topic Hi in Network Security

NAT for IPSec S2S Tunnel after using AnyConnect RA SSL VPN

rjadhav163 — Tue, 12 Mar 2019 07:58:01 GMT

Hello all,

so here is a complicated thing that I need to implement and need your help with NAT Commands:

I have implemented RA AnyConnect VPN. My employees connect to my ASA with anyconnect and get the IP from:

net_anyconnect_pool : 10.1.1.0/24

My inside network is: net_inside_all : 10.37.0.0/24

I have a Business Partner (lets call it BP) with whom my Firewall builds an IPSec S2S VPN. Now the condition of my BP is that while connecting to its S2S Tunnel, my Source IP Address must be from the network local_s2s_net: 10.41.41.0/29 , i.e. in other words my BP will enter only 10.41.41.0/29 as remote networks on his firewall.

So I need to use Source NAT to translate my :

net_inside_all : 10.37.0.0/24 and my vpn pool net_anyconnect_pool : 10.1.1.0/24

local_s2s_net: 10.41.41.0/29 when accessing BP's networks.(NOTE here that source addr given to me by BP is a /29 net)

BP's local networks for me i.e. my S2S VPN remote networks are: s2s_remote_net : 10.51.0.0/24, 10.52.0.0/24, 10.53.0.0/24

So is the following NAT config correct? (note: no need of internet access to anyone)

Is Static Twice NAT the right way to go?

nat (inside,outside) source static net_inside_all net_inside_all destination static net_anyconnect_pool net_anyconnect_pool no-proxy-arp

nat (inside,outside) source static net_inside_all local_s2s_net destination static s2s_remote_net s2s_remote_net no-proxy-arp

nat (outside,outside) source static net_anyconnect_pool net_anyconnect_pool destination static s2s_remote_net s2s_remote_net no-proxy-arp

Thanks and Regards,

Hi

Francesco Molino — Wed, 29 Jun 2016 15:00:54 GMT

You need to use dynamic nat + pat.

You can mix a dynamic NAT + PAT. I'll copy the Cisco doc link instead of retyping all commands:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_objects.html

I've never tested it in a L2L vpn but it should work.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue

Hi

rjadhav163 — Thu, 30 Jun 2016 05:16:19 GMT

thanks for the reply. Additional question:

will the configuration that i wrote above not work at all? I mean the mapped subnet is /29, so lets say for first 6 users it should work right?

Thanks and Regards,

Hi

Francesco Molino — Thu, 30 Jun 2016 11:10:40 GMT

It should not works but never tried.

I can test it tonight and let you know.

Thanks

Hi,

Jouni Forss — Thu, 30 Jun 2016 13:18:01 GMT

Hi,

So essentially you need to configure NAT so that both your VPN Client users and LAN users need to be visible from the same /29 sized subnet allocated to you by the remote end admin of the L2L VPN Connection?

In the past I have used the following type of configurations

object network BP-NAT-POOL
range 10.41.41.1 10.41.41.5

object network BP-PAT
host 10.41.41.6

object-group network BP-NAT+PAT
network-object object BP-NAT-POOL
network-object object BP-PAT

object-group network BP-L2LVPN-SOURCE
network-object 10.37.0.0 255.255.255.0
network-object 10.1.1.0 255.255.255.0

object-group network BP-L2LVPN-DESTINATION
network-object 10.51.0.0 255.255.255.0
network-object 10.52.0.0 255.255.255.0
network-object 10.53.0.0 255.255.255.0

nat (any,outside) source dynamic BP-L2LVPN-SOURCE BP-NAT+PAT destination static BP-L2LVPN-DESTINATION BP-L2LVPN-DESTINATION

The above configurations essentially define an "object-group" that will contain a NAT Pool and PAT address that are defined inside an "object". The "object-group" will then be used as the translated source of the "nat" configurations. The source addresses for the Dynamic Policy NAT/PAT will be defined under their own "object-group" and this will also be used in the "nat" configurations. All the destination subnets of the L2L VPN connection will be configured under their own "object-group" and this again will be used in the "nat" configurations. Last but not least you will see that I defined the source interface of the "nat" command as "any" this essentially matches incoming traffic from any interface and the source address "object-group" that we defined will tell the ASA which source subnets will match this NAT configuration. So for the LAN and VPN users you will have a single "nat" configurations.

Above you have also listed a "nat" configurations that seems to be the NAT0 / Identity NAT for your LAN towards the VPN users? This seems correct to me though its not really related to the connectivity between VPN/LAN to the so called BP subnets.

As always I would suggest making sure that the above configurations does not in any way conflict with any existing configurations you might have. Though it should only apply when the destination is the mentioned 3 subnets and the source is one of the 2 mentioned subnets.

EDIT: Also one more thing. If so far you HAVE NOT HAD any connections from VPN users (behind outside) towards Internet (behind outside) then you will have to make sure that another configuration on the ASA does not prevent this connectivity. For the ASA to pass traffic that originated from the same interface that it goes out on (outside or any other) you will need to have this configurations present on the ASA

same-security-interface permit intra-interface

To check the current configurations use the command

show run same-security-interface

Hope this helps

You can take a look at a old NAT 8.3+ document I made in 2013 if you want to get to know some of the CLI format of the new NAT. Sadly I have not updated it after the original date so it does not contain all the examples that it could.

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

- Jouni

Thanks Jouni. It worked

rjadhav163 — Fri, 01 Jul 2016 09:01:43 GMT

Thanks Jouni. It worked perfectly well.

Thanks supportlan. Your idea

rjadhav163 — Fri, 01 Jul 2016 09:02:29 GMT

Thanks supportlan. Your idea of Dynamic NAT + PAT worked perfectly well.