topic Re: Reverse NAT on the ASA? in Network Security

Reverse NAT on the ASA?

jspradli — Mon, 11 Mar 2019 17:51:06 GMT

Hello all,

I have a VPN with a vendor, but he's using the same inside networks that I am, and he apparently can't NAT on his side so I'm trying to setup dynamic NAT for his incoming and outgoing traffic on the tunnel.

This is the config I've come up with; can you let me know if this will work (see below picture)?

object-group network vendor-inside
network-object host 10.80.208.243
network-object host 10.80.88.47

access-list outside_470_cryptomap line 1 remark Vendor VPN Tunnel traffic
access-list outside_470_cryptomap line 2 extended permit ip 10.0.2.176 255.255.255.240 object-group vendor-inside
nat (external) 3 access-list outside_470_cryptomap
global (internal) 3 10.80.179.113-10.80.179.126 netmask 255.255.255.240

Re: Reverse NAT on the ASA?

Federico Coto Fajardo — Thu, 27 May 2010 11:33:47 GMT

Hi,

The configuration seems fine.

I think that when you do outside NAT:

nat (external) 3 access-list outside_470_cryptomap

You do:

nat (external) 3 access-list outside_470_cryptomap outside

Let us know if you have any problems.

Federico.

Re: Reverse NAT on the ASA?

DimonRonD — Thu, 03 Jun 2010 09:17:33 GMT

Hello!

I have connect partners company through L2L-IPSEC. I try use reverse NAT, like in that example to NAT partner's addresses in my private network. But no one hits exists in NAT. What wrong?

Re: Reverse NAT on the ASA?

Federico Coto Fajardo — Thu, 03 Jun 2010 13:55:22 GMT

You're trying to NAT the remote 10.0.2.176/28 when coming to your object-group vendor-inside correct?

So you're saying:
access-list outside_470_cryptomap line 2 extended permit ip 10.0.2.176 255.255.255.240 object-group vendor-inside
nat (external) 3 access-list outside_470_cryptomap
global (internal) 3 10.80.179.113-10.80.179.126 netmask 255.255.255.240

If you're coming from computer 10.0.2.x, can you try a ''sh xlate'' and see if you get translations for that host?

Federico.

Re: Reverse NAT on the ASA?

DimonRonD — Fri, 04 Jun 2010 05:57:11 GMT

coto.fusionet wrote:

You're trying to NAT the remote 10.0.2.176/28 when coming to your object-group vendor-inside correct?

If you're coming from computer 10.0.2.x, can you try a ''sh xlate'' and see if you get translations for that host?

Federico.

Well, I try "sh xlate" and have no translations on this nat rule. I watch "sh nat" and no hits on this rule (translate_hits = 0, untranslate_hits = 0).

Same rule on this ASA for external real IP's coming to another host works properly. This rule from L2L-IPSEC to inside not works. I use WireShark and see packets from real IP, NAT not work.

Why this NAT normally work from outside to inside and not work from IPSEC to inside?

Re: Reverse NAT on the ASA?

Federico Coto Fajardo — Fri, 04 Jun 2010 16:05:06 GMT

NAT works for non-encrypted traffic from outside to inside?
NAT does not work for encrypted traffic from outside to inside?

NAT should work for either unencrypted or encrypted traffic.
Could you post just your current NAT rule for both scenarios?

Federico.

Re: Reverse NAT on the ASA?

DimonRonD — Mon, 07 Jun 2010 06:04:03 GMT

NAT works for non-encrypted traffic from outside to inside?

Yes

NAT does not work for encrypted traffic from outside to inside?

Yes

NAT should work for either unencrypted or encrypted traffic.

Should be, yes. But, not work.

This is nat rule for enctipted traffic. Integrator comes through IPSEC from outside and goes to inside. Nat not worked:

access-list Integrator2Local extended permit ip host 192.168.1.23 10.10.1.0 255.255.255.0
global (inside) 3 10.10.0.3-10.10.0.14 netmask 255.255.255.240
nat (outside) 3 access-list Integrator2Local outside

I need translate host 192.168.1.23, when this host send packet in network 10.10.1.0/24 translate in address 10.10.0.3

Same rule (except trafic goes in DMZ) but I think, this is not matter. This rule work good:
access-list REALHOSTS extended permit ip any host 19.17.9.26
global (DMZ) 2 10.20.20.128-10.20.20.254 netmask 255.255.255.128
nat (outside) 2 access-list REALHOSTS outside

In this rule I need translate any real address, comes on host 19.17.9.26 to network 10.20.20.128/25

Re: Reverse NAT on the ASA?

jspradli — Mon, 07 Jun 2010 20:47:02 GMT

DimonRonD wrote:
Hello!
I have connect partners company through L2L-IPSEC. I try use reverse NAT, like in that example to NAT partner's addresses in my private network. But no one hits exists in NAT. What wrong?
Hi DimonRonD,
Not sure about your setup, but mine was backwards:
I had:
access-list LUXATLASA01e_470_cryptomap extended permit ip 10.0.2.176 255.255.255.240 object-group Vendor-inside
It should be:
access-list LUXATLASA01e_cryptomap_470 extended permit ip 10.80.0.0 255.255.0.0 10.0.2.176 255.255.255.240
Also had to add:
access-list LUXATLASA01i_nat0_outbound extended permit ip object-group Vendor-inside 10.0.2.176 255.255.255.240
I highly recommend opening a ticket with TAC for configuration assistance so they can help you understand the config.  If they can teach me, they can teach anyone!'

Re: Reverse NAT on the ASA?

jspradli — Mon, 07 Jun 2010 20:48:00 GMT

Thanks for the reply; see above for corrected config.