Cisco Support Community
Community Member

NATing behind VPN device

I'm pretty familiar with setting up a VPN but a customer asked if we could NAT our servers to a range they provide and I'm not sure how this can be implemented.

Here's our setup (sanitized):

our side (10.1.1.0/24) <---> ASA <---> router <---> Internet <---> customer side (10.1.3.31/32)

We use the ASA for the L2L tunnels. I can set up the L2L tunnel above but the customer wants us to NAT our side using their range of 10.1.2.0/24.

Specifically, how do I NAT our server 10.1.1.11 to 10.1.2.21 when going to 10.1.3.31 through the VPN? Basically, the customer already has routes set up for 10.1.2.0/24, so if we can do the NAT to that range on our end then they don't need to add any routes on their end. Keep in mind that our server 10.1.1.11 is also serving other customers, so we only want the NAT to take effect when going to the specific customer 10.1.3.31.

8 REPLIES

Re: NATing behind VPN device

Rimbert,

Instead of doing NAT exemption for the VPN traffic, you need to NAT it.

You do this with Policy NAT:

access-list 150 permit ip host 10.1.1.11 host 10.1.3.31

static (in,out) 10.1.2.21 access-list 150

Make sure there are no NAT 0 access-list statements for the above IPs.

Then the crypto ACL for interesting traffic is defined like this:

access-list crypto permit ip host 10.1.2.21 host 10.1.3.31

Federico.

Community Member

Re: NATing behind VPN device

Hello Federico,

Thank you for replying.

When you wrote: "Make sure there are no NAT 0 access-list statements for the above IPs.", did you mean all the ones involved?

I do have a NAT 0 for the 10.1.1.0/24 subnet (defined as dmz):

nat (dmz) 0 access-list dmz_nat0_outbound

Is this what you mean?  If so, is there a way to work around it?

Re: NATing behind VPN device

I should have been more specific.

Make sure the nat 0 access-list for the 10.1.1.0/24 does not overlap with 10.1.3.x.

The idea is that you should not have a nat 0 access-list statement bypassing NAT for traffic between 10.1.1.0/24 and 10.1.3.x, so that the Policy NAT can kick in.

If you have a nat 0 access-list for the 10.1.1.0/24 when going to, let's say, 192.168.1.0/24, then this is not a problem.

Federico.
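
The overlap check described in the reply above can be run offline against a saved configuration. This is an added example, not part of the original thread: the two dmz_nat0_outbound entries are constructed (the thread never shows them), and the parser only handles plain `permit ip` entries with `any`, `host A` or `NET MASK` addresses, not object-groups.

```python
import ipaddress

# Constructed sample config (pre-8.3 ASA syntax, as used in the thread).
# The dmz_nat0_outbound entries are assumptions; the thread never shows them.
SAMPLE_CONFIG = """\
access-list dmz_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list 150 permit ip host 10.1.1.11 host 10.1.3.31
nat (dmz) 0 access-list dmz_nat0_outbound
"""

def take_addr(tokens):
    """Consume one ACL address spec: 'any', 'host A', or 'NET MASK'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse_ip_acls(config):
    """Map ACL name -> list of (line, src_net, dst_net) for 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        rest = [t for t in tok[2:] if t != "extended"]
        if rest[:2] != ["permit", "ip"]:
            continue
        rest = rest[2:]
        src = take_addr(rest)
        dst = take_addr(rest)
        acls.setdefault(tok[1], []).append((line, src, dst))
    return acls

def nat0_conflicts(config, src, dst):
    """Return nat 0 ACL lines that would exempt the src -> dst flow from NAT."""
    acls = parse_ip_acls(config)
    # Names of ACLs referenced by 'nat (<if>) 0 access-list <name>' statements.
    exempt = [l.split()[-1] for l in config.splitlines()
              if l.split()[:1] == ["nat"] and " 0 access-list " in l]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [line for name in exempt for line, sn, dn in acls.get(name, [])
            if s in sn and d in dn]
```

An empty result for `nat0_conflicts(config, "10.1.1.11", "10.1.3.31")` means no exemption entry covers the flow; any returned line is an entry that would bypass NAT for that traffic.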

Community Member

Re: NATing behind VPN device

I'm still not quite clear on what I need to do.

I was able to set up the access list

access-list 150 permit ip host 10.1.1.11 host 10.1.3.31

but when I tried to add the nat via

static (dmz,external) 10.1.2.21 access-list 150

I get:

INFO: overlap with existing static
  dmz:10.1.1.11 to external:10.1.1.11 netmask 255.255.255.255

Our server is in the dmz subnet and the customer is in the external subnet (we are using the external interface as the VPN device).

What am I doing wrong?

We are using the Cisco ASA 5520 if that helps.

Is this something I can try doing via ASDM? Unfortunately, when it comes to firewalls, I'm more comfortable with ASDM.

Re: NATing behind VPN device

Do you have this statement if you do "sh run static"?

static (dmz,external) 10.1.1.1 10.1.1.1

If so, why do you have that statement, do you need it?
If you don't, remove it and add the commands I gave you.

Federico.

Community Member

Re: NATing behind VPN device

Hello Federico,

I do have that statement:

static (dmz,external) 10.1.1.11 10.1.1.11 netmask 255.255.255.255

It looks like all of our hosts have similar statements.  I believe that is how ASA works - it does static NAT for all the hosts to pass traffic.  I could be wrong though.

Since that server has to serve other customers, I do not want to remove that static NAT because it will probably prevent it from serving other customers.

Anything else I can try?

Re: NATing behind VPN device

What is exactly the use of that server?

It seems that you need to access 10.1.1.11 from the external interface.

i.e.

If you need to access the server only on ports 80 and 25, you can do the following:

Remove the static and re-enter it like this:

static (dmz,external) tcp 10.1.1.11 80 10.1.1.11 80

static (dmz,external) tcp 10.1.1.11 25 10.1.1.11 25

And then, re-enter the Policy NAT for the VPN traffic.

In order to do this, please find out which services are being accessed on 10.1.1.11 to check if you can go with the above configuration.

Federico.

Community Member

Re: NATing behind VPN device

That server streams data to our customers (including the one who wants the NAT).

I tried removing the NAT statement, static (dmz,external) 10.1.1.11 10.1.1.11 netmask 255.255.255.255, via ASDM and it says:

"The operation you are trying to perform will result in some security rules being nullified. Please review your translation/security rules and try this operation again."

And it won't let me delete that NAT statement.
