Destination NAT over IPSEC VPN on ASA

inderpalsogi
Level 1

We currently have the following scenario with two IPsec VPN tunnels set up.

inside LAN = 172.20.136.0/24

Remote Site1 internal LAN = 192.168.1.0/24

Remote Site2 internal LAN = 192.168.2.0/24

The VPN tunnels establish without any issues and I can connect to hosts 192.168.1.10 and 192.168.2.10.

However, to avoid overlapping problems in the future, normally the policy NAT is done on the remote end. This cannot be done, as our customers are resistant to making any policy NAT changes at their end.

Therefore, I want to 1:1 NAT the remote end hosts to the following on my side, so I am doing destination NAT.

static (out,in) 192.168.1.10 172.23.0.1  netmask 255.255.255.255

static (out,in) 192.168.2.10 172.23.1.2  netmask 255.255.255.255

In this case our internal 172.20.136.0/24 will connect to the IP addresses 172.23.0.1 or 172.23.1.2 rather than 192.168.1.10 or 192.168.2.10.

However, when I try to ping/connect to the destination NAT'd addresses 172.23.0.1 or 172.23.1.2, I get NO reply. The access-lists are implemented, and they allow traffic from 172.20.136.0/24 to 172.23.0.0/24 and 172.23.1.0/24.

Can someone please confirm where I may be going wrong.

2 Replies

Jouni Forss
VIP Alumni

Hi,

It seems to me that the NAT configuration is otherwise correct but you have to switch the IP addresses the other way around.

The "static" command's format is

static (sourceint,destint) <mapped_ip> <real_ip> netmask 255.255.255.255

So the commands should be

static (out,in) 172.23.0.1 192.168.1.10 netmask 255.255.255.255

static (out,in) 172.23.1.2 192.168.2.10 netmask 255.255.255.255

With a little modification you could also configure this as Static Policy PAT, which would apply this NAT only when the traffic is between your LAN and these specific hosts, but then again I am not sure if it's needed in this case.

Hope this helps

- Jouni
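The corrected layout in full, as an added example to go with the reply above; it is not configuration taken from the original post. It uses the pre-8.3 "static" syntax the thread uses. The interface names "inside" and "outside", the ACL names (inside_access_in, VPN_SITE1, VPN_SITE2), the crypto map name outside_map and the sample LAN host 172.20.136.50 are assumptions.

```cisco
! Destination NAT for two remote VPN hosts, ASA pre-8.3 syntax (added example).
! Form: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
! The remote hosts are real on "outside" and are presented to "inside"
! as 172.23.0.1 and 172.23.1.2: mapped address first, real address second.
static (outside,inside) 172.23.0.1 192.168.1.10 netmask 255.255.255.255
static (outside,inside) 172.23.1.2 192.168.2.10 netmask 255.255.255.255

! The inbound ACL on "inside" is checked against the addresses as they
! arrive on that interface, i.e. before translation, so it must permit
! the mapped 172.23.x.x destinations the LAN hosts actually send to.
! (ACL name inside_access_in is an assumption.)
access-list inside_access_in extended permit ip 172.20.136.0 255.255.255.0 host 172.23.0.1
access-list inside_access_in extended permit ip 172.20.136.0 255.255.255.0 host 172.23.1.2
access-group inside_access_in in interface inside

! NAT is applied before the packet is matched against the crypto map, so
! the crypto ACLs keep the real remote networks. The tunnel definitions
! that already work in the thread therefore do not change.
! (ACL and crypto map names are assumptions.)
access-list VPN_SITE1 extended permit ip 172.20.136.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN_SITE2 extended permit ip 172.20.136.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map outside_map 10 match address VPN_SITE1
crypto map outside_map 20 match address VPN_SITE2

! Verification: trace an ICMP echo (type 8, code 0) from a LAN host to the
! mapped address and confirm the NAT and VPN phases both report ALLOW,
! then confirm the translation exists. 172.20.136.50 is a sample host.
packet-tracer input inside icmp 172.20.136.50 8 0 172.23.0.1
show xlate | include 172.23
```

Two checks are worth doing alongside this. The mapped addresses are not on the 172.20.136.0/24 LAN, so the LAN hosts (or their gateway) need a route for 172.23.0.0/24 and 172.23.1.0/24 that points at the ASA's inside interface; the ASA will not proxy-ARP for them on the LAN. Return traffic from 192.168.1.10 is translated back to 172.23.0.1 by the same xlate, so the remote sites need no change, which is the point of doing the NAT locally.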

Sorry, my original statements should have read as:

static (out,in) 172.23.0.1 192.168.1.10 netmask 255.255.255.255

static (out,in) 172.23.1.2 192.168.2.10 netmask 255.255.255.255

As it is 192.168.1.x on the outside and 172.23.0.1 or 172.23.1.2 on the inside.
