Does anyone know the order of operation of NAT and IPSec on ASA5520 ver 7.0(4)?
outside (Internet) <==> asa5520 <==> dmz
What I'm looking for is the normal order of operation of the features when establishing a site-to-site VPN using IPsec, with NAT of a host on the DMZ to a public address on the ASA's Internet-facing interface. The IPsec VPN will be initiated from a variety of places on the Internet, all to a public address on the outside.
Then, based on destination port, NATing to a static host on the DMZ/inside.
I'm having trouble with the order of ACL execution: should the source address in the NAT statement be the public address of the source and the destination the DMZ or inside host, or vice versa? In the config snippet below, I think the ACL list1 has the addresses reversed -- but it seems to work. Is the NAT happening when the traffic enters/exits the DMZ/inside or when it crosses the outside interface? If when it crosses the outside interface, does NAT happen before or after the encryption when inbound or outbound?
This seems like a fairly odd request. From what I understand, you would like to encrypt your client traffic coming to the publicly NATed IP addresses of your DMZ servers. You do realize that when you NAT them they become publicly available for other people to connect to them as long as there is an access-list applied to that external interface. That being said, we can answer your questions.
PIXes are kind of weird with the static mappings. Basically they get reversed; why they did this, who knows. So if you're mapping addresses from interface A to interface B, you then flip the actual addresses and put the IP address off interface B first and the IP address off interface A second.
static (intA, intB) intBaddy intAaddy
Your crypto map should permit your outside hosts with the VPN client to the public IP addresses that you're going to be NATing. Let's say you have a host coming from 188.8.131.52, 184.108.40.206, 220.127.116.11 and your outside NATed IP address is 18.104.22.168; your access-list would be as follows:
You said: "You do realize that when you nat them they become publicly available for other people to connect to them as long as there is an access-list applied to that external interface."
Doesn't my ACL "access-list list1 extended permit tcp host eq host " limit the NAT to only permitting traffic from the to the and only when the TCP port is ? (Note, the addresses are reversed, as you mention.)
maybe I should try to explain better... :)
We want to be able to have customers establish site-to-site VPNs only from known peers (i.e. static) to our public address.
Then, we want the traffic inside that IPsec VPN to come from a host on their side (that has been NATed to a public address) to a public (outside) address of our server.
That traffic then gets NATed to the private address of our host (on either the DMZ or inside interfaces), but only if the traffic is from a statically defined public source destined for the outside address/port combination.
The problem I'm having is that the traffic will not pass the crypto map acl.
The original question, though, is the order of operation of NAT and IPsec (VPNs).
For example, I have traffic hitting my outside interface (public Internet) from a known public source IP. I want that traffic to be encapsulated in IPsec. Also, the traffic is destined for a host on my DMZ or inside interfaces, which use private addresses.
So, does the NAT acl get hit first, or the crypto acl?
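As an added example, not posted by anyone in this thread, here is the full shape of the configuration under discussion in ASA 7.0(4) syntax. Every address is a hypothetical RFC 5737 documentation address, and the interface names (dmz, outside), ACL names and crypto map name are assumptions. The policy static NAT ACL follows the same "real host, eq port, remote host" form as the poster's list1, and the comments state where in the packet path each piece is evaluated, which is what decides whether the crypto ACL should carry the real or the mapped address.

```cisco
! Added example, not configuration from the thread. Addresses are RFC 5737
! documentation ranges; interface, ACL and crypto map names are assumptions.
!
! Topology assumed:
!   remote peer (their ASA/router)  198.51.100.1
!   remote host, already NATed to a public address on their side  198.51.100.20
!   our DMZ server (real address)   192.168.10.5
!   our public address for it on outside (mapped address)  203.0.113.10

! --- NAT ---------------------------------------------------------------
! Policy static NAT. The ACL is written from the REAL host's point of view:
! real source address and its service port first, remote destination second.
! That is why it looks "reversed" for a connection that is initiated from
! the outside; the ASA builds the xlate from this and applies it in both
! directions. Only 192.168.10.5 tcp/443 talking with 198.51.100.20 is
! translated; nothing else on the DMZ host gets a public mapping.
access-list list1 extended permit tcp host 192.168.10.5 eq 443 host 198.51.100.20
! static (real_ifc,mapped_ifc) mapped_ip access-list acl_name
static (dmz,outside) 203.0.113.10 access-list list1

! --- Interface ACL on outside -------------------------------------------
! Pre-8.3 interface ACLs match the MAPPED (public) address for traffic
! arriving on outside. Caveat: with the 7.0 default "sysopt connection
! permit-ipsec", traffic decrypted from the tunnel bypasses this ACL
! entirely. Disable it ("no sysopt connection permit-ipsec") if the outside
! ACL must also gate what comes out of the tunnel.
access-list outside_in extended permit tcp host 198.51.100.20 host 203.0.113.10 eq 443
access-group outside_in in interface outside

! --- Crypto ACL ----------------------------------------------------------
! Order of operations: for a packet leaving on outside, NAT is applied
! before the crypto map ACL is checked; for a packet arriving on outside,
! decryption happens first and un-NAT afterwards. The crypto ACL therefore
! sees the MAPPED address 203.0.113.10, never 192.168.10.5. Writing the
! real DMZ address here is the usual reason traffic "will not pass the
! crypto map acl". Local side is listed first, as always on the ASA.
access-list l2l_crypto extended permit ip host 203.0.113.10 host 198.51.100.20

! --- Phase 1 (7.0 uses "isakmp", not "crypto isakmp") -------------------
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! --- Phase 2, pinned to the one known peer ------------------------------
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address l2l_crypto
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

! For a site-to-site tunnel the tunnel-group name is the peer's IP address.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <long-random-key>
```

To check it on the box: "show xlate" should list the 192.168.10.5 to 203.0.113.10 translation once the first connection has been built, "show access-list l2l_crypto" shows hit counts on the mapped-address entry (zero hits with a live tunnel means the crypto ACL is naming the wrong address), and "show crypto ipsec sa" shows the negotiated proxy identities, which must read 203.0.113.10 and 198.51.100.20 on both ends.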