08-20-2010 07:57 PM - edited 03-11-2019 11:28 AM
Hi Everyone,
Currently there are about 120 hosts (10.10.20.0 subnet) on our side that are NATed on the outside interface of the firewall. I have created a VPN tunnel that allows 10.10.20.0 and 10.10.30.0 to go through the VPN tunnel by NATing them via the vpn interface of the firewall. But those particular hosts do not go through the VPN tunnel, since NAT is allowed through the outside interface.
Can I allow the entire 10.10.20.0 and 10.10.30.0 to be statically NATed via one single IP towards the tunnel? I realize that static NAT is given priority over normal NAT. I tested with one static NAT, 10.10.20.10 --> 192.168.10.50 --> vpn tunnel, and it works in spite of 10.10.20.10 also being NATed on the outside interface. Now it is going out the VPN tunnel as well as outside, since I have assigned policy NAT on the static NAT to go towards the VPN tunnel. But I can't do this for all 120 hosts. It is not practical.
Can I do this?
(20.20.20.0) is the remote lan public address
access-list site_to_site_vpn extended permit ip 10.10.20.0 255.255.255.0 20.20.20.0 255.255.255.0
static (inside,vpn) 192.168.3.50 access-list site_to_site_vpn
Thanks in advance
08-20-2010 08:34 PM
Hi,
I assume your topology is something like this:
outside
/
/
10.10.20.0/24---------ASA
\
\
vpn
So you already have a
nat (inside) 1 10.10.20.0 255.255.255.0
global (outside) 1 interface
Now you would like to policy NAT this 10.10.20.0/24 subnet for the VPN to be NATed to 192.168.3.50 on the vpn interface. If this is what you need then you would need to create a DYNAMIC PAT. The STATIC PAT that you have configured will not work because in the ACL you have specified the source as an entire SUBNET but the translated IP is just one IP address and not a subnet.
Also, you would need a route for the remote VPN subnet 20.20.20.0/24 pointing out the vpn interface.
For information on DYNAMIC PAT, please refer to the document below:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_dynamic.html#wp1083287
You will have to specify this ACL site_to_site_vpn on the nat command and a global for the vpn interface. Let me know if it works.
Regards,
Prapanch
08-20-2010 08:41 PM
That was the first method I tried, using dynamic PAT with policy NAT. But they were not able to ping the tunnel's remote LAN. When I did a static NAT for one of those IPs via the tunnel with policy NAT, it worked.
Thanks
08-20-2010 08:45 PM
There is another policy NAT via dynamic PAT going to the outside interface, so another policy NAT will not do the trick.
08-20-2010 09:39 PM
Can you run a packet-tracer with the dynamic policy NAT configured? And paste the output here?
Regards,
Prapanch
08-21-2010 12:17 AM
Hello,
If I understand your topology correctly, you have two separate interfaces,
one for VPN and one for outside internet access (please correct me if I am
incorrect). You would like all your internal clients to access the remote
LAN using a different IP. Could you please check the following:
-- Make sure that the firewall has a route statement that points remote
subnets to the VPN interface
route vpn 20.20.20.0 255.255.255.0 <next-hop>
-- Make sure that you have a proper NAT statement for the communication
between inside and remote subnet
access-list pnat permit ip 10.10.20.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list pnat permit ip 10.10.30.0 255.255.255.0 20.20.20.0 255.255.255.0
global (vpn) 10 192.168.3.50
nat (inside) 10 access-list pnat
-- Make sure that you have configured your cryptomaps correctly to include
the mapped address (192.168.3.50) on both sides
Once the above steps are verified (on both ends), you should be able to
communicate between the inside clients and the remote subnet without any
issues.
Regards,
NT
08-21-2010 03:54 AM
Hello Nagaraja,
Sorry for not being able to reply quickly. I think what you are asking me to do is another policy NAT with a global. Well, that will not work, as I tried it before. To give you an understanding of the topology:
Internet
|
|
ASA Firewall --------- VPN Router ------- internet
There is a NAT on the outside interface pointing to the Internet on the FW for 120 hosts in that subnet. That is done using policy NAT as you mentioned. That is working perfectly. Now the customer wants to NAT those 120 hosts through another interface, which is via the vpn interface towards the VPN router. Here I can't use policy NAT again, since it won't work.
So what I came up with is using NAT exemption on that interface for that subnet... What do you reckon? I tested static NAT with subnets and it won't accept it.
Thanks
08-21-2010 07:33 AM
My doubt is why the static policy NAT is working but not the dynamic policy NAT. As Nagaraja said, if you have the route for the remote LAN subnet pointing out through the vpn interface, then both should work. This is the reason I wanted you to run a packet-tracer with dynamic policy NAT configured, so we can see where exactly the packets are getting routed (outside or vpn interface).
Again, just to clarify one thing. If we use a dynamic policy NAT, traffic can be initiated only from your LAN (10.10.20.0) to the remote LAN (20.20.20.0).
Regards,
Prapanch
08-21-2010 08:21 AM
Hello,
So, the VPN is getting terminated on a different device (VPN router). Is
that correct? If the VPN traffic is leaving on a different interface, then
you should be able to apply the Dynamic NAT without any issue as the NAT
rules are applied after determining the exit interface not globally. If you
were not able to PING from your local subnet to remote, based on your
settings, I am assuming that you did not have "inspect icmp" enabled under
the policy map. Can you please give it a try again (dynamic policy) with
ICMP inspection enabled?
Regards,
NT
08-21-2010 04:24 PM
Hello,
inspect icmp is configured on the firewall. If the same traffic goes out two interfaces, won't it look at the priority settings? Static NAT is given more priority than regular NAT or policy NAT. So when I configured static NAT it worked, because it has higher priority. Unfortunately I can't use static NAT, since I would have to allow the 120 hosts individually, and it won't accept subnets as the source.
NAT exemption is given higher priority than anything else.
The NAT policy going out is 10.10.20.0 --> any --> interface outside (policy NAT).
The NAT policy on the vpn is 10.10.20.0 --> 20.20.20.0 --> interface vpn (policy NAT); it doesn't work only for those 120 hosts, otherwise everything else works.
Static NAT works for hosts included in the outside interface NAT.
08-21-2010 04:32 PM
Hello,
Can you please post the relevant NAT configurations here? Also, please post
the output of "show route" command.
Regards,
NT
08-21-2010 09:46 PM
Hi Nagaraja,
nat (inside) 100 access-list nat_outside
global (outside) 100 interface
access-list nat_outside extended permit ip host 10.10.20.1 any
access-list nat_outside extended permit ip host 10.10.20.2 any
access-list nat_outside extended permit ip host 10.10.20.3 any
access-list nat_outside extended permit ip host 10.10.20.4 any
access-list nat_outside extended permit ip host 10.10.20.5 any
access-list nat_outside extended permit ip host 10.10.20.6 any
access-list site_to_site_vpn extended permit ip 10.10.20.0 255.255.255.0 20.20.20.0 255.255.255.0
nat (inside) 1 access-list site_to_site_vpn
global (dmz) 1 192.168.3.50
The above policy NAT doesn't have any effect on 10.10.20.5.
access-list static_nat_vpn extended permit ip host 10.10.20.5 20.20.20.0 255.255.255.0
static (inside,dmz) 192.168.3.51 access-list static_nat_vpn
The above static NAT now works. Now I can send traffic out the outside interface as well as the dmz interface.
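The precedence argument running through this thread (exemption first, then static, then policy NAT, with a global required on the interface the packet actually leaves) can be checked against a small model of the pre-8.3 ASA NAT lookup. The Python below is an added example written for this page; it is not ASA code and was not posted by anyone in the thread. It assumes Cisco's documented 8.2 order of operation: nat 0 access-list, then static, then nat N access-list statements in running-config order with the first match winning, and a drop when the matched nat ID has no global on the egress interface. It also assumes a default route out outside and a route for 20.20.20.0/24 out dmz, which is the routing the replies above say must exist. The ACL names and addresses are taken from the config posted above; 20.20.20.10 and 8.8.8.8 are constructed sample destinations.

```python
"""Toy model of the pre-8.3 ASA NAT lookup (constructed example, not ASA code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Ace:
    """One 'permit ip <src> <dst>' line of a policy NAT access-list."""
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst


@dataclass
class NatRule:
    """kind: 'exempt' = nat 0 access-list, 'static' = static (inside,X) ... access-list,
    'policy' = nat (inside) N access-list."""
    kind: str
    acl: List[Ace]
    nat_id: int = 0
    mapped_if: Optional[str] = None   # static only: the X in static (inside,X)
    mapped: Optional[str] = None      # static only: the mapped address


@dataclass
class Asa:
    rules: List[NatRule]                    # running-config order
    globals_: Dict[Tuple[str, int], str]    # (interface, nat_id) -> global pool
    routes: List[Tuple[IPv4Network, str]]   # (prefix, interface)

    def egress_interface(self, dst: IPv4Address) -> Optional[str]:
        """Longest-prefix match; the egress interface is picked before NAT is consulted."""
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

    def nat_lookup(self, src: str, dst: str) -> dict:
        s, d = ip_address(src), ip_address(dst)
        egress = self.egress_interface(d)
        if egress is None:
            return {"action": "drop", "reason": "no route"}
        # Assumed order of operation: exemption, static, policy; first match wins.
        for kind in ("exempt", "static", "policy"):
            for rule in self.rules:
                if rule.kind != kind or not any(a.matches(s, d) for a in rule.acl):
                    continue
                if kind == "exempt":
                    return {"action": "forward", "egress": egress, "mapped": src, "rule": "nat 0"}
                if kind == "static":
                    if rule.mapped_if != egress:   # static applies only to its interface pair
                        continue
                    return {"action": "forward", "egress": egress, "mapped": rule.mapped,
                            "rule": f"static (inside,{rule.mapped_if})"}
                pool = self.globals_.get((egress, rule.nat_id))
                if pool is None:
                    # Matched nat N but there is no 'global (<egress>) N': the packet is
                    # dropped and the later, more specific nat statement is never consulted.
                    return {"action": "drop", "egress": egress,
                            "reason": f"nat {rule.nat_id} matched, no global ({egress}) {rule.nat_id}"}
                return {"action": "forward", "egress": egress, "mapped": pool,
                        "rule": f"nat {rule.nat_id}"}
        return {"action": "drop", "egress": egress, "reason": "no NAT rule matched"}


def ace(src: str, dst: str) -> Ace:
    return Ace(ip_network(src), ip_network(dst))


# ACLs as posted: nat_outside lists hosts .1 to .6 with destination any.
NAT_OUTSIDE = [ace(f"10.10.20.{i}/32", "0.0.0.0/0") for i in range(1, 7)]
SITE_TO_SITE_VPN = [ace("10.10.20.0/24", "20.20.20.0/24")]
STATIC_NAT_VPN = [ace("10.10.20.5/32", "20.20.20.0/24")]


def asa_as_posted(with_static: bool = False, vpn_nat_first: bool = False) -> Asa:
    """Build the posted config. vpn_nat_first lists 'nat (inside) 1' before 'nat (inside) 100'."""
    rules = [NatRule("policy", NAT_OUTSIDE, nat_id=100),
             NatRule("policy", SITE_TO_SITE_VPN, nat_id=1)]
    if vpn_nat_first:
        rules.reverse()
    if with_static:
        rules.append(NatRule("static", STATIC_NAT_VPN, mapped_if="dmz", mapped="192.168.3.51"))
    return Asa(
        rules=rules,
        globals_={("outside", 100): "interface", ("dmz", 1): "192.168.3.50"},
        # Assumed routing: default route out outside, 20.20.20.0/24 out dmz.
        routes=[(ip_network("0.0.0.0/0"), "outside"), (ip_network("20.20.20.0/24"), "dmz")],
    )


if __name__ == "__main__":
    for label, box in (("as posted", asa_as_posted()),
                       ("with static", asa_as_posted(with_static=True)),
                       ("nat 1 listed first", asa_as_posted(vpn_nat_first=True))):
        print(label, box.nat_lookup("10.10.20.5", "20.20.20.10"))
```

Under these assumptions the model reproduces what the thread reports: 10.10.20.5 to 20.20.20.10 leaves via dmz, hits nat (inside) 100 because its ACL line says destination any, finds no global (dmz) 100 and is dropped, while a host outside the nat_outside list (say 10.10.20.50) falls through to nat (inside) 1 and gets 192.168.3.50. Adding the static makes 10.10.20.5 work because static is evaluated before any policy NAT. The same model also shows that if the first-match rule holds on the real box, listing the site_to_site_vpn nat statement before the nat_outside one is enough for 10.10.20.5 to translate to 192.168.3.50; the packet-tracer command suggested in the reply below is the way to confirm that on the ASA itself.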
08-22-2010 02:39 AM
Hello,
What kind of traffic are you trying to send from inside to the remote vpn
clients? The only difference between the dynamic NAT that doesn't work and
the one that works is the first one is unidirectional and the second is
bidirectional. I see your point that since the inside-to-outside access-list
also contains the same IP addresses, it may not look at the other dynamic
statements. But, by design, it should not behave that way unless there is
another conflicting NAT statement on the DMZ interface. (Something like
"global (dmz) 100 interface" statement). Can you run a packet tracer (after
putting the dynamic translation back in there and removing the static/nonat
for that traffic) and post the output here? The command would be:
packet-tracer input inside icmp 10.10.20.5 8 0 20.20.20.10 detailed
Regards,
NT
08-22-2010 09:43 PM
HI Nagaraja,
By design both are the same. The static is unidirectional, since I have not allowed access-lists to allow outside to enter the dmz. I really can't do much troubleshooting on this one, since it's production and I have to ask for the customer's consent. But I will get back to you on this one.
Thanks a bunch for your help. Will mail you soon
Thanks