ASA 9+ - Twice NAT

Private
Level 1

I am curious to know if the following two statements / Twice NAT rules are equivalent (accomplish/mean the same thing and function in the same way):

DmzHostA = a real host on the local DMZ segment

RemoteHostB = a real host on a remote network that is accessed via an established VPN tunnel

#1) - nat (outside,dmz) source static RemoteHostB MappedIP-C destination static DmzHostA DmzHostA no-proxy-arp

"When RemoteHostB on a remote vpn connected network accesses DmzHostA on the DMZ network, translate address of RemoteHostB to MappedIP-C"

vs.

#2) - nat (dmz,outside) source static DmzHostA MappedIP-C destination static RemoteHostB RemoteHostB no-proxy-arp

"When host DmzHostA on the DMZ network accesses RemoteHostB on a remote vpn connected network, translate address of DmzHostA to MappedIP-C"

Would there be any differences between these with regards to defining interesting crypto traffic? For example, would one use, respective to the above, the following ACL entries to define the interesting VPN traffic:

For #1) - access-list MyVPN extended permit ip DmzHostA RemoteHostB

For #2) - access-list MyVPN extended permit ip MappedIP-C RemoteHostB

The reason for asking is that I see examples of configurations using the #2 method all the time but have come across an example using the #1 method, and it 'seems' equivalent (as static NAT is bidirectional) in a way, but I was wondering if the #1 method affects traffic initiation and the ability to bring a tunnel up in any way.

Thanks.

5 Replies

Ajay Saini
Level 7

In NAT #1 you are NATing RemoteHostB, which is across the outside interface, while in NAT #2 you are NATing DmzHostA, which is behind the dmz interface. These NATs are not solving one purpose for sure, if that's what the question is.

Since this format is for bidirectional NAT, it can always be created in 2 ways - nat (x,y) and nat (y,x) - provided we are using the same NATing parameters.

In regards to the crypto map, we need the interesting traffic - which means the source and destination that will hit the ingress interface of the ASA. So, that will basically be the IP header src and dst IP as initiated by the sender.

Just keep in mind the format of the NAT statement and it should be easy:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_rules.html

Let me know if there are further questions.

-

AJ

Thank you for the response. It came to me during the overnight that I believe the 'equivalent' to #1 may be 

nat (dmz,outside) source static DmzHostA DmzHostA destination static MappedIP-C RemoteHostB

Does this seem correct?

Yes, that is absolutely correct. 

-

AJ

For the way #1 is written [nat (outside,dmz) .... ]

In addition to describing it as:

"When RemoteHostB on a remote vpn connected network accesses DmzHostA on the DMZ network, translate address of RemoteHostB to MappedIP-C"

Is it also correct to describe it as:

"When DmzHostA on the DMZ network accesses RemoteHostB via the remote VPN-connected network, translate the destination address of RemoteHostB to MappedIP-C" ?

And a proper crypto ACL for defining interesting traffic (initiating traffic to remote host and bringing up the tunnel) would be:

access-list MyVPN extended permit ip DmzHostA RemoteHostB  ?

Still working out a small bit of understanding for the crypto ACLs, as there are instances where one uses the NAT IP addresses in the crypto ACL rather than the real IP addresses. See: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/119425-configure-ipsec-00.html#anc10 - "Note: An ACL for VPN traffic uses the source and destination IP addresses after NAT."

Thanks again.

Both the NAT description and the crypto ACL that you have mentioned are correct.

The VPN ACL needs to have the NATed source and destination, since the destination un-NAT and source NAT happen before the encryption happens.

-

AJ
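As an added illustration of the thread's conclusion (this is example code written for this page, not from the thread, Cisco, or any ASA tooling): a small Python model of ASA static twice NAT that parses the three nat lines discussed above, applies each one in both directions, and then evaluates a crypto ACL against the post-NAT packet. The addresses for DmzHostA, RemoteHostB and MappedIP-C are constructed placeholders (the thread gives none), and the match logic is a simplified model of how the ASA's `source static ... destination static ...` form rewrites addresses, not a reimplementation of the ASA. It shows that #1 and its (dmz,outside) equivalent produce the same packets in both directions, that under #1 the DMZ host reaches RemoteHostB by addressing MappedIP-C, and that the crypto ACL only matches when it names the post-NAT addresses.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses for the thread's three network objects (hypothetical
# values from RFC 1918 / RFC 5737 space; the thread never shows real ones).
OBJECTS = {
    "DmzHostA": "10.10.10.5",
    "RemoteHostB": "192.168.50.20",
    "MappedIP-C": "203.0.113.77",
}

# The three nat lines discussed in the thread.
RULE_1 = ("nat (outside,dmz) source static RemoteHostB MappedIP-C "
          "destination static DmzHostA DmzHostA no-proxy-arp")
RULE_1_EQUIV = ("nat (dmz,outside) source static DmzHostA DmzHostA "
                "destination static MappedIP-C RemoteHostB")
RULE_2 = ("nat (dmz,outside) source static DmzHostA MappedIP-C "
          "destination static RemoteHostB RemoteHostB no-proxy-arp")

# Only the 'source static ... destination static ...' form is modelled; trailing
# keywords such as no-proxy-arp do not change the address rewrite and are ignored.
NAT_RE = re.compile(
    r"^nat \((?P<src_if>\w+),(?P<dst_if>\w+)\) "
    r"source static (?P<real_src>\S+) (?P<mapped_src>\S+) "
    r"destination static (?P<mapped_dst>\S+) (?P<real_dst>\S+)"
)
ACL_RE = re.compile(r"^access-list \S+ extended permit ip (?P<src>\S+) (?P<dst>\S+)")


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrives on
    src: str
    dst: str


@dataclass(frozen=True)
class TwiceNatRule:
    src_if: str
    dst_if: str
    real_src: str
    mapped_src: str
    mapped_dst: str  # ASA writes the destination pair mapped-first ...
    real_dst: str    # ... then real, the reverse of the source pair's order


def parse_nat(line: str) -> TwiceNatRule:
    m = NAT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported nat syntax: {line!r}")
    return TwiceNatRule(
        src_if=m["src_if"], dst_if=m["dst_if"],
        real_src=OBJECTS[m["real_src"]], mapped_src=OBJECTS[m["mapped_src"]],
        mapped_dst=OBJECTS[m["mapped_dst"]], real_dst=OBJECTS[m["real_dst"]],
    )


def translate(rules: List[TwiceNatRule], pkt: Packet) -> Optional[Tuple[Packet, str]]:
    """Return (post-NAT packet, egress interface) from the first matching rule, or
    None when nothing matches (the packet would continue untranslated). A static
    twice-NAT rule is bidirectional, so each rule is checked forward and in reverse."""
    for r in rules:
        # Forward: enters src_if from the real source, addressed to the mapped destination.
        if pkt.ingress == r.src_if and pkt.src == r.real_src and pkt.dst == r.mapped_dst:
            return Packet(pkt.ingress, r.mapped_src, r.real_dst), r.dst_if
        # Reverse: enters dst_if from the real destination, addressed to the mapped source.
        if pkt.ingress == r.dst_if and pkt.src == r.real_dst and pkt.dst == r.mapped_src:
            return Packet(pkt.ingress, r.mapped_dst, r.real_src), r.src_if
    return None


def crypto_acl_permits(acl_line: str, post_nat: Packet) -> bool:
    """The crypto ACL is matched against the packet as it leaves NAT (AJ's point
    above), so its entry must name the post-NAT source and destination."""
    m = ACL_RE.match(acl_line.strip())
    if not m:
        raise ValueError(f"unsupported access-list syntax: {acl_line!r}")
    return post_nat.src == OBJECTS[m["src"]] and post_nat.dst == OBJECTS[m["dst"]]


def flow(nat_line: str, ingress: str, src_name: str, dst_name: str):
    """Send one packet src_name -> dst_name into `ingress` under one nat line;
    return (post-NAT src, post-NAT dst, egress interface) or None."""
    res = translate([parse_nat(nat_line)], Packet(ingress, OBJECTS[src_name], OBJECTS[dst_name]))
    if res is None:
        return None
    pkt, egress = res
    return pkt.src, pkt.dst, egress


if __name__ == "__main__":
    acl_real = "access-list MyVPN extended permit ip DmzHostA RemoteHostB"
    acl_mapped = "access-list MyVPN extended permit ip MappedIP-C RemoteHostB"
    for label, rule, dst, acl in [("#1", RULE_1, "MappedIP-C", acl_real),
                                  ("#1 equivalent", RULE_1_EQUIV, "MappedIP-C", acl_real),
                                  ("#2", RULE_2, "RemoteHostB", acl_mapped)]:
        src, dst_after, egress = flow(rule, "dmz", "DmzHostA", dst)
        ok = crypto_acl_permits(acl, Packet("dmz", src, dst_after))
        print(f"{label}: DmzHostA -> {dst} leaves NAT as {src} -> {dst_after} "
              f"via {egress}; crypto ACL match = {ok}")
```

Running it prints that #1 and its equivalent both leave NAT as DmzHostA -> RemoteHostB (so the crypto ACL naming the real addresses matches), while #2 leaves NAT as MappedIP-C -> RemoteHostB (so the crypto ACL must name MappedIP-C). A DMZ packet addressed directly to RemoteHostB under rule #1 matches no rule at all, which is the traffic-initiation difference the original question asks about.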
