topic Hi, Ok that again clears some in Network Security

Hide NAT

saroj pradhan — Tue, 12 Mar 2019 04:27:31 GMT

Hi,

can some one guide me to configure Hide NAT on the Cisco ASA 5510 Firewall. i am using the ASA in my network.The users at inside interface traffic need to go to the DMZ interface and access the remote three servers through s2s vpn .The VPN device connected between the Internet Router and ASA DMZ.

Please advice,

Saroj

Duplicate post. Go here:

Leo Laohoo — Fri, 11 Jul 2014 05:37:17 GMT

Duplicate post.

Go here: https://supportforums.cisco.com/discussion/12252981/hide-nat

I need command to

saroj pradhan — Fri, 11 Jul 2014 05:45:50 GMT

I need command to configure it either through ASDM or CLI.

Regards,

Saroj

Hi, I think we need a bit

Jouni Forss — Fri, 11 Jul 2014 06:20:56 GMT

Hi,

I think we need a bit more information to confirm what the actual situation is.

If I understood correctly you have a VPN device behind the DMZ interface of the ASA that has the L2L VPN connection behind which the resources you need are.

It also seems that you would be needing a NAT configuration that does a translation for "inside" -> "dmz" traffic ONLY when the traffic is destined to the remote network behind the L2L VPN connection?

In that case you would probably use a Dynamic Policy PAT type of configuration.

Can you confirm the above information? Naturally if you can provide some current configurations OR tell us the network/IP information related to the required NAT and how its supposed to work. Also an important information would be what software version your ASA is running as the NAT configuration format might be completely different depending on the software you are running (8.2 and below vs. 8.3 and above have totally different NAT configuration format)

- Jouni

please find the details. i

saroj pradhan — Fri, 11 Jul 2014 07:06:46 GMT

please find the details.

i have one internet router. Behind it the ASA Firewall is connected then the L3 Switch.

the VPN Device is public interface is connected to Internet Router and private Interface is connected to the ASA Firewall DMZ. for connecting ASA and the vpn Router using /29 space of private ip address .the users of one VLAN Traffic need to access the remote servers through the

VPN device .for example users subnet is 172.16.58.0/24 need to access the server ip address 209.196.208.52 through the vpn device.

Also i am going the enclosed the viso of the network in pdf form for better understanding.

regards,

saroj

Your query is quite confusing

nkarthikeyan — Fri, 11 Jul 2014 07:09:36 GMT

Your query is quite confusing.

1) You want to access the servers that are in DMZ zone from inside LAN?

2) Also you want to access some servers that are in remote site through site to site VPN?

3) what do you mean by VPN device connected between ASA DMZ and Internet?

Regards

Karthik

Hi, Ok, that clarifies things

Jouni Forss — Fri, 11 Jul 2014 07:20:41 GMT

Hi,

Ok, that clarifies things a bit but I am still wondering what is the NAT IP address you want to use? What is the IP address with which the users connections should be visible to the remote server?

Also you did not mention the ASAs software level which we need to know for the correct NAT configuration format.

To give you example of both configuration formats then they could be the following

Software 8.2 and below

access-list VPN-POLICYPAT remark Policy NAT for L2L VPN
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 host 209.196.208.52

global (dmz) 200 interface

global (dmz) 200 <NAT ip address>

nat (inside) 200 access-list VPN-POLICYPAT

Software 8.3 and above

object network SMX-LAN
subnet 172.16.58.0 255.255.255.0

object network REMOTE-SERVER
host 209.196.208.52

nat (inside,dmz) source dynamic SMX-LAN interface destination static REMOTE-SERVER REMOTE-SERVER

The above configuration uses the "interface" parameter to define that the "dmz" interface IP address is used as the PAT address. (in the same way that the above older format configuration uses the "interface" parameter)

If you wanted to use a separate NAT IP address (other than the "dmz" interface IP address) then you would need one additional "object" configuration and a bit different "nat" configuration

object network SMX-LAN
subnet 172.16.58.0 255.255.255.0

object network REMOTE-SERVER
host 209.196.208.52

object network NAT-IP
host x.x.x.x

nat (inside,dmz) source dynamic SMX-LAN NAT-IP destination static REMOTE-SERVER REMOTE-SERVER

Keep in mind that in both of the cases (with both levels of software) the required configuration depends on how your firewall is currently configured. There might be other NAT configurations that affect these configurations and would therefore override their operation.

Hope this helps 🙂

- Jouni

so you want the inside LAN

nkarthikeyan — Fri, 11 Jul 2014 07:21:49 GMT

so you want the inside LAN users to access the servers in SxM network through the DMZ interface of ASA to the VPN router to go out instead of going out through outside interface.

Your requirement: Inside LAN (inside)-ASA-(DMZ)---VPN Router---Internet Router----SXM Network

Please correct me if am wrong

Regards

Karthik

you are right sir. Their

saroj pradhan — Fri, 11 Jul 2014 07:36:31 GMT

you are right sir. Their internet traffic will go through Outside interface which is working fine . But the users access of sxm network will go through DMZ.

Regards,

Saroj

Please find the ASA Version

saroj pradhan — Fri, 11 Jul 2014 07:55:32 GMT

Please find the ASA Version details.

Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

when i run the subnet command get error.

object network SMX-LAN
subnet 172.16.58.0 255.255.255.0

Netlink-MDP-ASA(config-network)# sub
Netlink-MDP-ASA(config-network)# ?

description     Specify description text
group-object    Configure an object group as an object
help            Help for network object-group configuration commands
network-object Configure a network object
no              Remove an object or description from object-group

please advice.

Saroj

please find the ASA Verson.

saroj pradhan — Fri, 11 Jul 2014 08:03:38 GMT

please find the ASA Verson.

Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

and the ip address details like

source ip address 172.16.58.0 /24 destination translated ip address 209.196.208.52 translated source 172.31.82.0/23 translated destination 172.31.82.0/23

need the command details for ASA version 8.2 support.

Regards,

Saroj

Hi Saroj,Then i guess you

nkarthikeyan — Fri, 11 Jul 2014 08:32:38 GMT

Hi Saroj,

Then i guess you should have the proper access-list and routing that needs to be done on the ASA....

you need to route the traffic that is destined via DMZ thru VPN and required NAT/No-NAT to allow the traffic via DMZ.....

I guess the public ip NATing will be done on your VPN server.

Regards

Karthik

Karthik, the Routing is

saroj pradhan — Fri, 11 Jul 2014 08:39:22 GMT

Karthik,

the Routing is already done .Need the NAT Part to complete.

please advice.

Regards,

Saroj

answer of 1:--there is no

saroj pradhan — Fri, 11 Jul 2014 08:52:18 GMT

answer of 1:--there is no servers in DMZ.

naswer of 2: Inside LAN (inside)-ASA-(DMZ)---VPN Router---Internet Router----SXM Network

answer of 3 : s2s vpn is configured on a Router connected between ASA and Internet Router.

Regards,

Saroj

Hi,You can't use the other

Jouni Forss — Fri, 11 Jul 2014 09:02:06 GMT

Hi,

You can't use the other configuration that I listed as you are not running ASA software 8.3 or a newer version. The "object network" doesnt exist in 8.2 software and if you use it the ASA will regocnize it as "object-group network" command. That is why you are not able to configure it and the required parameters under it.

Again the above IP information is confusing. You are talking about a network 172.16.82.0/23 as both the source and destination? Which one is it?

From what I understood before the information would be this

source ip/network = 172.16.58.0/24
source networks NAT IP = ?
destination ip/network = 209.196.208.52/32

You first time mention the network 172.31.82.0/24 and I dont know what it is. Pleasey clarify the purpose/role of each IP address/network mentioned.

- Jouni

please find the detailsInside

saroj pradhan — Fri, 11 Jul 2014 09:19:12 GMT

please find the details

Inside LAN (inside) 172.16.58.0/24----ASA-(DMZ) private(172.16.59.0/29) ---VPN Router -- 122.168.191.232/29---Internet Router----SXM Network(172.31.82.0/23) and 209.196.208 and 52,209.196.208.10

Regards,

Saroj

Hi, Ok that again clears some

Jouni Forss — Fri, 11 Jul 2014 09:58:59 GMT

Hi,

Ok that again clears some things up but you have not mentioned the IP address that you want us to use as the NAT IP address. Or if you want to NAT the whole LAN network 172.16.58.0/24 to some other NAT network perhaps?

Or perhaps you are meaning something else with the Hide NAT? I would presume you want to "hide" the internal network 172.16.58.0/24 by NATing it to some IP address.

Can you clear this up then we should be able to provide the configuration.

- Jouni

The DMZ is configured

saroj pradhan — Fri, 11 Jul 2014 10:04:09 GMT

The DMZ is configured with private IP. so cant configure NAT.The VPN Device connected to DMZ use private IP 172.16.59.0/29

and the Vpn dive connect the internet Router use public IP 122.168.191.232/29

i need to configure hide nat.

please advice .

Hi Saroj, As suggested by

nkarthikeyan — Fri, 11 Jul 2014 10:05:38 GMT

Hi Saroj,

As suggested by Jouni...

Software 8.2 and below

access-list VPN-POLICYPAT remark Policy NAT for L2L VPN
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 host 209.196.208.52

global (dmz) 200 interface

global (dmz) 200 <NAT ip address>

nat (inside) 200 access-list VPN-POLICYPAT

This will do for you... or else you can do the No-NAT if you do not want to do the double NAT

nat (inside) 0 access-list VPN-POLICYPAT

If you have the proper routing towards and upwards then you should be able to do with.

Make sure your ASA to VPN router and VPN router to ASA back you need to have a proper routing and your VPN configurations should be having required configurations to get this work.

Also NAT the traffic in VPN router.... for getting in to public network..... tunneled traffic.

Regards

Karthik

Hi,From what I have

Jouni Forss — Fri, 11 Jul 2014 10:10:09 GMT

Hi,

From what I have understood so far all this traffic will use a L2L VPN connection between the sites. With that in mind I don't think there are real limitations on what NAT IP address you use as long as the VPN device has a route for it pointing towards the ASA.

It doesnt really matter if the link network between the ASA DMZ interface and the VPN Router is private IP address. You can still use any IP address you want as the NAT IP address to which you translate the LAN network 172.16.58.0/24

So again, I will have to know with what IP address will the network 172.16.58.0/24 be visible to the remote site? It will be the same IP address that you are configuring (or have configured) as the source network/IP in the L2L VPN configurations.

- Jouni