topic Policy NAT for AH/ESP and tcp in Network Security

Policy NAT for AH/ESP and tcp

geraghtyconor — Mon, 11 Mar 2019 23:31:15 GMT

Hello all,

is it possible to policy NAT for AH/ESP and tcp on the same single IP address (two different protocol types)?

Objective = pass an IPSEC VPN through (not terminate) an ASA 5500 and share that public with another circuit.

i.e.

static (inside,outside) tcp 1.2.3.4 25 172.20.1.1 8080 netmask 255.255.255.255

!NAT anything arriving on my public 1.2.3.4 with dst port 25 to 172.20.1.1 port 8080 inside my LAN

static (inside,outside) AH 1.2.3.4 172.20.1.2 AH netmask 255.255.255.255

static (inside,outside) ESP 1.2.3.4 172.20.1.2 ESP netmask 255.255.255.255

static (inside,outside) udp 1.2.3.4 500 172.20.1.2 500 netmask 255.255.255.255

static (inside,outside) udp 1.2.3.4 4500 172.20.1.2 4500 netmask 255.255.255.255

!Pass an IPSEC tunnel through firewall to termination point 172.20.1.2 = 1.2.3.4 can be used for two circuits.

Thank you in advance.

Policy NAT for AH/ESP and tcp

geraghtyconor — Mon, 16 Jul 2012 14:57:36 GMT

I.e. I want to use one of my Public facing IP addresses to accept two circuits for static NAT

1 To NAT an IPSEC circuit to a IPSEC termination device on my private LAN (AH, ESP, udp 500 and udp 4500)

2: To NAT a tcp circuit to a different device on my private network.

Or;

Can the ASA 5500 policy NAT the above on one IP address on my outside interface to two inside devices (tcp traffic to device A and IPSEC traffic to device B) ???

Policy NAT for AH/ESP and tcp

nkarthikeyan — Mon, 16 Jul 2012 16:08:22 GMT

I suggest you to use Access-list based policy nat to achive your 1st query. Please clarify me if your requirement is something else.

Policy NAT for AH/ESP and tcp

geraghtyconor — Tue, 17 Jul 2012 07:18:15 GMT

I want to use 1 public IP address NATTed to 2 internal private IP addresses.

1: NAT an IPSEC circuit terminating on 172.20.1.2 and appears as 1.2.3.4 on the Internet

2: NAT a tcp circuit to 172.20.1.1 8080 for traffic arriving on 1.2.3.4 on port 25.

!Like this??

access-list policyNAT-share extended permit AH host 172.20.1.2 host 1.2.3.4

access-list policyNAT-share extended permit ESP host 172.20.1.2 host 1.2.3.4

access-list policyNAT-share extended permit UDP host 172.20.1.2 eq 500 host 1.2.3.4 eq 500

access-list policyNAT-share extended permit UDP host 172.20.1.2 eq 4500 host 1.2.3.4 eq 4500

!And the other circuit

access-list policyNAT-share extended permit tcp host 172.20.1.1 eq 8080 host 1.2.3.4 eq 25

static (inside,outside) 1.2.3.4 access-list policyNAT-share

Policy NAT for AH/ESP and tcp

nkarthikeyan — Tue, 17 Jul 2012 07:48:13 GMT

Hi ,

Yes you can have the ACL like that i suggest you can go for PAT.

nat (inside) 1 access-list policyNAT-share

global (outside) 1 1.2.3.4

so all the traffic matches the acl rule will get translated accordingly.

like the above and it should work then. Please try that let me know if that works or not.

Please do rating if the given info helps you.

Karthik

Policy NAT for AH/ESP and tcp

geraghtyconor — Tue, 17 Jul 2012 10:12:29 GMT

!I have used global (outside) 1 and 2 already. This is what I was thinking.

access-list policyNAT-share extended permit AH host 172.20.1.2 host 1.2.3.4

access-list policyNAT-share extended permit ESP host 172.20.1.2 host 1.2.3.4

access-list policyNAT-share extended permit UDP host 172.20.1.2 eq 500 host 1.2.3.4 eq 500

access-list policyNAT-share extended permit UDP host 172.20.1.2 eq 4500 host 1.2.3.4 eq 4500

!And the other circuit

access-list policyNAT-share extended permit tcp host 172.20.1.1 eq 8080 host 1.2.3.4 eq 25

nat (inside) 3 access-list policyNAT-share

global (outside) 3 1.2.3.4 netmask 255.255.255.255

!??????

Policy NAT for AH/ESP and tcp

nkarthikeyan — Tue, 17 Jul 2012 11:11:57 GMT

yes... you can make any number subjected to your present configuration.

Please do rating if the given info helps.

Karthik

Policy NAT for AH/ESP and tcp

nkarthikeyan — Fri, 20 Jul 2012 03:21:45 GMT

Thanks Gera for your rating. Assuming that works for you.

Regards

Karthik