topic Re: NAT a remote IP address in Network Security

NAT a remote IP address

william-espana — Mon, 11 Mar 2019 19:23:07 GMT

Hello,

I need to be able to access a remote server (connected via site-to-site VPN) at a different address.

Here is the scenario

ASA5520 with 4 Interfaces

inside (172.30.x.x)
outside (74.x.x.x) Public Address
Net1 (162.x.x.x) Public Address but on an Intranet (not routerd on the Internet)
Net2 (172.21.x.x)

VPN3000 concentrator

on this, I have an IPSEC vpn with the a remote network of 192.168.x.x

I need users on the 162.x.x.x intranet to access a server on the 192.168.x.x server, using a 162.x.x.x address that I have available on my 162.xxx subnet.

Thank you in advance for your help.

Re: NAT a remote IP address

Jennifer Halim — Thu, 16 Dec 2010 08:45:45 GMT

Firstly, please share a topology diagram to understand how the VPN Concentrator is actually connected to the ASA.

Is the VPN Concentrator behind or in front of the ASA?

Re: NAT a remote IP address

william-espana — Thu, 16 Dec 2010 15:05:49 GMT

Thank you for your response.

Attached is a basic network diagram.

I currently have a couple of servers on the DMZ vlan (9) 172.12.0/24 natted to 162.x.x.x IP addresses.

However, now I need a server which is on the remote site to site vpn at 192.168.x.x natted so people on the 162.x.x.x intranet can access that web server, using a 162.x.x.x IP address.

Thank you,

Will.

Re: NAT a remote IP address

Jennifer Halim — Fri, 17 Dec 2010 11:51:19 GMT

Sorry, I don't quite understand your topology. Which device is actually performing the NAT?

Can you share your ASA configuration please. Thanks.

Re: NAT a remote IP address

william-espana — Fri, 24 Dec 2010 00:15:45 GMT

Thank you for your reply, I hope this explains my situation:

Here is my situation:

I have an intranet that I connect to on the 152.x.x.x network. 
(It is a public address range, but it is not routed to the Internet).  
A router that I do not control is used to access this intranet, with an IP address of 152.73.41.45
 (not the actual IP range)

I placed a router on the intranet to be able to host servers on the 152.0.0.x intranet.I have a couple of web servers that I publish to the 152.x.x.x network, through an ASA which has an inside IP address of 172.22.0.2. There are one to one nat statements that translate from the 152.x.x.x to the 172.21.12.X network.

Here is what I need to do:

On my VPN 3000 there is a site to site IP sec VPN that connects me to a 192.168.60.x network.

I need the users on the 152.x.x.x network to access a web server that is on the 192.168.60.x network.

I do have an available IP address (152.73.41.156) that I can use, but I don’t know how to do this on the router.

I tried the IP nat inside source, but I couldn’t get it to work.

This router has the following Interfaces:

VLAN 22

interface FastEthernet0/0

ip address 172.22.0.5 255.255.255.0

ip nat inside

duplex auto

speed auto

VLAN 152

interface FastEthernet0/1

ip address 152.73.41.147 255.255.255.240

ip access-group 101 in

ip nat outside

duplex auto

speed auto

no cdp enable

This is the route on this router to the 192.168.x.x network

ip route 192.168.0.0 255.255.0.0 172.22.0.13

The ASA, although I don’t think has anything to do in this situation is as follows:

ASA 5520

VLAN 152

interface GigabitEthernet0/2.152

vlan 162

nameif IntraNet

security-level 10

ip address 152.73.41.146 255.255.255.240

VLAN 22

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 172.22.0.2 255.255.255.0

VLAN 21

interface GigabitEthernet0/2.9

vlan 9

nameif DMZ

security-level 40

ip address 172.21.12.1 255.255.255.0

The final piece is a VPN 3000 concentrator. This concentrator has 3 interfaces:

Private 172.22.0.13

Public (public Ip address to the Internet)

External 152.73.41.152

What do I need to do to allow users on the 152.x.x.x intranet to access a web server which is on the 192.168.x.x network (over an IP Sec VPN) using an IP address of 152.73.41.156?

Thank you all for your help.

Re: NAT a remote IP address

Jennifer Halim — Fri, 24 Dec 2010 03:22:00 GMT

Sorry, do you want to NAT the remote server ip to 152.73.41.156? or do you want to PAT the users ip address (152.x.x.x network) to 152.73.41.156?

Why do you need to NAT?

Do you need to NAT? just trying to understand why you can't access the remote server from the 152.x.x.x network without NAT?

Also, what is the crypto ACL configured on the vpn concentrator for the site-to-site tunnel to the remote end? What is the local subnet and what is the remote subnet configured?

Sorry, I just want to understand if there is a requirement to NAT or you think that NAT is the only way to access the remote web server. And also need confirmation on which ip address you need to NAT to 152.73.41.156?

Re: NAT a remote IP address

Jennifer Halim — Fri, 24 Dec 2010 03:23:07 GMT

Also, what is the default gateway of users in 152.x.x.x network?

Re: NAT a remote IP address

william-espana — Fri, 24 Dec 2010 04:12:17 GMT

OK, everyone that is on the 152.73.x.x Intranet (which I don't have any control over) can access my 152.73.41.144/28 subnet though a router with an IP address of 172.73.41.145.

I placed my own router on this network, which is the router I mentioned with the following interfaces:

VLAN 22

interface FastEthernet0/0

ip address 172.22.0.5 255.255.255.0

ip nat inside

duplex auto

speed auto

VLAN 152

interface FastEthernet0/1

ip address 152.73.41.147 255.255.255.240

ip access-group 101 in

ip nat outside

duplex auto

speed auto

no cdp enable

Keep in mind that all of the users that are on the 152.73.x.x network, (about 100 sites) can only access IP addresses on 152.73.x.x. I need all of those users to access the server which is on a site to site VPN with an IP address of 192.168.60.x network.

So I figured since all the intranet users can only access 152.73.x.x IP addresses, I need to use one of my 152.73.41.x IP addresses and translate it to the remote server of 192.168.60.100

My available IP address is 152.73.41.156.

As far as the concentrator goes, here are the defined local and remote nets

Local to remote

172.21.10.0/0.0.0.255
152.73.41.144/0.0.0.15
172.21.11.0/0.0.0.255

Remote to local

192.168.60.0/0.0.0.255

So, Since I cannot access the main 152.73.44.144 router (and they will not route to a 192.168.60.x network, I need to publish the above mentioned web server that has an IP address of 192.168.60.100 on the 152.73.x.x network and use the IP address of 152.73.41.156.

Hope this answers your questions.

Thanks again for your help.

Re: NAT a remote IP address

Jennifer Halim — Wed, 29 Dec 2010 11:52:45 GMT

Great thanks, it makes sense now.

On the router, you can configure the following:

ip nat inside source static 192.168.60.100 152.73.41.156

It's static 1:1 NAT, and it will translate 192.168.60.100 to 152.73.41.156.

Re: NAT a remote IP address

william-espana — Thu, 30 Dec 2010 16:09:23 GMT

Jennifer,

Thank you very much for your help.

I tried that NAT entry, but users that come in on the 152.x.x.x network are still not able to reach the server.

Is there anything else I should look for?

Again, thank you for your help.

Re: NAT a remote IP address

Kureli Sankar — Thu, 30 Dec 2010 23:20:39 GMT

Does your access-list 101 allow traffic to this 152.73.41.156 address?

If not pls. add it.

If this doesn't work then pls provide the following output.

sh run | nat

sh access-l 101

If there is an acl associated with nat we need to see that acl as well.

-KS