Policy NAT through VPN problem

jmartin
Level 1

Hello. I have some policy based NAT rules and static rules in place already that are functioning using some of my external IP addresses. Those NAT rules are used on the majority of my VPN tunnels to clients.

However, I have a new requirement from a client who requires me to NAT my hosts into their tunnel from the 10.20.4.x network. The hosts on my side are the same that are used in my rules already in place. My current config looks like this:

access-list SMTPNATout1 permit ip host 10.1.3.121 any
access-list SMTPNATout1 permit ip host 10.1.3.122 any
access-list VPNFilter1 permit ip host 10.20.4.1 host a.a.a.100
access-list VPNFilter1 permit ip host 10.20.4.2 host a.a.a.100
access-list SMTPNATout2 permit ip host 10.1.3.121 a.a.0.0 255.255.0.0
access-list SMTPNATout2 permit ip host 10.1.3.122 a.a.0.0 255.255.0.0
global (outside) 5 x.x.x.32
global (outside) 50 10.20.4.2
nat (inside) 5 access-list SMTPNATout1 0 0
nat (inside) 50 access-list SMTPNATout2 0 0
static (inside,outside) tcp x.x.x.32 smtp 10.1.6.96 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 10.20.4.2 smtp 10.1.6.196 smtp netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.180 10.1.4.40 netmask 255.255.255.255 0 0
static (inside,outside) 10.20.4.1 10.1.4.140 netmask 255.255.255.255 0 0

I am able to use secondary internal IPs on the hosts that need the static connections and that works just fine. It is the two hosts in the SMTPNATout rules that are not working correctly when trying to get them to NAT as the 10.20.4.2 address when sending into the tunnel towards the client destination. Any advice would be appreciated. Thanks...

5 Replies

Joe,

I cannot remember the order of operation and matching criteria off the top of my head, but technically your outbound traffic could match on both Policy NAT ACLs. If the PIX continues after a match to find a better candidate then you are fine, but if it tries statement 5 and then matches/executes then you won't. Try adding deny statements for the new networks on your original NAT. Example below.

access-list SMTPNATout1 deny ip host 10.1.3.121 a.a.0.0 255.255.0.0
access-list SMTPNATout1 deny ip host 10.1.3.122 a.a.0.0 255.255.0.0
access-list SMTPNATout1 permit ip host 10.1.3.121 any
access-list SMTPNATout1 permit ip host 10.1.3.122 any

Again, this is just a logical observation from me and I am not sure exactly of the match process for Policy NAT. Hopefully this won't match on ACL 1 and then match on ACL 2, if this was indeed the problem. You should be able to determine this via a sh xlate.

Please rate any helpful posts.

Thanks

Fred

Thinking about this further, I have had a NAT (inside) 1 and say a NAT (inside) 2 with the NAT 1 a generic network and the NAT 2 a specific net, and this did work. So my last post is probably irrelevant and still not totally sure of the selection criteria. If I think of something else, I will post it.

Thanks

Fred

It is hitting the 5 policy NAT and translating out as that x.x.x.32 IP and not going through the VPN tunnel. I have tried putting the 50 policy in as a lower number than 5 and that did not make a difference even after clearing the xlate table.

I'm at a loss at what to try next. I could give my internal hosts secondary IP addresses to work from but that seems more complicated than making a working rule set on the PIX...

Hi,

if Policy NAT 5 comes before the policy NAT 50 you want, maybe you can try to modify your rule n°5:

Instead of being a policy NAT, use a regular NAT.

Replace:

nat (inside) 5 access-list SMTPNATout1 0 0
global (outside) 5 x.x.x.32

by:

nat (inside) 5 10.1.3.121 255.255.255.255
nat (inside) 5 10.1.3.122 255.255.255.255
global (outside) 5 x.x.x.32

Since the order of NAT Commands Used to Match Real Addresses is:

1. NAT exemption (nat 0 access-list)
2. Static NAT and Static PAT (regular and policy) (static)
3. Policy dynamic NAT (nat access-list)
4. Regular dynamic NAT (nat)

your PIX will match rule n°50 (a policy NAT) before rule n°5 (a regular NAT).

Thank you for letting us know if it helps.

Khay
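Khay's lookup order, as an added Python model that is not part of the thread or any Cisco code: it walks the four stages over a reduced copy of Joe's rules and shows why turning nat 5 into a regular NAT lets policy NAT 50 win for the client's network. Constructed 198.51.0.0/16 and 192.0.2.32 stand in for the a.a.0.0/16 and x.x.x.32 placeholders, and trying rules in configured order within a stage is an assumption.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
CLIENT_NET = ip_network("198.51.0.0/16")   # constructed stand-in for a.a.0.0/16
PUBLIC_IP = "192.0.2.32"                   # constructed stand-in for x.x.x.32

def host(addr):
    """ACL 'host a.b.c.d' as a /32 network."""
    return ip_network(addr + "/32")

def acl_match(acl, src, dst):
    """First-match ACL evaluation: returns 'permit', 'deny' or None."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action
    return None

def translate(rules, src, dst):
    """Walk the four stages Khay lists: exemption, static, policy dynamic,
    regular dynamic. Within a stage, rules are tried in configured order
    (an assumption; the thread itself is unsure of that tie-break)."""
    src, dst = ip_address(src), ip_address(dst)
    for stage in ("exempt", "static", "policy", "regular"):
        for r in (r for r in rules if r["stage"] == stage):
            if stage in ("exempt", "policy"):
                if acl_match(r["acl"], src, dst) == "permit":
                    return r["mapped"]
            elif src in r["real"]:
                return r["mapped"]
    return str(src)  # no rule matched: address leaves untranslated

# Joe's config reduced to host 10.1.3.121 plus the 10.1.4.140 static.
SMTPNATOUT1 = [("permit", host("10.1.3.121"), ANY)]
SMTPNATOUT2 = [("permit", host("10.1.3.121"), CLIENT_NET)]
STATIC_140 = {"stage": "static", "real": host("10.1.4.140"), "mapped": "10.20.4.1"}
POLICY_50 = {"stage": "policy", "acl": SMTPNATOUT2, "mapped": "10.20.4.2"}

# Original: nat (inside) 5 access-list SMTPNATout1, so nat 5 and nat 50 are both policy NAT.
ORIGINAL = [STATIC_140, {"stage": "policy", "acl": SMTPNATOUT1, "mapped": PUBLIC_IP}, POLICY_50]

# Khay's fix: nat (inside) 5 10.1.3.121 255.255.255.255, so nat 5 becomes regular dynamic NAT.
FIXED = [STATIC_140, {"stage": "regular", "real": host("10.1.3.121"), "mapped": PUBLIC_IP}, POLICY_50]

if __name__ == "__main__":
    print(translate(ORIGINAL, "10.1.3.121", "198.51.7.9"))  # 192.0.2.32: the symptom Joe sees
    print(translate(FIXED, "10.1.3.121", "198.51.7.9"))     # 10.20.4.2: policy NAT 50 wins
    print(translate(FIXED, "10.1.3.121", "203.0.113.5"))    # 192.0.2.32: other destinations keep nat 5
    print(translate(FIXED, "10.1.4.140", "198.51.7.9"))     # 10.20.4.1: static beats both dynamic rules
```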

Thanks. I was able to find the Cisco doc that explained in detail that ordering of the NAT commands you posted. I will probably try it this weekend with the way mentioned because even when I make rule 50 a lower number like 4 and run clear xlate it still does not work like I believe it should...

Joe