topic Policy NAT Assistance in Network Security

Policy NAT Assistance

pootboy69 — Mon, 11 Mar 2019 18:53:23 GMT

We have an ASA5510s which has a VPN to a remote client with networks of 192.168.61.0/24 and 192.168.62.0/24 (note that these are the actual network IP ranges and not used here to substitute for public IPs). One of our internal networks is 10.2.1.0/24. We used to include this in the VPN but the remote client's company has recently implemented 10.2.0.0/16 at their location and cannot readily change it.

I need to be able to NAT all of our 10.2.1.0/24 network into a single address, say 10.10.20.200, to be able to pass it on to the remote user. I have tentatively recommended:

access-list Internal_nat_outbound line 1 extended permit ip 10.2.1.0 255.255.255.0 host 10.10.20.200
nat (Internal) 1 access-list Internal_nat_outbound tcp 0 0 udp 0

Please advise if this will do what I need, based on the above explanation or if I'm missing something. This special application of NAT is new to me and I have no experience in doing it. Thanx!

Wolf

Re: Policy NAT Assistance

manish arora — Tue, 12 Oct 2010 17:14:38 GMT

follow this :-

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

see if this helps you.

Thanks

Manish

Re: Policy NAT Assistance

pootboy69 — Wed, 13 Oct 2010 14:40:42 GMT

Thank you for the suggested document! However, this does not solve the issue. I need to find a way to NAT our 10.2.1.0/24 network into a single 10.10.20.200 address with NAT overload. Thanx!

Re: Policy NAT Assistance

praprama — Wed, 13 Oct 2010 15:11:57 GMT

Hi,

The way you have suggested will not work. What you need to do is as below:

access-list Internal_nat_outbound line 1 extended permit ip 10.2.1.0 255.255.255.0 10.2.0.0 255.255.0.0

nat (Internal) 1 access-list Internal_nat_outbound

global (External) 1 10.10.20.200

Also, your crypto ACL should point from 10.10.20.200 -----> 10.2.0.0 255.255.0.0.

This should PAT if traffic is flowing according to the access-list Internal_nat_outbound. I have assumed here that "External" is the name of your outside interface. Let me know if this works.

Thanks and Regards,

Prapanch

Re: Policy NAT Assistance

pootboy69 — Wed, 13 Oct 2010 15:19:56 GMT

Thank you for your reply! However, there are two things I do not understand (I am new to ASA, having only worked with Juniper and Nokia firewalls in the past). Why is the access-list using the 16-bit network of 10.2.0.0 and how (and why) do I "point" the crypto ACL to it? There are two other networks currently defined in the current l2l IPsec tunnel. Thanx!

Re: Policy NAT Assistance

praprama — Wed, 13 Oct 2010 15:26:40 GMT

Hi,

I was under the impression based on the original post that the remote end network is a 10.2.0.0/16. Is that right?

If so, then the access-list for the NAT says that (when packet is going from 10.2.1.0/24 to 10.2.0.0/16 and is to be routed out the External interface, dynamically PAT (overload) the source IP addresses to the 10.10.20.200 IP address.

The crypto ACL has to be configured that way because the we need this to be encrypted and sent across the tunnel and hence it is from 10.2.1.0/24 -----> 10.10.20.200.

Hope that clears things!!

Thanks and Regards,

Prapanch

Re: Policy NAT Assistance

pootboy69 — Wed, 13 Oct 2010 15:54:35 GMT

Thank you and my apologies for not being clear enough. The current configuration for this VPN is:

object-group network LakerMN-NavMAD
description trusted networks from Laker MN to Navitus Madison
network-object 10.10.20.0 255.255.255.0
network-object 10.2.1.0 255.255.255.0
object-group network NavMAD-LakerMN
description Navitus IPs that can get to Laker MN
network-object 192.168.82.0 255.255.255.0
network-object 192.168.61.0 255.255.255.0
network-object 192.168.62.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0

access-list vpn-NavMD-Laker extended permit ip object-group LakerMN-NavMAD object-group NavMAD-LakerMN
access-list vpn-NavMD-Laker extended permit ip object-group NavMAD-LakerMN object-group LakerMN-NavMAD

I need to remove the line "network-object 10.2.1.0 255.255.255.0" in the "object-group network LakerMN-NavMAD" and replace it with the correct policy NAT to translate our 10.2.1.0/24 network into a single (NAT overload) address of 10.2.1.200. So, per your suggestion, using my ACL name for this VPN, is this correct and complete?:

access-list vpn-NavMD-Laker line 1 extended permit ip 10.2.1.0 255.255.255.0 10.2.0.0 255.255.0.0
nat (Internal) 1 access-list vpn-NavMD-Laker
global (External) 1 10.10.20.200

I genuinely appreciate your patience!! Thanx!

Wolf

Re: Policy NAT Assistance

praprama — Wed, 13 Oct 2010 16:32:12 GMT

Hi,

Well we have 2 options. If you are going to substitue the network 10.2.1.0/24 with the PAT IP address, the ACL that you will have then vpn-NavMD-Laker will be the crypto ACL. For the NAT, you will need another ACL from 10.2.1.0/24 to 10.2.0.0/16 and you can not use the same ACL in the nat as you have mentioned here.

Thanks and Regards,

Prapanch

Re: Policy NAT Assistance

pootboy69 — Wed, 13 Oct 2010 19:17:28 GMT

Thank you for the support and patience. I'll try this tomorrow.

Regards,

Wolf