12-19-2013 06:30 AM - edited 03-11-2019 08:20 PM
Hi ALL,
We recently had a VPN setup between CompanyA and CompanyB
We’ve had a bit of a shakeup of development servers and the IP address that was configured for the tunnel has changed.
Because we can have multiple IPs that are now initiating requests we need a way to make everything appear as a single IP.
After speaking to Rackspace they are intending to NAT every server to a single IP in the firewall, only for that tunnel.
The hosts that we have currently that are trying to connect are:
192.168.1.214
192.168.1.215
192.168.1.216
192.168.1.217
Can we use one of these IP addresses and have the rules setup on the firewall or is it best to use a new one?
12-19-2013 06:55 AM
Hi,
You should PAT them to one IP and configure it as the interesting traffic of the tunnel. I assume that their IPs will only initiate traffic.
You may use the following:
object network LOCAL-HOSTS
host 192.168.1.214
host 192.168.1.215
host 192.168.1.216
host 192.168.1.217
nat (ingress-ifc, egress-ifc) dynamic
HTH
----
Mashal Shboul
12-31-2013 04:39 AM
Thanks for your response, I am using the ASDM.
Can you give me instructions on how to do it on there?
12-31-2013 07:18 AM
Hi,
Are the addresses 192.168.1.x located at the remote network (Rackspace) or are they the hosts on your side that need to be Dynamic PATed to a single IP address?
Are you saying that there is a single IP address configured on the L2L VPN as the source address for your side? If this is true then you can naturally Dynamic PAT the mentioned 4 IP addresses to that PAT IP address.
I don't personally use ASDM at all to configure NAT or ACL.
Could you perhaps share your current configuration (except any sensitive information)? Your ASA's software level will also play a role in the NAT configuration.
Software level 8.2 (and lower)
access-list POLICY-PAT permit ip host 192.168.1.214
access-list POLICY-PAT permit ip host 192.168.1.215
access-list POLICY-PAT permit ip host 192.168.1.216
access-list POLICY-PAT permit ip host 192.168.1.217
nat (inside) 100 access-list POLICY-PAT
global (outside) 100 x.x.x.x
Where the x.x.x.x is the PAT IP address which is configured as your source for the L2L VPN. In the ACL you have to tell the remote host(s) and/or networks to which you connect for each of your source host for the NAT configuration to work properly for all users.
Software level 8.3 (and above)
object-group network SOURCE
network-object host 192.168.1.214
network-object host 192.168.1.215
network-object host 192.168.1.216
network-object host 192.168.1.217
object-group network DESTINATION
network-object
network-object host
object network L2L-VPN-PAT-IP
host x.x.x.x
nat (inside,outside) source dynamic SOURCE L2L-VPN-PAT-IP destination static DESTINATION DESTINATION
In the above the first "object-group" specifies the source addresses for the NAT configuration. The second "object-group" can be used to tell the destination addresses on the remote end of the L2L VPN for which this NAT configuration should apply to. The "object" is supposed to contain the PAT IP address with which your traffic to the remote site should show up as.
Finally the actual "nat" configuration that does a Dynamic Policy PAT. In other words, a NAT configuration that PATs traffic to a certain IP address for specific destination IPs
Hope this helps
- Jouni
12-31-2013 07:56 AM
Thanks for your response:
It is ASA 8.2(5)
ASDM 6.4(5)
01-03-2014 09:34 AM
Ok I'll have to telnet into the 5510 rather than use ASDM.
Yes, the addresses 192.168.1.x are located on our side and need to be seen as a single IP address.
So what lines of code should I use for this?
01-03-2014 11:52 AM
Hello, it should be:
access-list NAT_VPN permit ip host 192.168.1.214 x.x.x.x y.y.y.y
access-list NAT_VPN permit ip host 192.168.1.215 x.x.x.x y.y.y.y
access-list NAT_VPN permit ip host 192.168.1.216 x.x.x.x y.y.y.y
access-list NAT_VPN permit ip host 192.168.1.217 x.x.x.x y.y.y.y
(where x.x.x.x is the other side subnet and y.y.y.y is the netmask)
nat (inside) 10 access-list NAT_VPN
global (outside) 10 192.168.1.X (whatever you want these IP addresses to look like)
Notes:
If you already configure the NAT 0 rule remember to remove the VPN traffic from it.
Remember to change the Crypto ACL for the VPN so now it should look like
access-list crypto acl permit ip 192.168.1.x (PAT IP address) x.x.x.x y.y.y.y
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-06-2014 04:40 AM
Thanks for this, but I thought I had to PAT the devices?
01-06-2014 06:06 AM
Hi,
I provided the CLI format configurations needed depending on what software level you are running.
To give you a configuration that would work in your exact ASA setup we would have to see the CLI format configuration.
This was the example that applied to your software level
Software level 8.2 (and lower)
access-list POLICY-PAT permit ip host 192.168.1.214
access-list POLICY-PAT permit ip host 192.168.1.215
access-list POLICY-PAT permit ip host 192.168.1.216
access-list POLICY-PAT permit ip host 192.168.1.217
nat (inside) 100 access-list POLICY-PAT
global (outside) 100 x.x.x.x
The IP x.x.x.x would be the Dynamic PAT address with which your 4 hosts would show up to the remote network.
Naturally we would have to make sure that there is no overlapping NAT configuration that would prevent this from working.
- Jouni
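Two points in this thread are easy to get wrong in practice: an existing "nat (inside) 0" exemption that still covers the VPN hosts wins over the policy PAT rule (Julio's note and Jouni's closing remark), and the crypto ACL has to match the post-NAT source, i.e. the PAT address. The following is an added example, not Cisco code nor any poster's configuration; it models the ASA 8.2 order of evaluation (NAT exemption before policy NAT, crypto ACL matched against the translated source) for the four hosts in the thread. The remote subnet 10.20.30.0/24, the remote host 10.20.30.5 and the PAT address 192.168.1.250 are constructed stand-ins for the x.x.x.x / y.y.y.y placeholders above.

```python
"""Model of the ASA 8.2 NAT decision order for the policy-PAT-over-L2L-VPN
question in this thread.  Added example; not Cisco code and not a poster's config.

Constructed values: remote subnet 10.20.30.0/24 (stand-in for x.x.x.x y.y.y.y),
remote host 10.20.30.5 and PAT address 192.168.1.250 (stand-in for the PAT IP).
ASA 8.2 evaluates NAT exemption (nat 0 access-list) before policy NAT
(nat <id> access-list), and the crypto ACL is matched against the translated
source, so an exemption that still covers the VPN hosts silently breaks both.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' entry of an ASA access-list."""
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst


def ace(src: str, dst: str) -> Ace:
    """Build an ACE from 'a.b.c.d/len' strings ('/32' for a single host)."""
    return Ace(ip_network(src, strict=False), ip_network(dst, strict=False))


def translate_source(src: str, dst: str, nat_exempt: list[Ace],
                     policy_pat: list[Ace], pat_ip: str) -> str:
    """Source address the remote side sees for a flow src -> dst.

    Order follows ASA 8.2: NAT exemption first, then policy NAT.  A flow that
    matches neither is returned unchanged here (a real ASA would still consult
    regular/static NAT and may drop it when nat-control is enabled).
    """
    s, d = ip_address(src), ip_address(dst)
    if any(a.matches(s, d) for a in nat_exempt):
        return src          # exempt: no translation at all, PAT never runs
    if any(a.matches(s, d) for a in policy_pat):
        return pat_ip       # policy PAT to the single address used for the VPN
    return src


def shadowed_pat_entries(nat_exempt: list[Ace], policy_pat: list[Ace]) -> list[Ace]:
    """Policy-PAT ACEs fully covered by a NAT-exempt ACE (they can never fire)."""
    return [p for p in policy_pat
            if any(p.src.subnet_of(e.src) and p.dst.subnet_of(e.dst)
                   for e in nat_exempt)]


# --- constructed configuration mirroring the thread -----------------------
REMOTE_SUBNET = "10.20.30.0/24"     # constructed stand-in for x.x.x.x y.y.y.y
REMOTE_HOST = "10.20.30.5"          # constructed host on the Rackspace side
PAT_IP = "192.168.1.250"            # constructed stand-in for the PAT address
VPN_HOSTS = ["192.168.1.214", "192.168.1.215", "192.168.1.216", "192.168.1.217"]

# access-list POLICY-PAT permit ip host 192.168.1.21x <remote subnet>
POLICY_PAT = [ace(h + "/32", REMOTE_SUBNET) for h in VPN_HOSTS]

# A pre-existing 'nat (inside) 0 access-list ...' that still exempts the whole
# inside LAN towards the remote subnet (the overlap the thread warns about).
NAT_EXEMPT_BEFORE = [ace("192.168.1.0/24", REMOTE_SUBNET)]
NAT_EXEMPT_AFTER: list[Ace] = []    # VPN traffic removed from the nat 0 ACL

# Crypto ACL rewritten for the PAT address, as Julio advises.
CRYPTO_ACL = [ace(PAT_IP + "/32", REMOTE_SUBNET)]


def demo() -> dict[str, tuple[str, bool]]:
    """For host .214 -> remote host: (source seen remotely, enters tunnel?)."""
    out = {}
    for label, exempt in (("before", NAT_EXEMPT_BEFORE), ("after", NAT_EXEMPT_AFTER)):
        seen = translate_source(VPN_HOSTS[0], REMOTE_HOST, exempt, POLICY_PAT, PAT_IP)
        in_tunnel = any(a.matches(ip_address(seen), ip_address(REMOTE_HOST))
                        for a in CRYPTO_ACL)
        out[label] = (seen, in_tunnel)
    return out


if __name__ == "__main__":
    print("PAT entries shadowed by nat 0:",
          len(shadowed_pat_entries(NAT_EXEMPT_BEFORE, POLICY_PAT)))
    print(demo())
```

With the leftover exemption in place the host leaves with its real address and the crypto ACL (written for the PAT address) never matches, so the packet goes out in the clear or is dropped rather than into the tunnel; once the VPN traffic is removed from the nat 0 ACL the flow is translated to the PAT address and matches the crypto ACL. `shadowed_pat_entries` is the check to run against a running config before assuming the policy PAT is in effect.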