
New Member

NAT Statement translation

Hi,

I am looking at the NAT statement below in our system, but I don't understand what it means or what the purpose of this statement is.

This NAT statement is on the VPN ASA, and I understand it to mean that for ANY source traffic on the OUTSIDE interface hitting the OUTSIDE interface towards destination NETWORK_OBJ_192.168.1.0_24, its source and destination will remain the same.

But what’s the purpose of this statement?

nat (Outside,Outside) source static any any destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup

nat (Outside,Outside) source static any any destination static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 no-proxy-arp route-lookup

Thanks

4 REPLIES
Super Bronze

Re: NAT Statement translation

Hi,

Though I wouldn't configure it in that way, it seems that this configuration is meant to enable traffic between 2 different VPN connections. It might be traffic from one L2L VPN to another or from VPN Client to L2L VPN.

It looks for any traffic coming from behind "OUTSIDE" towards the networks 192.168.1.0/24 and 192.168.2.0/24 that are also located behind interface "OUTSIDE" and says that no NAT should be performed for either the source or the destination. The same naturally applies in the reverse direction.

So networks 192.168.1.0/24 and 192.168.2.0/24 are probably some remote locations or VPN Pool networks on your ASA.

Hope this helps

- Jouni

New Member

NAT Statement translation

Thanks,

You are right that 192.168.1.0/24 and 192.168.2.0/24 are VPN pool networks associated to VPN clients.

As per your recommendation, how would you prefer to configure it?

Thanks

New Member

Re: NAT Statement translation

Is anyone able to reply to the above query? Thanks

Super Bronze

NAT Statement translation

Hi,

With regards to the NAT0 configuration for the traffic between the 2 VPN networks, I would configure it in the following way:

object network VPN-1
 subnet 192.168.1.0 255.255.255.0
object network VPN-2
 subnet 192.168.2.0 255.255.255.0

nat (OUTSIDE,OUTSIDE) source static VPN-1 VPN-1 destination static VPN-2 VPN-2

This should handle the NAT0 between these 2 VPN networks without resorting to 2 "nat" commands.

Of the 2 other configurations you mention next, the first one seems to be a normal Dynamic PAT configuration between LAN and WAN.

The second configuration seems a bit odd and I would have to guess that it's the result of an automatic NAT conversion perhaps? Have you updated the software on this ASA unit from older 8.2 (or older) software? It might be related to having the "nat-control" setting on the old software. I am however not 100% sure as I convert the configurations manually.

- Jouni
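
As an added example (not part of the original thread and not Cisco's or the poster's code), the following Python parses the twice-NAT statements quoted in the posts above and reports which are identity NAT, which hairpin on a single interface, and which use `any` so that the exemption is broader than the two VPN networks. The function names `classify` and `audit` are hypothetical; the sample lines are copied from the thread.

```python
import re

# Twice-NAT (manual NAT) line in ASA 8.3+ syntax, limited to the
# "source static ... destination static ..." form discussed in this thread.
NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"source static (?P<src_real>\S+) (?P<src_mapped>\S+) "
    r"destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+)"
    r"(?P<opts>(?: \S+)*)$"
)

def classify(line):
    """Return a dict describing one twice-NAT line, or None if it does not match."""
    m = NAT_RE.match(" ".join(line.split()))
    if not m:
        return None
    r = m.groupdict()
    identity = r["src_real"] == r["src_mapped"] and r["dst_mapped"] == r["dst_real"]
    hairpin = r["real_if"].lower() == r["mapped_if"].lower()
    findings = []
    if identity:
        findings.append("identity NAT (NAT exemption): addresses are not rewritten")
    if hairpin:
        findings.append("hairpin: traffic enters and leaves the same interface")
    if identity and "any" in (r["src_real"], r["dst_real"]):
        findings.append("broad: one side is 'any', exemption not limited to known networks")
    return {"interfaces": (r["real_if"], r["mapped_if"]),
            "source": r["src_real"], "destination": r["dst_real"],
            "options": r["opts"].split(), "findings": findings}

def audit(config_text):
    """Classify every line of a config; lines that are not twice-NAT are skipped."""
    results = []
    for line in config_text.splitlines():
        info = classify(line)
        if info:
            results.append(info)
    return results

# Statements quoted in the thread (first from the question, second from the answer).
SAMPLE = """\
nat (Outside,Outside) source static any any destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup
nat (OUTSIDE,OUTSIDE) source static VPN-1 VPN-1 destination static VPN-2 VPN-2
"""

if __name__ == "__main__":
    for item in audit(SAMPLE):
        print(item["source"], "->", item["destination"], item["findings"])
```

A hairpin finding also means the ASA needs `same-security-traffic permit intra-interface` for that traffic to pass at all.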
