topic Re: NAT in Network Security

NAT

bluesea2010 — Wed, 11 Aug 2021 21:39:49 GMT

Hi,

I want to do a static nat for 192.168.1.10 to 2.2.2.10 so that the traffic comes through the second ISP.

What need to be done on ASA side to achieve the above

load balancer is a third party appliance

Thanks

Re: NAT

balaji.bandi — Wed, 11 Aug 2021 23:09:54 GMT

Personally as per the diagram - I do not believe you can do that. ( do ASA have same IP address configured or are aware 2.2.2.10 ?)

Re: NAT

bluesea2010 — Fri, 13 Aug 2021 04:23:04 GMT

Hi,

there is reachability from ASA to the network 2.2.2.2

Thanks

Re: NAT

Ilkin — Sat, 14 Aug 2021 16:13:49 GMT

Technically speaking a static NAT for 192.168.1.10 to 2.2.2.10 is possible on ASA itself and it can translate to non-directly-connected IP addresses.

The upstream device, in this case, the load balancer (LB) should have the correct routing to 2.2.2.10. On LB, the next-hop for 2.2.2.10 should point to the ASA. In general, routing should also be correctly configured.

Re: NAT

balaji.bandi — Sat, 14 Aug 2021 19:50:40 GMT

Ok in that case you have routing in place, is the routed IP to ASA, then you can do static NAT since your diagram is not clear.

Re: NAT

Marius Gunnerud — Mon, 16 Aug 2021 20:54:39 GMT

All this really depends what subnet the 2.2.2.x network has on the loadbalancer. If the 2.2.2.10 falls within the existing 2.2.2.x subnet on the loadbalancer then you would need to do NAT on the loadbalancer. But if the 2.2.2.10 IP can be routed to the ASA, i.e. not directly connected to the loadbalancer, then this can be done on the ASA.

Re: NAT

bluesea2010 — Wed, 18 Aug 2021 03:43:33 GMT

Hi @Ilkin and @Marius Gunnerud

Thanks for the reply. If I do the proper routing can I do site to site VPN with a non-directly -connected ip address

Thanks

Re: NAT

bluesea2010 — Wed, 18 Aug 2021 17:06:50 GMT

Hi,

, If the 2.2.2.10 falls within the existing 2.2.2.x subnet on the loadbalancer then you would need to do NAT on the loadbalancer.

What if 2.2.2.10 is in the same subnet.

Can you explain the above.

2) If i2.2.2.10 is not directly connected to how can I peer wirh a remote site for site to site vpn

Thanks

Re: NAT

Marius Gunnerud — Wed, 18 Aug 2021 22:00:33 GMT

1) If the 2.2.2.x subnet (which includes 2.2.2.10) is located on the outside interface of the loadbalancer then this would be seen as being directly connected and the loadbalancer would not forward the traffic to any other destination. Therefore you would need to NAT 2.2.2.10 to the IP of the ASA for there to be connectivity.

2) If 2.2.2.10 is not directly connected to the ASA you would need to NAT 2.2.2.10 to the IP of the ASA. Make sure that NAT-traversal is enabled on the ASA (it should be enabled by default).

Re: NAT

bluesea2010 — Thu, 19 Aug 2021 01:58:45 GMT

Hi,

Regarding the site to site VPN,

1) I want to peer with ASA(2.2.2.11) and it is not directly connected, and there is no destination NAt for the device (I mean 2.2.2.11 is not NATed with any LAN Device) , is there a way to establish S2S VPN

2)2.2.2.11 Is NATed on Load Balancer To 1.1.1.1 (Which is the outside interface of the ASA), A remote site can peer with 2.2.2.11

Thanks a million

Re: NAT

Marius Gunnerud — Thu, 19 Aug 2021 03:53:36 GMT

1) you need to provide more information with regards to where the 2.2.2.11 subnet is located. Is this subnet a part of the loadbalancer outside interface? If yes, then you must do NAT on the loadbalancer. If it is not part of the loadbalancer outside interface, then you need to configure routing on the loadbalancer so that it sends traffic for 2.2.2.11 to the ASA. Regardless, you will be able to setup a S2S VPN. You just need to be sure that connectivity is there between the vpn devices.

2) yes, if there is NAT on the loadbalancer to 1.1.1.1 then you will be able to setup a S2S VPN between the ASA and a remote site.