Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1293
Views
10
Helpful
10
Replies

VPN NAT Issue

Go to solution
JohnTylerPearce
Level 7
Level 7

‎08-23-2012 12:42 PM

I have been informed by an outside vendor they need me to setup a site-to-site VPN on our ASA 5510/8.4.

I configured the site-to-site IPsec VPN, but they have a weird requirement. For some reason, they want me

to nat the Server in question to 172.19.10.1/29, which already as a PAT to the outside. So, I would have

to create a policy NAT that says if 192.168.225.10 needs to access 172.29.0.0/29 then NAT to 172.29.10.1.

My only concern is, the only connections on the ASA is the outside interface which goes to the WAN, and an

internal interface which goes to a switch. There is no interface that has 172.29.10.0/29 this network associated to it.

I thought you could only NAT to an interface which has an address mapped to it.                  

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP
In response to JohnTylerPearce

‎08-24-2012 03:50 AM

The router connected to the ASA will never see that IP as it is inside the VPN-tunnel. Only your IPSec-peer sees that and he hopefully knows what to do with that address if he requested that NAT.

Your NAT needs to be changed if the remote-Network is HCAS:

nat (inside,outside) source static FSU HCASNAT destination static HCAS HCAS

EDIT: This rule has to be placed before your general NAT-statement as the ASA processes the NAT-rules top-down.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

0 Helpful
10 Replies 10

Go to solution
Karsten Iwen
VIP
VIP

‎08-23-2012 11:27 PM

You can NAT your address to any IP that you want. The translated address doesn't have to be of any range local to the ASA. Only the routing has to be adjusted for that address.

Thats quite common, think of the following example: You already have the network 192.0.2.16/28 from your provider. Now you request an additional IP block bedause you need more addresses. The ISP assignes you the network 203.0.113.0/25 and routes that to your ASA. These addresses can now be used for NAT but are not configured on any of your interfaces.

Sent from Cisco Technical Support iPad App

0 Helpful

Go to solution
JohnTylerPearce
Level 7
Level 7
In response to Karsten Iwen

‎08-24-2012 03:37 AM

I understand what you're saying and agree 100%. But if I have an ASA with only an Outside and Inside interface only in use. Outside has 74.254.111.0/28 and inside is 192.168.225.0/24. For me to do a policy NAT so that instead of this specific server 192.168.225.12 being PAT'd to the outside interface, it's also Policy NATd to 172.29.10.1/32. The router connected to the ASA will not have the network 172.29.10.0/28 assigned to it.

75.254.111.0/28(Outside)<--->ASA<--->(Inside)192.168.225.0/24

192.168.225.12 is PATd to the Outside interface.

I would need to Policy Nat 192.168.225.12 to 172.29.10.1 as well.

I'm assuming with ASA 8.4+ code wouldl work like this.

object network FSU
host 192.168.225.12
object network HCAS
network 172.29.0.0/26
object network HCASNAT
host 172.29.10.1

net (inside,outside) source static FSU HCAS destination static HCASNAT HCASNAT

Therefore, if FSU needs to access HCAS then it will be NATd to the HCASNAT.

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to JohnTylerPearce

‎08-24-2012 03:50 AM

The router connected to the ASA will never see that IP as it is inside the VPN-tunnel. Only your IPSec-peer sees that and he hopefully knows what to do with that address if he requested that NAT.

Your NAT needs to be changed if the remote-Network is HCAS:

nat (inside,outside) source static FSU HCASNAT destination static HCAS HCAS

EDIT: This rule has to be placed before your general NAT-statement as the ASA processes the NAT-rules top-down.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Go to solution
JohnTylerPearce
Level 7
Level 7
In response to Karsten Iwen

‎08-24-2012 06:29 AM

Thanks for your help Karsten. The information you have provided has been extremely helpful. It will be rated as a 5 star when I'm not too busy.

From looking at the below NAT.

nat (inside,outside) source static FSU HCASNAT destination static HCAS HCAS

I'm assuming this means NAT FSU(192.168.225.12) to HCASNAT(172.29.10.1) when destination is HCAS(172.29.0.0/26) HCAS(172.29.0.0/26)

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to JohnTylerPearce

‎08-24-2012 08:18 AM

>>It will be rated as a 5 star when I'm not too busy.

I appreciate that ...

>>nat (inside,outside) source static FSU HCASNAT destination static HCAS HCAS

>>I'm assuming this means NAT FSU(192.168.225.12) to HCASNAT(172.29.10.1) when destination is HCAS(172.29.0.0/26) HCAS(172.29.0.0/26)

Yes, in "Twice-NAT" you specify the source and destination of your communication (first and third object) and to which addresses these are NATted (second and forth object). The destinations are the same as these should not be translated.

Sent from Cisco Technical Support iPad App

Go to solution
JohnTylerPearce
Level 7
Level 7
In response to Karsten Iwen

‎08-24-2012 09:22 AM

One more question if you don't mind. Do you have any idea about the order of operations with NAT?

Because I already have a static PAT for 192.168.225.12 > 74.254.111.1

So if I setup a policy NAT, would it work just like that, or what I need to change some things?

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to JohnTylerPearce

‎08-24-2012 09:43 AM

The new NAT-rule has to be placed before the existing PAT-rule. When you issue a "show nat" then you see sequence-numbers in front of the rules. These numbers correspond to the order in the three NAT-sections:

1) Twice-NAT (or manual NAT): the global "nat"-commands

2) Auto-NAT: The "nat"-commands inside of network-objects

3) Twice-NAT again.

Depending of the way you configured your PAT (inside an object or with a global NAT-statement) just make sure the new one is before the PAT. For that use the "correct" sequence-number:

asa2(config)# nat (inside,outside) ?

configure mode commands/options:

  <1-2147483647>  Position of NAT rule within before auto section

  after-auto      Insert NAT rule after auto section

  source          Source NAT parameters

asa2(config)# nat (inside,outside)

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Go to solution
JohnTylerPearce
Level 7
Level 7
In response to Karsten Iwen

‎08-24-2012 09:55 AM

So if I have lets say 10 static nat rules. And I created a new nat entry and did

nat (inside,outside) 1

It will be 1 and everything below will go down one so to speak.

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to JohnTylerPearce

‎08-24-2012 10:04 AM

yes, so if you want to have your new rule on position 1 then the command would be:

nat (inside,outside) 1 source static FSU HCASNAT destination static HCAS HCAS

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Go to solution
JohnTylerPearce
Level 7
Level 7
In response to Karsten Iwen

‎08-24-2012 01:56 PM

Thanks for all the help Karsten. I learned a lot!

Everything worked perfectly.

0 Helpful
Customers Also Viewed These Support Documents