We recently engaged with a third party vendor that required us to setup 3 L2L VPN connections from a single host on our network to 3 remote end hosts. Due to our internal private address space in use overlapping with their address space we had to NAT our host to a different private address. Normally this is relatively easy to configure but we encountered complications because our headend VPN firewall (ASA 5520) is also a VPN headend device for remote branch offices that connect from dynamic addresses with the added complexity of all internet browsing traffic has to go through the VPN tunnel. To accommodate this, we have a general NAT exemption rule configured as any/any.
We searched through many configuration examples but found most were based on an assumption the firewall configuration only implemented L2L VPNs with NAT or without NAT (NAT exemption). We had to figure out a hybrid of these scenarios and I thought I would share our findings that made this work.
We have a single ASA 5520 acting as our L2L VPN headend device at our headquarters
We have already established L2L VPN configurations to branch offices that the peer address is dynamic
We also have already established L2L VPN configurations for branch offices that the peer address is static
We needed to NAT a single host at our headquarters to a specific private IP in a VPN tunnel to a third party
The first thing that needs to be done is a No Exempt rule needed to be created to exclude the internal host from the NAT exemption when communicating with the third party hosts. The following config excerpts shows how this was accomplished. IP addresses and specific names have been changed for obvious reasons .
! Setup third party addresses as a object group for easier reference
object-group network THIRD_PARTY
description CompanyABC Remote Hosts
network-object host 172.16.1.4
network-object host 172.16.1.5
network-object host 172.16.1.6
! Exclude the specifics for the third party connection from the NAT exemption rules
access-list inside_nat0_outbound extended deny ip host 10.1.1.10 object-group THIRD_PARTY
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 any
! Define the access-list for determining the static NAT
access-list inside_nat_static extended permit ip host 10.1.1.10 object-group THIRD_PARTY
! Define the 3 access-lists to be used in the 3 crypto maps
access-list outside_3_cryptomap extended permit ip host 172.16.1.2 host 172.16.1.4
access-list outside_4_cryptomap extended permit ip host 172.16.1.2 host 172.16.1.5
access-list outside_5_cryptomap extended permit ip host 172.16.1.2 host 172.16.1.6
! TURN ON NAT (Overlooked this one too many times ;-))