NAT Scenario

Maro.Cisco
Level 1

Dears,

I'm seeking help with the IPsec VPN scenario below:

  • Please note that it is a requirement from both sides that no private IPs are allowed, meaning that the VPN setup will need both the Server and the Remote Server to use public IPs, and public IPs to establish the tunnel as well. Anyway, in the below all I care about is the Server (local) side, not the remote one.

Server(172.16.5.8)-------(172.16.5.1)Core switch(172.16.55.2)-----L2 switch----(172.16.55.1)VPN Concentrator(192.168.3.2)-------L2 switch----(192.168.3.1)PIX(Public VPN Peer :x.x.x.x)----Internet------(Public VPN Peer: y.y.y.y)Remote Site--------(Public IP f.f.f.f)Remote Server

1) The VPN configuration will be made on the VPN Concentrator, as the PIX is running in multiple-context mode and therefore VPN termination is not allowed on it.

2) Since the VPN tunnel will be configured on the VPN Concentrator using the interface with IP 192.168.3.2, a NAT will be made on the PIX to the public IP x.x.x.x (VPN tunnel established without any problem).

3) Apart from the x.x.x.x public IP, which will be used to establish the VPN tunnel, I have another public IP z.z.z.z which is available on the exit interface of the PIX. My question is: can I NAT 172.16.5.8 to public IP z.z.z.z? (Talking about the IPsec traffic; remember both sides require that the traffic be sourced from a public IP.)

Conclusion

I think it will not work, because: 1) when the packet is going to the VPN Concentrator it will have source 172.16.5.8 and destination f.f.f.f; 2) when the traffic goes out of the VPN Concentrator toward the PIX the packet will have source 192.168.3.2 and destination the Remote Server's public VPN peer y.y.y.y; 3) when it arrives at the PIX, as configured, 192.168.3.2 will be NATed to x.x.x.x and the destination will be y.y.y.y. So the PIX will not be able to NAT 172.16.5.8 to z.z.z.z, since it will already be encrypted by ESP. Please correct me if I'm right.

In case I'm right, what can I do in this case?

6 Replies

Jouni Forss
VIP Alumni

Hi,

I have to begin by saying that I have absolutely no experience configuring NAT on the VPN Concentrators.

If the VPN Concentrator is able to do the NAT before the VPN negotiation (which I presume it can) then you should be able to use any IP address you want as the NAT IP address of your local server behind the concentrator.

The remote end just has to also make sure that the IP address you have chosen as the NAT IP address will be used as their destination IP address in the L2L VPN configurations.

- Jouni

But then am I correct about the packet flow steps (1, 2, 3) from the VPN Concentrator to the other end, and also that NATing the server IP after the VPN negotiation will not be possible on the PIX?

Also, what if I don't have any public IP available on the VPN Concentrator? Then I won't be able to do any NAT,

because let's say on the VPN Concentrator I decided to NAT 172.16.5.8 to public IP W.W.W.W, which must be configured on the concentrator?

Hi,

Yes, I don't really think it's possible to do any kind of NAT on the PIX as it's not doing the actual VPN.

There is nothing special about choosing a random IP address to be used on an ASA doing VPN, for example. Sometimes I personally run into a situation where the remote end wants a specific IP address to be used as the source IP address for the L2L VPN on our side.

So I simply NAT a server or all users to a single IP address (that is not configured on any ASA interface) and use that IP address in the L2L VPN configurations when defining the local and remote networks.

Naturally, in those cases the NAT configuration is always a Policy NAT/PAT configuration, as if I were to do a normal NAT/PAT configuration it might start applying to traffic other than the traffic that is supposed to head through the L2L VPN.

- Jouni

How is it possible to NAT the server to an IP address that is not configured on an ASA/PIX interface?

Hi,

Well, it's very common, to be honest.

Many customers have multiple public subnets on their ASA firewall, which is located on the edge of their network. As you might know, the ASA can only hold a single subnet on its physical interface.

Though this does not stop the customer from using a public subnet on their ASA that is not configured on its interface.

The way it's handled is either by the ISP routing the extra subnet towards the current ASA outside interface IP address, or the ISP has directly configured that public subnet on their gateway interface as a "secondary" network.

Either way, you will be able to configure Static NATs, Dynamic PATs and any other NAT using those IP addresses from the other subnet.

In the case of your VPN I can't really comment on how (and if) the NAT can be configured, as I have really not used Cisco VPN Concentrators. But there should be no problem using a random IP address to NAT the traffic bound for the L2L VPN connections, as that IP address WON'T BE VISIBLE to the PIX or any Internet router since it's encapsulated/encrypted traffic.

The PIX will see the packets from the IP address of the VPN Concentrator, and the Internet gateway will see packets coming from the NAT IP address of the VPN Concentrator (the NAT done on the PIX). When the packet reaches the remote end and is decapsulated and decrypted, it will then be visible to the remote end with the NAT IP address used on the VPN Concentrator.

- Jouni
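The packet path Jouni describes, and the reason the NAT has to sit on the concentrator ahead of ESP rather than on the PIX, can be modelled in a few lines. This is an added illustration, not code from the thread or from any Cisco product; the placeholder addresses x.x.x.x, y.y.y.y, z.z.z.z and f.f.f.f are kept as literal strings, and the "policy NAT" here is simply a check that only traffic matching the VPN selector gets translated.

```python
# Constructed model of the thread's topology (not real device behaviour).
SERVER = "172.16.5.8"
CONC_INSIDE = "192.168.3.2"   # concentrator interface facing the PIX
PIX_PUBLIC = "x.x.x.x"        # PIX translates the concentrator to this address
REMOTE_PEER = "y.y.y.y"       # remote site's public VPN peer
REMOTE_SERVER = "f.f.f.f"     # public address of the remote server
SERVER_NAT_IP = "z.z.z.z"     # address agreed with the remote end for our server


def concentrator(pkt, nat_server):
    """Policy NAT, then ESP. Only traffic matching the VPN selector
    (destination = remote server) is translated and encapsulated; anything
    else is forwarded untouched, which is the point of a *policy* NAT."""
    out = dict(pkt)
    if out["dst"] != REMOTE_SERVER:
        return out
    if nat_server and out["src"] == SERVER:
        out["src"] = SERVER_NAT_IP
    # ESP wraps the (already translated) inner packet; from here on the inner
    # header is encrypted and cannot be read or rewritten by any hop.
    return {"src": CONC_INSIDE, "dst": REMOTE_PEER, "proto": "ESP", "payload": out}


def pix(pkt, nat_table):
    """Static NAT on the outer header only; an ESP payload is opaque here."""
    out = dict(pkt)
    out["src"] = nat_table.get(out["src"], out["src"])
    return out


def remote_end(pkt):
    """The peer decapsulates and decrypts, then sees the inner header."""
    if pkt.get("proto") != "ESP" or pkt["dst"] != REMOTE_PEER:
        raise ValueError("not a tunnel packet for this peer")
    return pkt["payload"]


def trace(server_pkt, nat_on_concentrator, pix_nat):
    """Return (source seen on the Internet, source seen by the remote end)."""
    esp = concentrator(server_pkt, nat_on_concentrator)
    on_internet = pix(esp, pix_nat)
    return on_internet["src"], remote_end(on_internet)["src"]


if __name__ == "__main__":
    vpn_pkt = {"src": SERVER, "dst": REMOTE_SERVER, "proto": "TCP"}
    # NAT on the concentrator: Internet sees x.x.x.x, remote sees z.z.z.z.
    print(trace(vpn_pkt, True, {CONC_INSIDE: PIX_PUBLIC}))
    # NAT rule for the server on the PIX never matches: the inner 172.16.5.8
    # is inside the ESP payload by the time the packet reaches the PIX.
    print(trace(vpn_pkt, False, {CONC_INSIDE: PIX_PUBLIC, SERVER: SERVER_NAT_IP}))
```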

Thanks, I know this has gone on for so long, but to wrap things up: right now I have 2 private interfaces on the VPN Concentrator:

(172.16.55.1)VPN Concentrator(192.168.3.2)

I'll figure out a way to do NAT on the concentrator, and then I'll NAT the Server with IP 172.16.5.8 to public IP z.z.z.z, which isn't required to be configured anywhere else, not even on the VPN Concentrator.

Thanks a lot for your support.