Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Single address NAT from VPN

Hi All,

I have a scenario I have been trying to work out how to do and just cannot work out. I am sure someone on here with a lot more experience then me will answer this very easily.

We have an ASA5510 running version 8.25. This is in our central office in London. The London network has an ip address range of 10.110.128.0/22. Connected to this via a site-to-site VPN we have a satellite office that has an IP address range of 172.16.148.0/22.

We have now connected to our parent company via another site-to-site VPN connected to the same ASA5510. Their network has an internal range of 10.110.18.0/24. It was our parent company that issued us with our range of addresses a long while ago so that it all fits in with the rest of the company.

We have resources (web servers) on their network that we use which work just as it all should. We now want to allow our satellite office to view those same web servers. The problem is that only 10.110 addresses can flow to our parent company.

I have configured the firewall at our central office and our satellite office to route across to our parent company via our network network and the packets are flowing just fine except that obviously once they reach our firewall they cannot go to our parent company because the 172.16.148 range cannot be routed there.

My idea is to NAT traffic from our satellite office to one of our local addresses before it goes over to our parent company network.

For example: If someone in our satellite office with an IP address of 172.16.150.5 attempts to request a resource from 10.110.18.12 then the request would go via the VPN to our firewall and then get NATed to 10.110.131.200 before being passed on to our parent company network.

My question is what would the NAT configuration be to achieve this. I just cannot work out what type of NAT I would need or how to construct the command. It's probably PAT as it will be multiple addresses to a single address. Essentialy, all traffic from 172.16.148.0/22 destined for 10.110.18.0/24 should get NATed at our firewall to 10.110.131.200 before being passed on.

Just to add, we already have this working from our Cisco 3000 Concentrator which is now going to be phased out hence trying to get this to work on our ASA. The satellite office has now been moved to the ASA and as of today our parent company has been moved to the ASA.

Many thanks in advance.

Steve

4 REPLIES

Single address NAT from VPN

Hello Lang,

The nat for that would be like this:

nat (outside) 11 172.16.148.0  255.255.252.0 outside

global (inside) 11 10.110.131.200

So all users on the outside from the subnet 172.16.148.0 /22 will be natted to the inside to 10.110.131.200

Hope this helps ( Do not forget the keyword outside on the nat (outside)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Single address NAT from VPN

Many thanks for that but I have a question.

Will that only NAT if the request is destined for the 10.110.18.0 subnet. There are actually other VPNs connected to the firewall where it needs to keep it's original IP address of 172.16.148.0. The only time it should NAT is if it is going on to the 10.110.18.0 subnet.

Super Bronze

Re: Single address NAT from VPN

Hi,

Then you should do a Policy NAT from outside to inside specifying the traffic with access-list

In this case using the above example the configuration would look something like this

access-list VPN-POLICY-NAT permit ip 172.16.148.0 255.255.252.0 10.110.18.0 255.255.255.0

global (inside) 11 10.110.131.200

nat (outside) 11 access-list VPN-POLICY-NAT

The above configurations access-list tells the ASA to apply the NAT of ID 11 only when traffic is coming from outside interface from network 172.16.148.0/22 to inside network 10.110.18.0/24.

To my knowledge the only thing that could override this configuration would be a NAT0/NAT Exempt configuration if it is somehow overlapping the above networks.

Please feel free to correct me but the above NAT configuration seemed to me what you were looking for

- Jouni

New Member

Re: Single address NAT from VPN

Many thanks for all your help. The commands that worked in the end were:

access-list VPN-POLICY-NAT permit ip 172.16.148.0 255.255.252.0 10.110.18.0 255.255.255.0

global (outside) 11 10.110.131.200 netmask 255.255.255.255

nat (outside) 11 access-list VPN-POLICY-NAT

So very similar except it was (outside) instead of (inside) on the global command. I couldn't have worked it out without the help from you guys.

Best Regards

Steve

326
Views
0
Helpful
4
Replies
CreatePlease to create content