topic NAT from one VPN tunnel through 5510 over another VPN tunnel in Network Security

NAT from one VPN tunnel through 5510 over another VPN tunnel

kerryjcox — Tue, 12 Mar 2019 05:14:41 GMT

So, I have been presented with an interesting challenge. I would prefer using an internal Linux host to solve this, but my manager is convinced the ASA can do this. Hope this is the correct group. This is a NAT and routing question.

We have two VPN tunnels. One goes to Company X and connects to our internal network. Let's call the internal network 10.10.5.0 /24. That internal network can connect over the VPN tunnel to Company X, allowing only a single IP address in a /30 subnet on the inside of Company X that we can connect to (10.109.1.253). The kicker is that Company X will only allow a single VPN tunnel from our company.

The 2nd tunnel is coming from our Cloud provider (Company Y) and also connects internally and can reach IP addresses on the 10.10.5.0 /24 subnet.

Question is, can I set up a NAT on the ASA 5510 (9.1(3)) to allow translation from hosts coming from Company Y over their tunnel, say subnet 10.120.136.0 /24 to hit an internal IP here, say 10.10.5.145 and have that NAT to a destination IP on the Company X site or to the 10.109.1.253?

Or should I simply route requests coming from Company Y (10.120.136.0 /24 ) to the /30 subnet at Company X (10.109.1.253 /30) using a NAT'ed internal IP address, say 10.10.5.145?

Or would the best solution simply have users in 10.120.136.0 (Company Y) hit a Linux box at 10.10.5.145 (our internal network), and the ip forward all requests to 10.109.1.253 (the pingable host at Company X)?

Thoughts?

You can easily solve that

Karsten Iwen — Thu, 18 Dec 2014 17:52:26 GMT

You can easily solve that with

same-security-traffic permit intra-interface
policy-nat for (outside,outside)

Karsten,Thanks much for the

kerryjcox — Thu, 18 Dec 2014 20:44:22 GMT

Karsten,

Thanks much for the response. I have the option "same-security-traffic permit intra-interface" already enabled.

I guess I am being daft about the policy NAT. Looking over the link I am not seeing a clear example of how to configure this. Would you be willing to provide one?

Much thanks in advance.

I think I found an example

kerryjcox — Thu, 18 Dec 2014 21:12:10 GMT

I think I found an example that may work for my situation. Thanks.

Will give it a shot.

---

no such luck.

any examples would be appreciated on how to translate incoming IP addresses from the 10.120.139.0 /24 subnet to an internal 10.10.5.145 IP and have them them route or NAT over to the 10.109.1.253 /32 IP, so everything on the 10.109.1.253 address will see all traffic originating from 10.120.139.0 /24 as really coming from 10.10.5.145?

Thanks.

Tried the following but with

kerryjcox — Thu, 18 Dec 2014 21:48:33 GMT

Tried the following but with no luck. From the IP of 10.120.139.12, I cannot ping 10.10.5.145 which should NAT over to the other VPN IP of 10.109.1.253.

I am certain I am just missing something:

object network COMPANY_A

subnet 10.120.139.0 255.255.255.0

object network COMPANY_B

host 10.109.1.253

object network INSIDE_MAP

host 10.10.5.145

nat (outside,outside) source dynamic COMPANY_A INSIDE_MAP destination static COMPANY_B COMPANY_B

Based on above link, I am open to suggestions.

same-security-traffic permit intra-interface is already enabled.

The nat-rule looks fine, but

Karsten Iwen — Thu, 18 Dec 2014 21:59:21 GMT

The nat-rule looks fine, but is it in the right order? It's very likely that it has to be above other rules in NAT-section1.