thanks



Jouni Forss
VIP Alumni

Hi,

Though I wouldn't configure it in that way it seems that this configuration is meant to enable traffic between 2 different VPN connections. It might be traffic from one L2L VPN to another or from VPN Client to L2L VPN.

It looks for any traffic coming from behind "OUTSIDE" towards the networks 192.168.1.0/24 and 192.168.2.0/24 that are also located behind interface "OUTSIDE" and says that no NAT should be performed for either the source or the destination. Same naturally applies in the reverse direction.

So networks 192.168.1.0/24 and 192.168.2.0/24 are probably some remote locations or VPN pool networks on your ASA.

Hope this helps

- Jouni

Thanks,

You are right that 192.168.1.0/24 and 192.168.2.0/24 are VPN pool networks associated to VPN clients.

As per your recommendation, how would you prefer to configure it?

Thanks

Anyone able to reply to the above query? Thanks

Hi,

With regards to the NAT0 configuration for the traffic between the 2 VPN networks, I would configure it in the following way:

object network VPN-1
 subnet 192.168.1.0 255.255.255.0
object network VPN-2
 subnet 192.168.2.0 255.255.255.0

nat (OUTSIDE,OUTSIDE) source static VPN-1 VPN-1 destination static VPN-2 VPN-2

This should handle the NAT0 between these 2 VPN networks without resorting to 2 "nat" commands.

Of the 2 other configurations you mention next, the first one seems to be a normal Dynamic PAT configuration between LAN and WAN.

The second configuration seems a bit odd, and I would have to guess that it's the result of an automatic NAT conversion perhaps? Have you upgraded the software on this ASA unit from older 8.2 (or older) software? It might be related to having the "nat-control" setting on the old software. I am however not 100% sure, as I convert the configurations manually.

- Jouni
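To make the difference between the two rule sets in this thread concrete, here is a small model of how the ASA matches manual (twice) NAT rules: first match wins, and a static twice-NAT rule is bidirectional, so a packet arriving from the mapped-destination side is matched with source and destination swapped. This is an added example written for this page, not code from the thread or from Cisco; the rule names (any-to-VPN-1, any-to-VPN-2, VPN-1-to-VPN-2), the sample hosts and the simplified matching are assumptions, and only the parts needed to compare the rules are modelled. It shows that the original "source static any any" rules apply identity NAT for every source that talks to the VPN pools, whereas Jouni's single VPN-1/VPN-2 rule only matches traffic between the two pools and leaves everything else to other NAT rules.

```python
"""Model of ASA manual (twice) NAT matching for identity (NAT0) rules.

Added example for this thread, not ASA code. First-match semantics and
bidirectional static rules are modelled; object groups, ports, and the
auto-NAT sections are not.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")          # stands for the keyword "any"
VPN_1 = ip_network("192.168.1.0/24")   # NETWORK_OBJ_192.168.1.0_24 / VPN-1
VPN_2 = ip_network("192.168.2.0/24")   # NETWORK_OBJ_192.168.2.0_24 / VPN-2


def _map_static(ip: IPv4Address, real: IPv4Network, mapped: IPv4Network) -> IPv4Address:
    """One-to-one static translation from the real to the mapped network.

    For identity NAT real == mapped, so the address is returned unchanged.
    """
    if real == mapped:
        return ip
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("static NAT needs equal-sized real and mapped networks")
    return mapped.network_address + (int(ip) - int(real.network_address))


@dataclass(frozen=True)
class TwiceNatRule:
    name: str
    real_ifc: str      # first interface in "nat (real,mapped)"
    mapped_ifc: str    # second interface in "nat (real,mapped)"
    src_real: IPv4Network
    src_mapped: IPv4Network
    dst_real: IPv4Network
    dst_mapped: IPv4Network

    def match(self, ingress: str, src: IPv4Address, dst: IPv4Address):
        # Forward direction: packet enters on the real interface.
        if ingress == self.real_ifc and src in self.src_real and dst in self.dst_real:
            return (_map_static(src, self.src_real, self.src_mapped),
                    _map_static(dst, self.dst_real, self.dst_mapped))
        # Reverse direction: a static twice-NAT rule also matches replies and
        # connections initiated from the mapped side, with the roles swapped.
        if ingress == self.mapped_ifc and src in self.dst_mapped and dst in self.src_mapped:
            return (_map_static(src, self.dst_mapped, self.dst_real),
                    _map_static(dst, self.src_mapped, self.src_real))
        return None


def apply_manual_nat(rules: List[TwiceNatRule], ingress: str,
                     src: str, dst: str) -> Optional[Tuple[str, str, str]]:
    """Evaluate rules in order (ASA section 1 manual NAT is first-match).

    Returns (rule name, translated source, translated destination), or None
    when no manual NAT rule matches the flow.
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        hit = rule.match(ingress, s, d)
        if hit is not None:
            return (rule.name, str(hit[0]), str(hit[1]))
    return None


# The two commands from the question (interface name "Outside").
QUESTION_RULES = [
    TwiceNatRule("any-to-VPN-1", "Outside", "Outside", ANY, ANY, VPN_1, VPN_1),
    TwiceNatRule("any-to-VPN-2", "Outside", "Outside", ANY, ANY, VPN_2, VPN_2),
]

# Jouni's single rule (interface name "OUTSIDE").
ANSWER_RULES = [
    TwiceNatRule("VPN-1-to-VPN-2", "OUTSIDE", "OUTSIDE", VPN_1, VPN_1, VPN_2, VPN_2),
]


if __name__ == "__main__":
    # Constructed sample flows: pool-to-pool in both directions, and an
    # unrelated source (10.0.0.5) reaching a VPN pool host.
    flows = [("192.168.1.10", "192.168.2.10"),
             ("192.168.2.10", "192.168.1.10"),
             ("10.0.0.5", "192.168.1.10")]
    for src, dst in flows:
        print(f"{src} -> {dst}")
        print("  question rules:", apply_manual_nat(QUESTION_RULES, "Outside", src, dst))
        print("  answer rule   :", apply_manual_nat(ANSWER_RULES, "OUTSIDE", src, dst))
```

On the firewall itself, the equivalent check is `packet-tracer input OUTSIDE tcp 192.168.1.10 12345 192.168.2.10 80`, whose NAT phase names the rule a flow hits. Note also that traffic entering and leaving the same interface, as it does between two VPN peers here, is only forwarded when `same-security-traffic permit intra-interface` is configured; the NAT rule alone does not enable the hairpin.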
