07-16-2012 03:19 AM - edited 03-11-2019 04:31 PM
Hello all,
Is it possible to policy-NAT AH/ESP and TCP on the same single IP address (two different protocol types)?
Objective = pass an IPsec VPN through (not terminate on) an ASA 5500 and share that public IP with another circuit.
i.e.
static (inside,outside) tcp 1.2.3.4 25 172.20.1.1 8080 netmask 255.255.255.255
!NAT anything arriving on my public 1.2.3.4 with dst port 25 to 172.20.1.1 port 8080 inside my LAN
!
static (inside,outside) AH 1.2.3.4 172.20.1.2 AH netmask 255.255.255.255
static (inside,outside) ESP 1.2.3.4 172.20.1.2 ESP netmask 255.255.255.255
static (inside,outside) udp 1.2.3.4 500 172.20.1.2 500 netmask 255.255.255.255
static (inside,outside) udp 1.2.3.4 4500 172.20.1.2 4500 netmask 255.255.255.255
!Pass an IPsec tunnel through the firewall to termination point 172.20.1.2, so 1.2.3.4 can be used for two circuits.
Thank you in advance.
07-16-2012 07:57 AM
I.e. I want to use one of my public-facing IP addresses to accept two circuits for static NAT:
1: To NAT an IPsec circuit to an IPsec termination device on my private LAN (AH, ESP, udp 500 and udp 4500).
2: To NAT a tcp circuit to a different device on my private network.
Or:
Can the ASA 5500 policy-NAT the above on one IP address on my outside interface to two inside devices (tcp traffic to device A and IPsec traffic to device B)?
07-16-2012 09:08 AM
I suggest you use access-list-based policy NAT to achieve your first query. Please clarify if your requirement is something else.
07-17-2012 12:18 AM
I want to use 1 public IP address NATed to 2 internal private IP addresses.
1: NAT an IPsec circuit terminating on 172.20.1.2 that appears as 1.2.3.4 on the Internet.
2: NAT a tcp circuit to 172.20.1.1 port 8080 for traffic arriving on 1.2.3.4 on port 25.
!Like this?
access-list policyNAT-share extended permit AH host 172.20.1.2 host 1.2.3.4
access-list policyNAT-share extended permit ESP host 172.20.1.2 host 1.2.3.4
access-list policyNAT-share extended permit UDP host 172.20.1.2 eq 500 host 1.2.3.4 eq 500
access-list policyNAT-share extended permit UDP host 172.20.1.2 eq 4500 host 1.2.3.4 eq 4500
!And the other circuit
access-list policyNAT-share extended permit tcp host 172.20.1.1 eq 8080 host 1.2.3.4 eq 25
!
static (inside,outside) 1.2.3.4 access-list policyNAT-share
07-17-2012 12:48 AM
Hi,
Yes, you can have the ACL like that; I suggest you go for PAT.
nat (inside) 1 access-list policyNAT-share
global (outside) 1 1.2.3.4
So all the traffic that matches the ACL rule will get translated accordingly, like the above, and it should work then. Please try that and let me know if it works or not.
Please rate if the given info helps you.
By
Karthik
07-17-2012 03:12 AM
!I have used global (outside) 1 and 2 already. This is what I was thinking.
!
access-list policyNAT-share extended permit AH host 172.20.1.2 host 1.2.3.4
access-list policyNAT-share extended permit ESP host 172.20.1.2 host 1.2.3.4
access-list policyNAT-share extended permit UDP host 172.20.1.2 eq 500 host 1.2.3.4 eq 500
access-list policyNAT-share extended permit UDP host 172.20.1.2 eq 4500 host 1.2.3.4 eq 4500
!And the other circuit
access-list policyNAT-share extended permit tcp host 172.20.1.1 eq 8080 host 1.2.3.4 eq 25
!
nat (inside) 3 access-list policyNAT-share
!
global (outside) 3 1.2.3.4 netmask 255.255.255.255
!
!??????
07-17-2012 04:11 AM
Yes... you can use any number, subject to your present configuration.
Please rate if the given info helps.
By
Karthik
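As an added worked example (an editor's addition, not a configuration posted in the thread or verified on this poster's ASA), here is how the two circuits would be laid out with pre-8.3 (ASA 8.2-style) static policy NAT instead of the nat/global pair above. The nat/global form is dynamic NAT/PAT: it builds translations only for connections initiated from the inside, so a remote IPsec peer could not initiate IKE to 1.2.3.4; inbound-initiated traffic needs a static. Two points a practitioner should check on the box before relying on this: AH authenticates the outer IP header including the source address, so it cannot survive any address translation and is commented out here (ESP, ideally NAT-T on UDP 4500, is what can pass); and whether a given release accepts a port-level static and a policy static sharing the same mapped address is an assumption to verify with the commands at the end (the `static` command reports a mapped-address conflict if it does not). The remote peer 203.0.113.10 and the ACL names policyNAT-ipsec and outside_in are invented for the example.

```cisco
! --- Circuit 2: TCP port redirect, public 1.2.3.4:25 -> 172.20.1.1:8080 ---
static (inside,outside) tcp 1.2.3.4 25 172.20.1.1 8080 netmask 255.255.255.255
!
! --- Circuit 1: IPsec passthrough to 172.20.1.2, appearing as 1.2.3.4 ---
! Policy NAT ACL: the real (inside) source is on the left and the real remote
! destination on the right. The mapped address belongs in the static, not in
! the ACL. Match by protocol only; every UDP/ESP flow from the IPsec gateway
! is mapped to 1.2.3.4 (assumed acceptable for a dedicated VPN endpoint).
access-list policyNAT-ipsec extended permit esp host 172.20.1.2 any
access-list policyNAT-ipsec extended permit udp host 172.20.1.2 any
! AH (protocol 51) covers the outer IP header, so its ICV fails once
! 172.20.1.2 is rewritten to 1.2.3.4; it is listed in the thread but will not
! pass. Use ESP (protocol 50), with NAT-T where the peer supports it.
! access-list policyNAT-ipsec extended permit ah host 172.20.1.2 any
static (inside,outside) 1.2.3.4 access-list policyNAT-ipsec
!
! --- Inbound interface ACL (pre-8.3: reference the mapped address) ---
! Permit only the two services; everything else to 1.2.3.4 stays denied.
! 203.0.113.10 is the assumed remote IPsec peer; pin IKE/ESP to it rather
! than "any" so the passthrough cannot be probed from arbitrary sources.
access-list outside_in extended permit tcp any host 1.2.3.4 eq 25
access-list outside_in extended permit udp host 203.0.113.10 host 1.2.3.4 eq 500
access-list outside_in extended permit udp host 203.0.113.10 host 1.2.3.4 eq 4500
access-list outside_in extended permit esp host 203.0.113.10 host 1.2.3.4
access-group outside_in in interface outside
!
! --- Verification (privileged EXEC) ---
! NAT rules actually installed and the current translation table:
show nat
show xlate
! Simulate the remote peer initiating IKE, NAT-T and ESP, and an SMTP client;
! each trace should end ALLOW, with the NAT phase showing 1.2.3.4 mapped to
! 172.20.1.2 for the first three and to 172.20.1.1/8080 for the last.
packet-tracer input outside udp 203.0.113.10 500 1.2.3.4 500
packet-tracer input outside udp 203.0.113.10 4500 1.2.3.4 4500
packet-tracer input outside rawip 203.0.113.10 50 1.2.3.4
packet-tracer input outside tcp 203.0.113.10 40000 1.2.3.4 25
```

If the second `static` is rejected with a mapped-address conflict, the fallback is to give the IPsec endpoint its own public address; a single mapped IP can be shared between a port-redirected TCP service and an IP-level passthrough only where the platform permits overlapping statics.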
07-19-2012 08:21 PM
Thanks, Gera, for your rating; I assume that works for you.
Regards
Karthik