No NAT over MPLS

burleyman
Level 8

I have an MPLS network in the private IP address space 172.16.1.X.

One interface connects to a FatPipe appliance and has an IP address of 172.16.1.10 /30 and a gateway of 172.16.1.9; the other side of the MPLS connects to a FatPipe appliance and has an IP address of 172.16.1.14 /30 and a gateway of 172.16.1.13. The FatPipe appliance on each end connects to the outside interface of an ASA5510 running asa8.44-1-k8.bin.

Side “R”

FatPipe MPLS interface IP Address: 172.16.1.10 /30

FatPipe LAN interface IP address: 2rr.rr.2rr.193 /29

ASA outside interface IP address: 2rr.rr.2rr.194 /29

ASA inside interface IP address: 10.2.3.254 /24

Inside device: 10.2.2.15

Side “E”

FatPipe MPLS interface IP Address: 172.16.1.14 /30

FatPipe LAN interface IP address: 9e.eee.2ee.12 /29

ASA outside interface IP address: 9e.eee.2ee.13 /29

ASA inside interface IP address: 10.3.3.254 /24

Inside device: 10.3.2.15

What I would like to do is set up communication between the two devices and NOT NAT them. Is this possible, and how?

3 Replies

burleyman
Level 8

This is what I was thinking I would do.

Side "R"

access-list inside_nat0_outbound extended permit ip 10.3.2.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

Side "E"

access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 10.3.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

Hi,

I am not sure I understood the setup.

Are you saying that the WAN interfaces of the 2 ASAs at different locations are connected to an ISP device which both provides external connectivity and the connection between the 2 sites with the ASAs?

Also, are you saying that both ASA firewalls are running the software 8.4(4)1? If so, then this would mean that the old NAT0 format you mention above would not be supported, as the new NAT format was introduced starting in 8.3.

Typically you would not need to configure any NAT in the new software if you don't want to perform NAT. But in your case I understood that both the outbound Internet traffic and the traffic towards the other site through an MPLS connection use the same external interface. This would most likely mean that you have a Dynamic PAT configuration that would match all traffic outbound from your "inside" network towards "outside", and therefore you would need NAT0 as you are attempting to do.

The typical NAT0 configuration format if you are using an 8.3+ software level would be:

Side R

object network LAN
 subnet 10.3.2.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.2.2.0 255.255.255.0

nat (inside,outside) 1 source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

Side E

object network LAN
 subnet 10.2.2.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.3.2.0 255.255.255.0

nat (inside,outside) 1 source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

The above configurations would be placed at the top of the NAT configuration and would essentially ensure that the traffic between the specified networks is sent with the original IP addresses. This is because we define the real and mapped address/network with the same "object" and therefore don't do any NAT.

I would check what the actual network on Side E is, since you mention in one place that it would be 10.2.3.0/24 and in the above configuration 10.2.2.0/24.

Naturally, before any configuration I would have to confirm that I understood the setup correctly and that both ASAs are running the newer software.

Hope this helps

- Jouni
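The ordering point in the answer above (the identity rule placed at the top of the NAT table, ahead of the dynamic PAT rule that matches all outbound inside traffic), as an added Python model that is not part of this thread and is not ASA code: NatRule, apply_nat and the 198.51.100.194 stand-in for site R's obfuscated outside address are constructed for illustration, and site R's inside network is assumed to be 10.2.2.0/24 with site E's 10.3.2.0/24, as in the question's inside-device addresses.

```python
# Added example (not from the thread): a small model of ASA 8.3+ manual NAT evaluation.
# Rules are evaluated top-down and the first match wins, so an identity (NAT0) rule
# has to sit above the dynamic PAT rule that covers "any" destination.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-in for the thread's obfuscated site R outside address (2rr.rr.2rr.194).
SITE_R_OUTSIDE_IP = "198.51.100.194"


@dataclass(frozen=True)
class NatRule:
    name: str
    real_src: str               # real source network the rule matches
    real_dst: Optional[str]     # real destination network, None = any destination
    mapped_src: Optional[str]   # None = identity (source kept), else the PAT address


def apply_nat(rules, src_ip: str, dst_ip: str):
    """Return (rule name, translated source) for the first rule matching src/dst."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if src not in ip_network(rule.real_src):
            continue
        if rule.real_dst is not None and dst not in ip_network(rule.real_dst):
            continue
        return rule.name, (src_ip if rule.mapped_src is None else rule.mapped_src)
    return "no-match", src_ip   # no rule at all: the packet leaves untranslated


# Model of "nat (inside,outside) 1 source static LAN LAN destination static REMOTE-LAN REMOTE-LAN"
# on site R, assuming site R inside = 10.2.2.0/24 and site E inside = 10.3.2.0/24.
IDENTITY_TO_SITE_E = NatRule("nat0-to-site-E", "10.2.2.0/24", "10.3.2.0/24", None)
# Model of a dynamic PAT rule for every inside host leaving via the outside interface.
DYNAMIC_PAT = NatRule("dynamic-PAT", "10.2.2.0/24", None, SITE_R_OUTSIDE_IP)

CORRECT_ORDER = [IDENTITY_TO_SITE_E, DYNAMIC_PAT]   # identity rule on top
WRONG_ORDER = [DYNAMIC_PAT, IDENTITY_TO_SITE_E]     # identity rule shadowed by the PAT


def site_to_site(rules):
    return apply_nat(rules, "10.2.2.15", "10.3.2.15")   # the two inside devices


def internet_bound(rules):
    return apply_nat(rules, "10.2.2.15", "203.0.113.5")  # constructed Internet destination


if __name__ == "__main__":
    for label, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        print(label, "site-to-site:", site_to_site(rules), "internet:", internet_bound(rules))
```

With the identity rule first, the site-to-site packet keeps 10.2.2.15 while Internet-bound traffic is still PATed; with the rules swapped, the site-to-site packet is PATed to the outside address, which is exactly the symptom the NAT0 rule is meant to prevent.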

Thanks for the reply.

Yes, they are running the 8.4... forgot about the NAT change.

The MPLS only provides the site R to site E connection; there is another circuit that provides the internet connection.

I will check out your config and let you know...

Thanks again.
