01-05-2012 01:58 PM
I have two sites which both have a VPN tunnel connected.
I would like Site B to route all internet traffic through Site A's internet connection, i.e. the ASA in Site A will have to NAT the packets which come from the VPN tunnel of Site B.
I'm sure this is possible, but how would the NAT statement look, as the traffic would come in on the outside interface and then be routed out of the outside interface?
Thanks
01-05-2012 08:29 PM
Site B should have a crypto ACL: source Site B subnet, destination any.
Site A should have a crypto ACL: source any, destination Site B subnet.
Then NAT on ASA A for the Site B subnet to go out.
01-06-2012 11:31 AM
Is this classed as hairpinning?
I didn't think you could route and/or NAT traffic coming in and going out of the same interface?
01-06-2012 11:46 AM
Yes, it is a "hairpinning" application. Please see this nice blog post for lots more details. A briefer post talking about this exact application is here.
You will also need to use the command:
same-security-traffic permit intra-interface
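The two answers above combined into one working configuration, added here as an illustration (it is not any poster's or Cisco's own config): Site B sends everything into the tunnel, and Site A hairpins the decrypted traffic back out of its outside interface behind the interface PAT. The addressing is constructed for the example (Site A LAN 192.168.10.0/24 and outside 203.0.113.1, Site B LAN 192.168.20.0/24 and outside 198.51.100.1, documentation ranges for the public side), the ACL and crypto map names are arbitrary, and the syntax is the pre-8.3 nat/global/nat 0 form this thread uses.

```cisco
! ===== Site A ASA (pre-8.3 NAT syntax) =====
! Constructed addressing for this example:
!   Site A LAN 192.168.10.0/24, outside 203.0.113.1, ISP gateway 203.0.113.254
!   Site B LAN 192.168.20.0/24, outside 198.51.100.1, ISP gateway 198.51.100.254
!
! Allow a packet that arrived on "outside" to leave on "outside" (hairpin)
same-security-traffic permit intra-interface
!
! Crypto ACL: anything bound for the Site B LAN goes into the tunnel
access-list VPN-TO-B extended permit ip any 192.168.20.0 255.255.255.0
!
! Site A LAN to Site B LAN stays untranslated inside the tunnel
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Local LAN PAT to the Internet
nat (inside) 1 0.0.0.0 0.0.0.0
! Site B LAN arrives decrypted on "outside" and is PAT'd to the outside
! address on its way back out of "outside": this is the NAT the second
! post refers to
nat (outside) 1 192.168.20.0 255.255.255.0
global (outside) 1 interface
!
! IKEv1 / IPsec LAN-to-LAN
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-B
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-STRONG-PSK
route outside 0.0.0.0 0.0.0.0 203.0.113.254

! ===== Site B ASA =====
! Crypto ACL mirrors Site A: Site B LAN to anywhere is interesting traffic
access-list VPN-TO-A extended permit ip 192.168.20.0 255.255.255.0 any
! Nothing from the LAN is translated locally; Site A does the Internet PAT
access-list NONAT extended permit ip 192.168.20.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-A
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-STRONG-PSK
! The default route still points at the local ISP so the ESP packets can leave
route outside 0.0.0.0 0.0.0.0 198.51.100.254
```

To check it, browse from a Site B host and run `show crypto ipsec sa` on either ASA (encaps/decaps counters rising) and `show xlate` on Site A, which should list 192.168.20.x addresses mapped to 203.0.113.1. Two caveats: the hairpin relies on decrypted tunnel traffic bypassing the outside ACL, which is the default (`sysopt connection permit-vpn`); if that has been turned off, the outside ACL must permit 192.168.20.0/24. And all of Site B's web traffic now leaves with Site A's public address, so Site A's egress filtering and logging are what apply to it.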
01-06-2012 02:41 PM
Thanks.
Quick question,
Is it possible to NAT traffic which is sent from the VPN tunnel to a different address as it leaves the source site?
E.g.
My LAN is on 192.168.1.0/24, but when the VPN packets go over the VPN link I want them to be seen as a source of 192.168.200.0/24.
But when they go over the internet, to have a source of 192.168.1.0/24?
Thanks.
01-06-2012 02:49 PM
The answer in general is "yes".
The answer to your specific example is "no" - at least for the bit about how you want them to be seen on the Internet.
192.168.1.0/24 is a private (RFC 1918) netblock and will not be routed on the Internet as-is. Traffic on the Internet must have publicly routable addresses. Typically this is an address (or range of addresses) allocated to you by your ISP (or assigned directly to your company by one of the Regional Internet Registrars if you are big enough to qualify for a provider-independent network).
As far as how they are seen at the peer site within your company, yes - you can translate them into any address you want internally.
01-06-2012 02:54 PM
Hi Marvin,
Sorry what I meant was...
Is it possible to NAT traffic which is sent from the VPN tunnel to a different address as it leaves the source site?
E.g.
My LAN is on 192.168.1.0/24, but when the VPN packets go over the VPN link I want them to be seen as a source of 192.168.200.0/24.
But when they go over the internet, to have a source of 192.168.1.0/24, which then has PAT to the outside public IP address?
Thanks.
Would I need a static command?
Does the static command take precedence over a global NAT statement?
Thanks
01-06-2012 03:33 PM
OK, I think I understand what you want.
Site A = 192.168.1.0/24 has a site-site VPN to site B. All traffic from A-B you want to have 1-1 NAT to map it to 192.168.200.0/24.
Traffic from A to public Internet you want to go over that same A-B VPN tunnel but hairpin at Site B and leave on Site B's Internet connection using the Site B standard PAT public IP. You want the XLATE table in site B's ASA to show a particular flow as being mapped back to the site A 192.168.1.0/24.
Correct?
I think this should work, but am a bit far out along this logic branch.
You want an implementation of what's known as policy NAT at the Site B end of your VPN tunnel. Basically: "if the destination is at Site B, NAT one way; if the destination is on the public Internet, NAT another way."
Have a look at this CSC document or consult the Google for other examples of policy NAT.
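One way to express the "NAT one way toward the peer, another way toward the Internet" idea on the Site A ASA in pre-8.3 syntax, added here as an illustration (not Marvin's or Cisco's own config). It uses the LAN 192.168.1.0/24 and the mapped 192.168.200.0/24 from the question; the Site B LAN 192.168.50.0/24 and the ACL and crypto map names are constructed. In this example Internet-bound traffic is PAT'd locally at Site A rather than sent over the tunnel.

```cisco
! ===== Site A ASA: policy NAT (pre-8.3 syntax) =====
! Constructed for this example: Site B LAN 192.168.50.0/24
!
! 1) Destination Site B: translate 192.168.1.x 1:1 into 192.168.200.x.
!    The ACL selects which flows receive this translation (policy static NAT);
!    the mapped address is the network address, the mask comes from the ACL.
access-list VPN-POLICY-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
static (inside,outside) 192.168.200.0 access-list VPN-POLICY-NAT
!
! 2) Destination anything else: ordinary PAT behind the outside interface
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! 3) The crypto ACL is evaluated after NAT, so it must match the mapped
!    192.168.200.0/24, not the real 192.168.1.0/24
access-list VPN-TO-B extended permit ip 192.168.200.0 255.255.255.0 192.168.50.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-TO-B
!
! Site B's mirror-image crypto ACL (and any "nat 0" there) must likewise
! refer to 192.168.200.0/24; Site B never sees 192.168.1.0/24:
!   access-list VPN-TO-A extended permit ip 192.168.50.0 255.255.255.0 192.168.200.0 255.255.255.0
```

On pre-8.3 code the translation rules are matched in a fixed order: NAT exemption (`nat 0 access-list`) first, then static NAT (regular and policy), then dynamic `nat`/`global`. So the static entry above takes effect for Site B flows ahead of `nat (inside) 1`, which answers the precedence question, and a `nat (inside) 0 access-list` covering 192.168.1.0/24 toward Site B would win over the static and silently defeat the 1:1 mapping. `show xlate` after pinging a Site B host should show the 192.168.1.x to 192.168.200.x entries.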
01-06-2012 03:39 PM
Thanks,
I don't know about the xlate, as I have not used it before.
But both LANs are on the same subnet, therefore they cannot communicate, but I can add a static command which translates the addresses so both can ping using a static NAT.
But I would also like all internet traffic from a certain host on Site B to access the internet from Site A, and all other hosts from Site B to access the internet via the local public interface. I will try what you've said and let you know.
Thanks
01-14-2012 10:56 PM
Hi,
Referring to my first question.
I understand the crypto map and NAT outside statements:
Site B should have a crypto ACL: source Site B subnet, destination any.
Site A should have a crypto ACL: source any, destination Site B subnet.
Then NAT on ASA A for the Site B subnet to go out:
(outside, outside) 1 Site B internal LAN address
But would I need to NAT 0 any traffic? I guess on Site B I would have to NAT-exempt the internet traffic going through the tunnel, but how about on Site A? As there is a static NAT, would I need to NAT-exempt traffic from source internet and destination Site B, i.e. have both NAT exempt and static?
If I did, which nat 0 would I use: source internet, destination Site B, or would it be source outside interface IP address, destination Site B, as the packets are NATted by the outside interface on Site A?
Thank you.
01-15-2012 11:40 AM
OK,
I worked it out.
I was wondering, what is the benefit if I put the nonat statement in Site A? I can access the internet with the nonat command in or taken off. How come it still works with the nonat command taken off?
Thanks