Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

ASA 8.3 - site to site VPN with NAT

Hi All.

I am trying to create a site to site vpn. except it's not the usual setup. the 3rd party have requested we NAT all our inside source addresses to a single address before sedning it over the tunnel, this i beleive is due to them wanting to avoid network overlaps on their end as they have loads of VPNs.

so the flow we have is as follows:

multiple internal subnets ---> NAT to single address ---> VPN ----->Servers with outside addresses

with example IP's::

10.0.1.0/24

10.0.2.0/24  ----> NAT 1.1.1.1 -----> Over VPN------> 2.2.2.1 and/or 2.2.2.2

10.0.3.0/24

so the config i have is as follows:

object-group network vpnsourcesubnets

network-object 10.0.1.0 255.255.255.0

network-object 10.0.2.0 255.255.255.0

network-object 10.0.3.0 255.255.255.0

object-group network vpnsourcesubnets-nat

network-object host 1.1.1.1

object-group network vpndestinations

network-object host 2.2.2.1

network-object host 2.2.2.2

nat (inside,outside) source static vpnsourcesubnets vpnsourcesubnets-nat destination static vpndestinations vpndestinations

access-list VPNACL extended permit ip object-group vpnsourcesubnets-nat object-group vpndestinations

So regarding the above i have a few question:

1. a) should i be making the nat statement dynamic rather than static? should this be configured as dynamic nat or dynamic pat? i come to the conlcusion it should be dynamic pat as its one address and multiple hosts but i haven't seen any configuration guides with layouts like that so im uncertain. .... if i do need to change it, how would this refelct in the config?

2. should the ACL be basing its permissions on the pre-nat addresses or post nat? i've seen a few config example but none of them seem to be consistent, one will say post nat others will say pre-nat.

3. we have multple manual nat statements within section 1 on the ASA that look like this:

nat (inside,outside) source static any any destination static nonat-rfc1918 nonat-rfc1918

nat (inside,outside) source dynamic any interface

should i be placing my nat statement above this? could this cause any trouble?

Would love to hear your feedback on this.

thanks in advance.

6 REPLIES

ASA 8.3 Dynamic NAT/PAT - VPN

"a) should i be making the nat statement dynamic rather than static?" it should be dynamic PAT.

Please post your config requirement, I will compile it for you.

Thanks

Rizwan Rafeek

Community Member

ASA 8.3 Dynamic NAT/PAT - VPN

Thanks for your respnse rizwaan.

To clarify, i'm building this vpn on a production ASA, it' up and running already with other vpns configured. I'm just having trouble with this setup. Trying to figure out what i'm doing wrong.

do you have any feedback on my other questions?

ASA 8.3 Dynamic NAT/PAT - VPN

"should the ACL be basing its permissions on the pre-nat addresses or post nat?" It is pre-nat.

Hope that answer your question.

thanks

Community Member

ASA 8.3 - site to site VPN with NAT

So the following would be they way to configure it?

object-group network vpnsourcesubnets

network-object 10.0.1.0 255.255.255.0

network-object 10.0.2.0 255.255.255.0

network-object 10.0.3.0 255.255.255.0

object-group network vpnsourcesubnets-nat

network-object host 1.1.1.1

object-group network vpndestinations

network-object host 2.2.2.1

network-object host 2.2.2.2

nat (inside,outside) source dynamic vpnsourcesubnets vpnsourcesubnets-nat destination static vpndestinations vpndestinations

access-list VPNACL extended permit ip object-group vpnsourcesubnets object-group vpndestinations

ASA 8.3 - site to site VPN with NAT

"So the following would be they way to configure it?" Yes.

Community Member

ASA 8.3 - site to site VPN with NAT

I believe it is going to be one way of tunnel. I have a similar configuration on FW but Client is trying to access our side Network as they are and not the PAT ip address. If the traffic is to be initiated from the other End of the tunnel then, what needs to be done.

1299
Views
0
Helpful
6
Replies
CreatePlease to create content