New Member

no nat and pat statements

Hi, I have the following question:

I have an ASA 5520, and currently the box is primarily set up for a VPN remote access scenario. The IP addresses for the remote clients are, let's say, in the range 192.168.1.0/24, assigned by Radius.

I currently have a no nat configuration, because I don't need nat so far.

Now I would like to setup multiple vpn site to site connections on the same box, and I would like to hide each vpn tunnel "customer" behind a single IP, so in my understanding I would like to make PAT.

The "customerA" should hide behind 192.168.1.129/25, CustomerB behind 192.168.1.130/25, etc.

In my understanding I need a nat 0 statement for not nat'ing the remote vpn users, and a nat 1 entry for nat'ing the vpn tunnel customers and hiding them.

Could anyone please give me some help and an example with this nat/pat issue.

Thank you very much.

6 REPLIES
New Member

Re: no nat and pat statements

Any little hint is welcome!

Thanks

Hall of Fame Super Blue

Re: no nat and pat statements

Hi

1) Do you want to hide all customer source IP addresses behind 1 IP address when traffic comes from the customer to you,

OR

2) Do you want to present the customer network as 1 IP address to your internal clients.

Also, is there any reason you have taken IP addresses in your example from the same range as your client VPNs?

Jon

New Member

Re: no nat and pat statements

Hi Jon,

thanks for the answer.

I would like to present each customer network behind one IP address for the internal clients.

Yes. VPN clients should be in the first half of the /25 mask, site-to-site beginning with .129.

I have only one C class available, so I thought it might make sense to split.

Hall of Fame Super Blue

Re: no nat and pat statements

Hi

Okay, that might be a problem. If you wanted to translate all customer source IP addresses to one of your 192.168.1.x/25 addresses then this would be relatively easy.

But it sounds from your answer that you want to present the customer network to your VPN clients as one IP address. This assumes that the connection will be initiated FROM your VPN clients.

And this is the problem. Let's say for argument's sake that one of your customer networks is 172.16.5.0/24. Additionally, within that network your VPN clients want to initiate connections to 172.16.5.10, 11, 20 & 50.

Now you present the whole 172.16.5.0/24 network as 192.168.1.130. A VPN client wants to talk to 172.16.5.20 and so it sends a packet to 192.168.1.130. How does the firewall know which 172.16.5.x address the VPN client wants to talk to?

The answer is it doesn't. For each of the 172.16.5.x hosts within the customer network you would need to use a 192.168.1.x address to present it to your internal vpn clients.

Note that if the connections are always initiated from the customer network then you can hide all their IP addresses behind one of your 192.168.1.x addresses.

Hope I have understood correctly.

Jon

New Member

Re: no nat and pat statements

Let me try again to describe my problem:

I have VPN clients that will be assigned an IP address from the pool 192.168.1.1-126, and they should be able to access my corporate network without any NAT translation. So I assume I need a nat 0 statement.

Then I have site-to-site customers connected to my corporate network, and I would like to hide each separate customer behind a separate IP address from the pool 192.168.1.129-254.

In my understanding I need a PAT statement, that means an additional nat 1 entry.

Now I get confused with these two nat entries, nat 0 and nat 1, and I could not figure out how to do this.

The VPN clients usually will not talk to the customer site-to-site VPN.

I have the net A that should not be translated, and I have IP addresses from pool B that should hide the customer networks, so that the source IP gets hidden behind a NATed IP.

Thanks for your support so far Jon.

Hall of Fame Super Blue

Re: no nat and pat statements

Hi

If you want to hide the source IP addresses of customer networks:

Let's say the customer network is 172.16.5.0/24 and it arrives on the outside interface. Customer IP addresses should be hidden behind 192.168.1.130.

nat (outside) 2 172.16.5.0 255.255.255.0 outside

global (inside) 2 192.168.1.130

This will change the source IP addresses of 172.16.5.x to appear to be from 192.168.1.130. This will only work if the traffic is initiated from the customer site.

I hope this makes sense

Jon
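As an added example, not code from the original thread, here is a small Python helper that does the bookkeeping the two halves of the 192.168.1.0/24 imply: it assigns each customer one hide address from the upper /25 (.129, .130, ...), refuses customer networks that collide with either pool, and renders the pre-8.3 ASA nat/global lines from Jon's reply together with the nat 0 exemption the poster asked about. The corporate network 10.10.0.0/16 and the two customer networks are assumed sample values.

```python
import ipaddress

# Constructed sample values: the two /25 halves come from the thread; the
# corporate LAN and the customer networks are assumptions, not from the post.
VPN_POOL = ipaddress.ip_network("192.168.1.0/25")    # remote-access clients, nat 0
PAT_POOL = ipaddress.ip_network("192.168.1.128/25")  # one hide address per customer
CORP_NET = ipaddress.ip_network("10.10.0.0/16")      # assumed corporate LAN
CUSTOMERS = {"customerA": "172.16.5.0/24", "customerB": "172.16.6.0/24"}


def plan_pat(customers, pat_pool=PAT_POOL, vpn_pool=VPN_POOL):
    """Give each customer network one hide address from pat_pool.

    Returns a list of (name, network, hide_ip, nat_id). nat id 0 is the
    exemption and id 1 is conventionally the inside PAT, so customers start at 2.
    """
    hosts = pat_pool.hosts()  # 192.168.1.129 ... 192.168.1.254
    plan = []
    for nat_id, (name, net) in enumerate(sorted(customers.items()), start=2):
        net = ipaddress.ip_network(net)
        # A customer range overlapping either half of the /24 would make the
        # hide address or the VPN pool ambiguous on the inside.
        if net.overlaps(vpn_pool) or net.overlaps(pat_pool):
            raise ValueError(f"{name}: {net} collides with the 192.168.1.0/24 pools")
        try:
            hide_ip = next(hosts)
        except StopIteration:
            raise ValueError("PAT pool exhausted: a /25 holds 126 hide addresses") from None
        plan.append((name, net, hide_ip, nat_id))
    return plan


def render_config(plan, corp_net=CORP_NET, vpn_pool=VPN_POOL):
    """Emit pre-8.3 ASA lines: nat 0 exemption plus outside NAT per customer."""
    lines = [
        # Exempt inside -> VPN clients from translation (the poster's "nat 0").
        # The /25 mask keeps the customer hide addresses out of the exemption.
        f"access-list NONAT extended permit ip {corp_net.network_address} "
        f"{corp_net.netmask} {vpn_pool.network_address} {vpn_pool.netmask}",
        "nat (inside) 0 access-list NONAT",
    ]
    for name, net, hide_ip, nat_id in plan:
        # Outside NAT as in Jon's reply: only works for customer-initiated traffic.
        lines.append(f"! {name}: sources {net} appear on inside as {hide_ip}")
        lines.append(f"nat (outside) {nat_id} {net.network_address} {net.netmask} outside")
        lines.append(f"global (inside) {nat_id} {hide_ip}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_config(plan_pat(CUSTOMERS)))
```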
