New Member

asa 5520 nat/ipsec/vpn order of operation?

Does anyone know the order of operation of NAT and IPSec on ASA5520 ver 7.0(4)?

outside (Internet) <==> asa5520 <==> dmz

______________________________<==> inside

What I'm looking for is the normal order of operation of the features when establishing a site-site vpn using ipsec, with nat of a host on the dmz to a public address on the ASA's internet facing interface? The IPSec VPN will be initiated from a variety of places on the Internet, all to a public address on the outside.

Then based on destination port, natting to a static host on the dmz / inside.

I'm having trouble with the order of acl execution: should the source address in the NAT stmt be the public address of the source and the destination the dmz or inside host, or vice versa? In the config snippet below, I think the acl list1 has the addresses reversed -- but it seems to work. Is the nat happening when the traffic enters/exits the dmz/inside or when it crosses the outside i/f? If when it crosses the outside i/f, does nat happen before or after the encryption when in or outbound?

I'm somewhat confused......

using the commands:

interface gig0/0

name outside

interface gig1/0.110

vlan inside

name inside

interface gig1/0.120

vlan 120

name dmz

access-list list1 extended permit tcp host <private_ip> eq <tcp_port> host <public_source_ip>

static (dmz,outside) tcp <my_public_ip> <tcp_port> access-list list1

access-list list1_cryptomap_20 extended permit tcp host <my_public_ip> host <public_source_ip>

crypto map outside_map 34 match address list1_cryptomap_20

crypto map outside_map 34 set peer <peer_public_ip>

crypto map outside_map 34 set transform-set ESP-3DES-SHA

crypto map outside_map 34 set security-association lifetime seconds 43200

tunnel-group <peer_public_ip> type ipsec-l2l

tunnel-group <peer_public_ip> ipsec-attributes

pre-shared-key <psk>

thanks,

Jason

4 REPLIES

Re: asa 5520 nat/ipsec/vpn order of operation?

Jason,

This seems like a fairly odd request. From what I'm understanding, you would like to encrypt your client traffic coming to the publicly natted IP addresses of your DMZ servers. You do realize that when you nat them they become publicly available for other people to connect to them as long as there is an access-list applied to that external interface. That being said, we can answer your questions.

PIXes are kind of weird with the static mappings. Basically they get reversed; why they did this, who knows. So if you are mapping addresses from interface A to interface B, you would then flip the actual addresses and put the IP address off interface B first and the IP address off of interface A second.

Example:

static (intA, intB) intBaddy intAaddy

Your cryptomap should permit your outside hosts with the vpn client to the public IP addresses that you're going to be natting. Let's say you have hosts coming from 1.1.1.1, 1.2.2.2, 1.3.3.3 and your outside natted IP address is 123.123.123.123; your access-list would be as follows:

access-list list1_cryptomap_20 extended permit tcp host 1.1.1.1 host 123.123.123.123

access-list list1_cryptomap_20 extended permit tcp host 1.2.2.2 host 123.123.123.123

access-list list1_cryptomap_20 extended permit tcp host 1.3.3.3 host 123.123.123.123

Other than that it looks right.

Once your vpn is established you'll still need to setup an access-list on the external interface to allow this traffic to the natted ip address.

Patrick

New Member

Re: asa 5520 nat/ipsec/vpn order of operation?

Patrick,

You said: "You do realize that when you nat them they become publicly available for other people to connect to them as long as there is an access-list applied to that external interface."

Doesn't my acl "access-list list1 extended permit tcp host eq host " limit the nat to only permitting traffic from the to the and only when the tcp port is ? (note, the addresses are reversed as you mention)

maybe I should try to explain better... :)

We want to be able to have customers establish site-site VPNs only from known peers (i.e. static) to our public address.

Then, we want the traffic inside that IPSec VPN to come from a host on their side (That has been natted to a public address) to a public (outside) address of our server.

That traffic then gets NATed to the private address of our host (on either the DMZ or Inside interfaces), but only if the traffic is from a statically defined public source destined for the outside address/port combination.

The problem I'm having is that the traffic will not pass the crypto map acl.

Insights for this ASA5520 n00b?

tnx,

J.

Gold

Re: asa 5520 nat/ipsec/vpn order of operation?

Please excuse me for not reading the entire conversation.

Below is the order of nat:

1. nat exemptions (nat 0 access-list commands)

2. policy nat (static access-list commands)

3. static nat (static commands without port numbers)

4. static pat (static commands with port numbers)

5. policy nat (nat nat_id access-list commands)

6. dynamic nat and pat (nat nat_id commands)

Sourced from Cisco Press, "Cisco ASA and PIX Firewall Handbook".
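Added example (not part of any post in this thread, and not Cisco code): a small Python model of the NAT precedence listed in the reply above, combined with the "real address first" policy ACL form from Patrick's reply. Rule kinds, addresses (RFC 5737 ranges) and the `translate` helper are this example's own assumptions; it evaluates a flow in the real-to-mapped (dmz-to-outside) direction and shows which rule the ASA would pick when several match.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Precedence from the reply above: the lowest number wins when several rules match.
PRECEDENCE = {
    "nat0_acl": 1,        # nat 0 access-list (exemption)
    "policy_static": 2,   # static ... access-list (policy NAT)
    "static": 3,          # static without a port
    "static_pat": 4,      # static with a tcp/udp port
    "policy_dynamic": 5,  # nat <id> access-list
    "dynamic": 6,         # nat <id> / global
}

@dataclass
class NatRule:
    kind: str
    real: str                      # real (dmz) host/network: written SECOND in 'static'
    mapped: Optional[str] = None   # mapped (outside) address: written FIRST in 'static'
    port: Optional[int] = None     # real source port for static PAT
    # policy ACL entries as (real_src, dst, real_port); real address comes first
    acl: list = field(default_factory=list)

    def matches(self, src: str, dst: str, sport: int) -> bool:
        if self.acl:   # policy rule: the ACL decides, not the bare real/mapped pair
            return any(ip_address(src) in ip_network(a) and ip_address(dst) in ip_network(b)
                       and (p is None or p == sport) for a, b, p in self.acl)
        if self.port is not None and self.port != sport:
            return False
        return ip_address(src) in ip_network(self.real)

def translate(rules, src: str, dst: str, sport: int):
    """Return (rule kind, translated source) for a real->mapped flow; (None, src) if no rule hits."""
    hits = [r for r in rules if r.matches(src, dst, sport)]
    if not hits:
        return None, src
    best = min(hits, key=lambda r: PRECEDENCE[r.kind])
    return best.kind, (src if best.kind == "nat0_acl" else best.mapped)

# Constructed rule set: exemption for a private partner net, a policy static PAT that
# translates the dmz server only towards one known peer, and interface PAT for the rest.
RULES = [
    NatRule("nat0_acl", "192.0.2.0/24", acl=[("192.0.2.0/24", "10.10.0.0/16", None)]),
    NatRule("policy_static", "192.0.2.10", "203.0.113.5", acl=[("192.0.2.10", "198.51.100.7", 443)]),
    NatRule("dynamic", "192.0.2.0/24", "203.0.113.1"),
]
```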

New Member

Re: asa 5520 nat/ipsec/vpn order of operation?

Jackko,

That is great info, thank you.

The original question, though, is the order of operation of NAT, IPSec (VPNs).

For example, I have traffic hitting my outside interface (public internet) from a known public source IP. I want that traffic to be encapsulated in IPSec. Also, the traffic is destined for a host on my dmz or inside interfaces, which use private addresses.

So, does the NAT acl get hit first, or the crypto acl?

tnx,

Jason
