Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Having Problem in Policy NAT

Hi All,

  Please find my requirements below & the test results.

Existing Setup

  • Created site-to-site vpn (Client ASA ~ Data Ceter ASA).
  • Tunnel established. Only Client WRKS-A (192.168.1.1) & Data Center Server-A (10.1.1.1) are in the allowed hosts on VPN ACL
  • Able to transfer files from Client 192.168.1.1 to 10.1.1.1 with no issues.

Requirement

  • Assume a situation where i am taking my Server-A (10.1.1.1) for maintenance for 6hours, until the maintenance is complete, i will have the Server-B (10.1.1.2) in place, so that i need not inform the client to add 10.1.1.2 in his ASA.
  • Since 10.1.1.2 is not in the allowed VPN, i have a POLICY-NATconfiguration in place on the Data Center ASA. So that the files transfer from 192.168.1.1 will not interrupt.

static (inside,outside) 10.1.1.1  access-list CLIENT_VPN_Policy_NAT

access-list CLIENT_VPN_Policy_NAT extended permit ip host 10.1.1.2 host 192.168.1.1

access-list nonat extended permit ip host 10.1.1.1 host 192.168.1.1

    Test Results

    • Sucessful & able to be receive files from 192.168.1.1 to 10.1.1.2 after the policy NAT configuration & hence i decided that i will use this policy NAT configuration for ever so that the client will keep transferring the files only to 10.1.1.2 for ever though 10.1.1.2 is not in his allowed ACL.

    Problem

    • I have an other client 172.16.1.1 on a different vpn tunnel, where i have to permit ONLY 10.1.1.1 to transfer the files from 172.16.1.1. Issue here is, tunnel establishes, but the client is transferring the files to 10.1.1.2 because of a POLICY-NAT for the ip 10.1.1.1 is configured for the previous client.

    Question

    • Why does this POLICY-NAT reflects to the other tunnels when they also use the same IP 10.1.1.1?

    I was assuming that POLICY-NAT will reflect only the tunnel where i configure, but this seems to be reflecting all whomsoever is using 10.1.1.1

    2 REPLIES

    Re: Having Problem in Policy NAT

    This is the default behavior of Policy NAT. For incoming traffic, it won't consider the source IP mentioned in the Policy NAT ACL.

    As a workaround you need to apply filtering via access-lists. By default there is no ACL check for VPN traffic, you have to enable it via sysopt commands.

    Alternateively you can put an outbound ACL on the inside interface, allowing access to 10.1.1.2 from the 192.168.1.1 client only. Don't forget to permit eveything else in the end of the ACL

    Regards

    Farrukh

    Re: Having Problem in Policy NAT

    Thanks Farrukh. Let me try this & shall get back to you some time during next week.

    176
    Views
    0
    Helpful
    2
    Replies