NAT through vpn tunnel

Hi all

If I want to NAT to a pool via a vpn tunnel on my ASA, is this OK?

I have done a nat from the original source addresses, destination original

then translates to source pool of addresses, destination original

Do I base my VPN tunnel phase 2 networks on the NATed address?

cheers

Carl

Re: NAT through vpn tunnel

Hi,

If your Internet connection and VPN use the same interface on the ASA (which they usually do) then you should configure a Dynamic Policy NAT. You will have to specify the destination networks as the remote L2L VPN networks.

The reason for this is simply that you might otherwise cause this translation to apply to your users' Internet traffic and therefore potentially NAT them to a private NAT pool and prevent Internet connectivity.

And yes, you will use your NATed source address as the source for the L2L VPN interesting traffic in the Crypto ACL.

I am not sure what software you are using but the basic configuration format (that can differ depending on your current NAT configuration) could be

Software 8.2 (and older)

! Pool used for the dynamic NAT, plus a single PAT address with the same ID as overflow
global (outside) 200 1.1.1.1-1.1.1.253
global (outside) 200 1.1.1.254
! Policy NAT ACL: source = real LAN, destination = remote L2L networks
! (the networks are taken from the 8.3 example below; adjust to your own)
access-list POLICY-NAT extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
! Only traffic matching POLICY-NAT is translated to global ID 200
nat (inside) 200 access-list POLICY-NAT

Software 8.3 (and above)

! Translated pool and a single PAT address used when the pool is exhausted
object network NAT-POOL
 range 1.1.1.1 1.1.1.253
object network PAT-ADDRESS
 host 1.1.1.254
object-group network DYNAMIC-NAT-PAT
 network-object object NAT-POOL
 network-object object PAT-ADDRESS
! Real source networks behind the ASA
object-group network SOURCE-NETWORKS
 network-object 10.10.10.0 255.255.255.0
! Remote L2L VPN networks; the translation applies only to traffic headed here
object-group network DESTINATION-NETWORKS
 network-object 192.168.10.0 255.255.255.0
! Manual NAT: source is translated dynamically to the pool (then PAT), destination is left unchanged;
! after-auto places the rule in section 3, i.e. after any object (auto) NAT rules
nat (inside,outside) after-auto 1 source dynamic SOURCE-NETWORKS DYNAMIC-NAT-PAT destination static DESTINATION-NETWORKS DESTINATION-NETWORKS

The above configurations are just rough examples of what the Dynamic NAT (+ PAT Overload) might look like on the ASA depending on the software

The PAT address is added here just in case the pool is smaller than the source networks' address space. Otherwise the NAT pool might run out and connections could start failing.

Both configurations should be modified according to current configurations so that they are applied correctly.

- Jouni
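As an added worked example (not part of Jouni's reply or of the original thread), the following ties the policy NAT to the crypto ACL on a single outside interface, so the phase 2 selectors carry the translated pool rather than the real LAN, and ordinary Internet traffic is left on its normal PAT. The networks 10.10.10.0/24 and 192.168.10.0/24 and the 1.1.1.x pool are the ones used in the reply above; the peer address 203.0.113.1, the object, ACL and crypto map names, and the IKEv2 parameters are assumptions chosen for this example (8.4+ syntax).

```text
! --- Objects: real LAN, remote VPN LAN, translated pool + PAT fallback ---
object network LOCAL-LAN
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.10.0 255.255.255.0
object network NAT-POOL
 range 1.1.1.1 1.1.1.253
object network PAT-ADDRESS
 host 1.1.1.254
object-group network DYNAMIC-NAT-PAT
 network-object object NAT-POOL
 network-object object PAT-ADDRESS
! The crypto ACL needs the pool as one prefix; 1.1.1.0/24 covers the range and the PAT host
object network NAT-POOL-SUBNET
 subnet 1.1.1.0 255.255.255.0
!
! --- NAT ---
! Manual (section 1) rule at line 1: only traffic for REMOTE-LAN is translated to the pool,
! and it is evaluated before any object NAT used for ordinary Internet access.
nat (inside,outside) 1 source dynamic LOCAL-LAN DYNAMIC-NAT-PAT destination static REMOTE-LAN REMOTE-LAN
! Everything else from LOCAL-LAN keeps its usual Internet PAT (object NAT, section 2)
object network LOCAL-LAN
 nat (inside,outside) dynamic interface
!
! --- Crypto ACL: phase 2 selectors use the translated addresses, not 10.10.10.0/24 ---
access-list VPN-TRAFFIC extended permit ip object NAT-POOL-SUBNET object REMOTE-LAN
! The peer must mirror this (192.168.10.0/24 -> 1.1.1.0/24) and route 1.1.1.0/24 into the tunnel.
!
! --- IKEv2 / IPsec (parameters are example choices, not from the thread) ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key <shared-secret>
 ikev2 remote-authentication pre-shared-key <shared-secret>
!
! --- Verification (from enable mode) ---
! VPN-bound flow: the NAT phase should pick the section 1 rule and the packet should
! be encrypted towards 203.0.113.1:
!   packet-tracer input inside tcp 10.10.10.5 1025 192.168.10.5 80
! Internet-bound flow: must NOT be translated to the 1.1.1.x pool:
!   packet-tracer input inside tcp 10.10.10.5 1025 198.51.100.10 443
! Live translations, and the negotiated selectors (local ident should be 1.1.1.0/24):
!   show xlate
!   show crypto ipsec sa peer 203.0.113.1
```

Two points worth checking before relying on this. First, rule order: a manual NAT rule placed with `after-auto` lands in section 3 and loses to any object NAT rule (such as the interface PAT above) for the same source, which is why the example pins the VPN rule to section 1 line 1; compare the `packet-tracer` output for the two destinations to confirm which rule each flow hits. Second, the 1.1.1.x addresses are carried over from the reply for continuity; in practice the pool should be space you control or an unused private range agreed with the peer, since the remote side will route it into the tunnel.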
