topic Re: NAT help with ASA 5520 in Network Security

NAT help with ASA 5520

whiteford — Mon, 11 Mar 2019 14:28:11 GMT

Hi,

I have a VPN to an external company. This VPN is connected to the ASA's outside interface and they just need to access VLAN which is connected to the ASA - all works. This VLAN they connect to is on a Cisco 3750 switch which is simply connecte to one of the gigabit ports on the ASA.

This external company connects to the VLAN IP range of 172.29.x.x/16, now in my LAN I have a monitoring server on 192.168.12.91 that needs to ping a server on their LAN which is 10.10.1.1, they already have a server on 192.168.12.91 so how can I NAT this IP to say a 172.29.x.x ip?

My server is

Re: NAT help with ASA 5520

JORGE RODRIGUEZ — Sun, 21 Dec 2008 16:18:07 GMT

This external company connects to the VLAN IP range of 172.29.x.x/16, now in my LAN I have a monitoring server on 192.168.12.91 that needs to ping a server on their LAN which is 10.10.1.1,they already have a server on 192.168.12.91 so how can I NAT this IP to say a 172.29.x.x ip?

If I understand correctly , you have a server on the inside as 192.168.12.91 and needs to connect to 10.10.1.1 server on other side, but they do also have a server with ip of 192.168.12.91, you can nat 192.168.12.91 in your LAN for it to appear as 172.29.x.x address through that tunnel by using Policy nat

Follow this example.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

on your side ASA, you can do something similar to example above in link

access-list new extended permit ip 172.29.x.x 255.255.255.0 10.10.1.1 255.255.255.0

access-list policy-nat extended permit ip 192.168.12.91 255.255.255.0 10.10.1.1 255.255.255.0

static (inside,outside) 172.29.x.x access-list policy-nat

Re: NAT help with ASA 5520

whiteford — Sun, 21 Dec 2008 17:21:04 GMT

Hi,

I have not used a policy NAT before, are they dynamic and only used when needed?

I noticed you have to create a new access list:

access-list "new", do I have to create a new name or can I use an existing one? I'm just not sure if it will mess things up or not.

They current ones I have are:

access-list outside_access_in

access-list inside_access_in

access-list DMZ_access_in

access-list inside_outbound_nat0_acl

access-list DMZ6_access_in - this is the 172.29.x.x vlan

Re: NAT help with ASA 5520

JORGE RODRIGUEZ — Sun, 21 Dec 2008 18:39:53 GMT

I have not used a policy NAT before, are they dynamic and only used when needed?

Generally when you have overlapping networks you can use Policy nat, and it seems from your description there is overlapping networks.

To be clear where is 192.168.12.91 host? is it on the inside or DMZ, is important becuase policy nat needs to be correct in terms of where will

it policy nat against

the address you use to nat 192.168.12.91 does not necessarily have to be a 172.29.x.x address,

it could be any other address as long it does not overlap on the other end.

You don't have to create a new acl, use the same u are using for that l2l tunnel, you can use your currect ant exempt access list inside_outbound_nat0_acl which maps to your crypto acl

add another line in your nat exempt acl of this tunnel.

e.i

access-list inside_outbound_nat0_acl extended permit ip 172.29.x.x 255.255.255.0 10.10.1.1 255.255.255.0

access-list policy-nat extended permit ip 192.168.12.91 255.255.255.0 10.10.1.1 255.255.255.0

static (interface_where_192.168.12.91_resides,outside) 172.29.x.x access-list policy-nat

Always..always backup your configuration in text format.

could you post the config to get a picture of your l2l cls.

Regards

Re: NAT help with ASA 5520

whiteford — Sun, 21 Dec 2008 19:06:14 GMT

Hi, the 192.168.12.91 host is on my LAN (inside). This VPN to this external company has the 172.29.x.x/16 subnet allowed only through this SA's, so I thought it I NAT the 192.168.12.91 IP to that range there is less to configure on the phase 2 IPSec that is working.

This is what I found:

access-list outside_2_cryptomap extended permit ip 172.29.0.0 255.255.0.0 10.10.1.0 255.255.255.0

access-list outside_access_in extended permit icmp object-group 10.10.1.0 object-group 172.29.0.0 echo-reply

access-list inside_outbound_nat0_acl extended permit ip 172.29.0.0 255.255.0.0 10.10.1.0 255.255.255.0

access-list DMZ_access_in extended permit icmp object-group 172.29.0.0 object-group 10.10.1.0 echo-reply

Re: NAT help with ASA 5520

JORGE RODRIGUEZ — Sun, 21 Dec 2008 19:59:54 GMT

so you are already using 172.29.0.0/16 to nat any inside hosts using this 172.29.0.0 network..

not to get confused please post the complete config to see the flow of your nat exempt and global statement .. before suggesting fruther.

Re: NAT help with ASA 5520

whiteford — Sun, 21 Dec 2008 20:17:46 GMT

Hi, I will need to spend some time editing my config for security reasons, but will do, unless you can state the sections you need.

For my understanding you say I am using 172.29.0.0/16 to nat any inside address, what part of the config does that? This NAT exempt rule access-list inside_outbound_nat0_acl extended permit ip 172.29.0.0 255.255.0.0 10.10.1.0 255.255.255.0