Policy NAT for AH/ESP and tcp

geraghtyconor
Level 1

Hello all,

is it possible to policy NAT for AH/ESP and tcp on the same single IP address (two different protocol types)?

Objective = pass an IPSEC VPN through (not terminate) an ASA 5500 and share that public with another circuit.

i.e.

static (inside,outside) tcp 1.2.3.4 25 172.20.1.1 8080 netmask 255.255.255.255

!NAT anything arriving on my public 1.2.3.4 with dst port 25 to 172.20.1.1 port 8080 inside my LAN

!

static (inside,outside) AH 1.2.3.4  172.20.1.2 AH netmask 255.255.255.255

static (inside,outside) ESP 1.2.3.4  172.20.1.2 ESP netmask 255.255.255.255

static (inside,outside) udp 1.2.3.4  500 172.20.1.2 500 netmask 255.255.255.255

static (inside,outside) udp 1.2.3.4 4500 172.20.1.2 4500 netmask 255.255.255.255

!Pass an IPSEC tunnel through firewall to termination point 172.20.1.2 = 1.2.3.4 can be used for two circuits.

Thank you in advance.


7 Replies

geraghtyconor
Level 1

I.e. I want to use one of my Public facing IP addresses to accept two circuits for static NAT

1: To NAT an IPSEC circuit to an IPSEC termination device on my private LAN (AH, ESP, udp 500 and udp 4500)

2: To NAT a tcp circuit to a different device on my private network.

Or;

Can the ASA 5500 policy NAT the above on one IP address on my outside interface to two inside devices (tcp traffic to device A and IPSEC traffic to device B) ???

I suggest you use access-list based policy NAT to achieve your first query. Please clarify if your requirement is something else.

I want to use 1 public IP address NATTed to 2 internal private IP addresses.

1: NAT an IPSEC circuit terminating on 172.20.1.2 that appears as 1.2.3.4 on the Internet

2: NAT a tcp circuit to 172.20.1.1 8080 for traffic arriving on 1.2.3.4 on port 25.

!Like this??

access-list policyNAT-share extended permit AH host 172.20.1.2 host 1.2.3.4

access-list policyNAT-share extended permit ESP host 172.20.1.2 host 1.2.3.4

access-list policyNAT-share extended permit UDP host 172.20.1.2 eq 500  host 1.2.3.4 eq 500

access-list policyNAT-share extended permit UDP host 172.20.1.2 eq 4500 host 1.2.3.4 eq 4500

!And the other circuit

access-list policyNAT-share extended permit tcp host 172.20.1.1 eq 8080 host 1.2.3.4 eq 25

!

static (inside,outside) 1.2.3.4 access-list policyNAT-share
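The split the thread is after (one public address fronting two inside hosts, selected by protocol and port) can be modelled on the ACL lines quoted above. The following Python is an added example, not code from the thread or from Cisco: it parses the ACEs exactly as posted, treats each one as a selector from (protocol, public port) on the mapped side to (inside host, inside port) on the real side, and shows which inside host an inbound packet to 1.2.3.4 would be sent to, with anything unselected returned as untranslated. The sample packets are constructed. This reproduces the intent, not the ASA's full policy NAT matching (on the ASA the ACE destination is matched against the remote peer, not the mapped address), so the result on a real box should be confirmed with `packet-tracer` and `show xlate`.

```python
"""Model of the protocol/port split behind an ACL-based policy NAT.

Added example; not the thread's configuration or Cisco code. The ACL
text is the one posted in the thread, the packets are constructed.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# ACL lines exactly as posted in the thread.
POLICY_NAT_ACL = """
access-list policyNAT-share extended permit AH host 172.20.1.2 host 1.2.3.4
access-list policyNAT-share extended permit ESP host 172.20.1.2 host 1.2.3.4
access-list policyNAT-share extended permit UDP host 172.20.1.2 eq 500  host 1.2.3.4 eq 500
access-list policyNAT-share extended permit UDP host 172.20.1.2 eq 4500 host 1.2.3.4 eq 4500
access-list policyNAT-share extended permit tcp host 172.20.1.1 eq 8080 host 1.2.3.4 eq 25
"""

MAPPED_IP = "1.2.3.4"               # the one shared public address in the thread
NO_PORT_PROTOCOLS = {"ah", "esp"}   # IP protocols that carry no port numbers


class Ace(NamedTuple):
    proto: str
    real_ip: str
    real_port: Optional[int]
    mapped_ip: str
    mapped_port: Optional[int]


class Packet(NamedTuple):
    proto: str
    dst_ip: str
    dst_port: Optional[int]


# Only the "host X [eq p] host Y [eq p]" form used in the thread is parsed.
ACE_RE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+permit\s+(\S+)"
    r"\s+host\s+(\S+)(?:\s+eq\s+(\d+))?"
    r"\s+host\s+(\S+)(?:\s+eq\s+(\d+))?\s*$"
)


def parse_acl(text: str, name: str) -> List[Ace]:
    """Parse the ACEs of one named ACL; reject anything outside the supported form."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != name:
            raise ValueError("unsupported or foreign ACE: " + line)
        _, proto, rip, rport, mip, mport = m.groups()
        proto = proto.lower()
        if proto in NO_PORT_PROTOCOLS and (rport or mport):
            raise ValueError("port given for a portless protocol: " + line)
        aces.append(Ace(proto, rip, int(rport) if rport else None,
                        mip, int(mport) if mport else None))
    return aces


def translate_inbound(aces: List[Ace], pkt: Packet) -> Optional[Tuple[str, Optional[int]]]:
    """Return (inside_ip, inside_port) for an inbound packet to the mapped
    address, or None when no ACE selects it (the packet stays untranslated
    and, absent any other rule, is dropped at the outside interface)."""
    for ace in aces:
        if ace.proto != pkt.proto or ace.mapped_ip != pkt.dst_ip:
            continue
        if ace.proto in NO_PORT_PROTOCOLS or ace.mapped_port == pkt.dst_port:
            return (ace.real_ip, ace.real_port)
    return None


def check_no_overlap(aces: List[Ace]) -> List[Tuple[str, str, Optional[int]]]:
    """Report (proto, mapped_ip, mapped_port) selectors claimed by more than
    one inside host. For portless protocols such as ESP only one inside host
    can own the public address; a second claimant would silently lose to the
    first match."""
    seen = {}
    clashes = []
    for ace in aces:
        key = (ace.proto, ace.mapped_ip, ace.mapped_port)
        if key in seen and seen[key] != ace.real_ip:
            clashes.append(key)
        seen.setdefault(key, ace.real_ip)
    return clashes


if __name__ == "__main__":
    acl = parse_acl(POLICY_NAT_ACL, "policyNAT-share")
    # Constructed inbound packets arriving on the outside interface.
    for pkt in (Packet("tcp", MAPPED_IP, 25), Packet("esp", MAPPED_IP, None),
                Packet("udp", MAPPED_IP, 4500), Packet("tcp", MAPPED_IP, 443)):
        print(pkt, "->", translate_inbound(acl, pkt))
    print("overlapping selectors:", check_no_overlap(acl))
```

The overlap check is the part worth keeping around: AH and ESP have no port numbers, so a shared public address can carry exactly one IPsec termination behind it, and a second ESP ACE for a different inside host would never be reached.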

Hi ,

Yes, you can have the ACL like that; I suggest you go for PAT.

nat (inside) 1 access-list policyNAT-share

global (outside) 1 1.2.3.4

so all the traffic that matches the ACL rule will get translated accordingly.

Like the above, and it should work then. Please try that and let me know if it works or not.

Please do rating if the given info helps you.

By

Karthik

!I have used global (outside) 1 and 2 already. This is what I was thinking.

!

access-list policyNAT-share extended permit AH host 172.20.1.2 host 1.2.3.4

access-list policyNAT-share extended permit ESP host 172.20.1.2 host 1.2.3.4

access-list policyNAT-share extended permit UDP host 172.20.1.2 eq 500  host 1.2.3.4 eq 500

access-list policyNAT-share extended permit UDP host 172.20.1.2 eq 4500 host 1.2.3.4 eq 4500

!And the other circuit

access-list policyNAT-share extended permit tcp host 172.20.1.1 eq 8080 host 1.2.3.4 eq 25

!

nat (inside) 3 access-list policyNAT-share

!

global (outside) 3 1.2.3.4 netmask 255.255.255.255

!

!??????

Yes... you can use any number, subject to your present configuration.

Please do rating if the given info helps.

By

Karthik

Thanks, Gera, for your rating. Assuming that works for you.

Regards

Karthik
