Welcome to Cisco Firewalls Community
Beginner

How to Nat this scenario

Hi All,

I need your valuable suggestions for the scenario below.

We have a site-to-site VPN between ourselves and a client; our range is 10.4.0.0/16 to 10.33.1.0/24 (client). The VPN is up and running.

We have a different branch site (10.3.0.0/16) and we are connected via an MPLS circuit to our Cisco router, and the Cisco router to the core network. Normal routing is working perfectly between ourselves and the branch site.

Now I need to make the 10.3.0.0/16 subnets able to access the client subnet 10.33.1.0/24 using the existing VPN between ourselves and the client. Is this possible using NAT?

Many Thanks

Ven

7 Replies
Mentor

How to Nat this scenario

Hi,

So you have the following networks

  • 10.4.0.0/16 = Your Main Network
  • 10.3.0.0/16 = Your Branch Network
  • 10.33.1.0/24 = Client Network behind L2L VPN Connection

You say you want the new Branch network to connect to the Client network.

This should be no problem if you make additions to the L2L VPN configurations between you and your client.

Or is your goal specifically to be able to include the Branch network in the L2L VPN connection without having to change the L2L VPN settings with the remote end?

- Jouni

Beginner

Re: How to Nat this scenario

Hi Jouni,

Thanks a lot for your reply.

Yes, the situation is that we can't make any changes to the L2L VPN; the only option we are left with is to make changes internally and get this working.

Mentor

Re: How to Nat this scenario

Do you currently do NAT0 for your whole Internal network of 10.4.0.0/16 towards the 10.33.1.0/24 network?

For example

access-list NAT0 permit ip 10.4.0.0 255.255.0.0 10.33.1.0 255.255.255.0

nat (inside) 0 access-list NAT0

EDIT: Also, does your Branch network only need to connect to the Client site? Does the Client site have any need to initiate connections towards your branch site?

- Jouni

Beginner

Re: How to Nat this scenario

No Jouni, for the VPN all we are doing is

access-list xxx extended permit ip 10.4.0.0 255.255.0.0 10.33.1.0 255.255.255.0
access list no nat ip 10.4.0.0 255.255.0.0 10.33.1.0 255.255.255.0

The Branch network will access the VPN to the client and the voice platform, as it is hosted in the main site.

No, there are servers on the client side, so we and our branch office need to access them.

Mentor

Re: How to Nat this scenario (Accepted Solution)

Hi,

I'm not 100% sure, but it would seem to me that you will need to make modifications to the NAT0/NONAT configurations you just listed above.

Do you have some subnet on the 10.4.0.0/16 network that you could use as NAT addresses for the Branch network?

What I suggest trying, if possible, is to

  • Select a subnet from the whole 10.4.0.0/16 network that is not configured anywhere and therefore is not used by any devices
  • Configure this network to be used as a NAT pool towards the Client site for your Branch network.

The Policy NAT rule for the Branch site's connection to the L2L VPN could look like this

access-list BRANCH-L2L-POLICY-NAT permit ip 10.3.0.0 255.255.0.0 10.33.1.0 255.255.255.0

global (outside) 100 10.4.255.1-10.4.255.253

global (outside) 100 10.4.255.254

nat (inside) 100 access-list BRANCH-L2L-POLICY-NAT

The above configuration should hopefully change the situation so that

  • When traffic matching the ACL, that is traffic from 10.3.0.0/16 heading to 10.33.1.0/24, reaches the firewall it will be NATed to the pool addresses mentioned above
  • Since the traffic is NATed to those addresses and the connection's destination address is the remote Client network, the traffic should get forwarded to the L2L VPN connection without any changes to it

I haven't had the chance to lab this myself so I can't guarantee it 100%. But it would be something that I would try if I was facing the situation that you are, presuming you couldn't change the L2L VPN rules, which in my opinion is still a cleaner solution to this.

Please let me know if you are going to try this and if so let me know how it went. Please rate if the information was helpful.

- Jouni
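
The following is an added example and not part of the thread or Jouni's reply: a small Python model of the policy NAT proposed above, used to check the reasoning behind it (branch sources are translated into an unused 10.4.255.0/24 slice of the main range, so the post-NAT flow matches the existing crypto ACL 10.4.0.0/16 → 10.33.1.0/24 without touching the VPN) and the two caveats that go with it: the pool must not overlap any real host, and the client side has nothing to reach until a branch host has opened a connection (and never reaches a PAT'ed host). It also covers the point in the later exchange that adding the branch range to the crypto ACL would itself be a VPN change. The pool size (253 addresses plus one PAT address), the flow handling and the host addresses in the usage section are assumptions modelled on the reply, not ASA code.

```python
import ipaddress
from typing import Optional, Tuple

# Networks from the thread.
MAIN_NET = ipaddress.ip_network("10.4.0.0/16")     # main site, already in the VPN
BRANCH_NET = ipaddress.ip_network("10.3.0.0/16")   # branch over MPLS, not in the VPN
CLIENT_NET = ipaddress.ip_network("10.33.1.0/24")  # client network behind the L2L VPN

# Crypto ACL ("interesting traffic") of the existing L2L VPN. Left untouched on purpose.
CRYPTO_ACL = [(MAIN_NET, CLIENT_NET)]

# Policy NAT id 100 as in the reply: the ACL selects branch->client flows,
# "global (outside) 100 10.4.255.1-10.4.255.253" is the dynamic pool and the
# second global line "10.4.255.254" is the single PAT address used once the
# pool is exhausted. Constructed model, not ASA behaviour in every detail.
POLICY_NAT_ACL = [(BRANCH_NET, CLIENT_NET)]
POOL_FIRST = ipaddress.ip_address("10.4.255.1")
POOL_SIZE = 253
PAT_ADDR = ipaddress.ip_address("10.4.255.254")


def acl_permits(acl, src, dst) -> bool:
    """True if some (src_net, dst_net) entry of the ACL covers the flow."""
    return any(src in s and dst in d for s, d in acl)


class PolicyNat:
    """Minimal model of dynamic policy NAT with a PAT fallback (assumption)."""

    def __init__(self):
        self.free = [POOL_FIRST + i for i in range(POOL_SIZE)]   # 10.4.255.1 .. .253
        self.xlate = {}                                          # original src -> translated src

    def translate(self, src: str, dst: str) -> Tuple[ipaddress.IPv4Address, str]:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not acl_permits(POLICY_NAT_ACL, src_ip, dst_ip):
            return src_ip, "untranslated"            # flow not selected by the policy ACL
        if src_ip in self.xlate:
            return self.xlate[src_ip], "dynamic"     # reuse the existing translation
        if self.free:
            self.xlate[src_ip] = self.free.pop(0)
            return self.xlate[src_ip], "dynamic"
        return PAT_ADDR, "pat"                       # pool exhausted: overload on .254

    def reverse(self, translated: str) -> Optional[ipaddress.IPv4Address]:
        """Original host behind a pool address, if a translation exists.
        Client-initiated traffic only has something to land on once a branch
        host has opened a connection; PAT'ed hosts are never reachable this way."""
        t = ipaddress.ip_address(translated)
        for orig, tr in self.xlate.items():
            if tr == t:
                return orig
        return None


def enters_vpn(nat: PolicyNat, src: str, dst: str) -> Tuple[str, bool]:
    """Translate, then check the post-NAT flow against the unchanged crypto ACL.
    Returns (translated source, whether the packet would be sent into the tunnel)."""
    new_src, _ = nat.translate(src, dst)
    return str(new_src), acl_permits(CRYPTO_ACL, new_src, ipaddress.ip_address(dst))


def pool_conflicts(in_use):
    """Addresses in the pool/PAT range already assigned to real hosts.
    The reply's precondition is that this list comes back empty."""
    pool = {POOL_FIRST + i for i in range(POOL_SIZE)} | {PAT_ADDR}
    return sorted(ipaddress.ip_address(a) for a in in_use if ipaddress.ip_address(a) in pool)


if __name__ == "__main__":
    nat = PolicyNat()
    # Constructed hosts: a branch workstation and a client server.
    print(acl_permits(CRYPTO_ACL, ipaddress.ip_address("10.3.1.10"),
                      ipaddress.ip_address("10.33.1.5")))    # False: untranslated branch traffic misses the VPN
    print(enters_vpn(nat, "10.3.1.10", "10.33.1.5"))         # ('10.4.255.1', True)
    print(enters_vpn(nat, "10.3.1.10", "10.4.20.9"))          # ('10.3.1.10', False): branch->main stays on MPLS
    print(nat.reverse("10.4.255.1"))                          # 10.3.1.10
    print(nat.reverse("10.4.255.2"))                          # None: nothing for the client to initiate to yet
    print(pool_conflicts(["10.4.255.254", "10.4.1.1"]))       # [IPv4Address('10.4.255.254')]
```

The check worth keeping from this model is the last one: before carving the pool out of 10.4.0.0/16, run the pool range against the addresses actually in use (DHCP scopes, static assignments, VPN client pools), since any overlap would silently steal traffic from a real host once an xlate is built.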

Rising star

How to Nat this scenario

Hi Ven,

If I understood your requirement correctly, adding the new networks to the existing ACLs and static routing on the Branch and 10.33.1.x end routers/ASA should work. We have a similar setup in our environment.

access-list xxx extended permit ip 10.3.0.0 255.255.0.0 10.33.1.0 255.255.255.0

access list no nat ip 10.3.0.0 255.255.0.0 10.33.1.0 255.255.255.0

Similar commands on the 10.33.1.x end ASA as well.

You need static routes on the branch and 10.33.1.x end (ex: on the 10.33.1.x site: ip route 10.3.0.0 255.255.0.0 next hop to 10.4.0.0)

hth

MS

Mentor

Re: How to Nat this scenario

But making the above changes would naturally mean making changes to the actual L2L VPN configurations. While that is of course the normal course to go through, in this case it seems the wish is to make no changes to configurations related to the L2L VPN connection. And this would possibly be avoided by using a bit unusual NAT.

- Jouni