ASA 8.2 multiple nat statements?

3moloz123
Level 1

Hi,

I would like to config "when host X on vlanX goes to a network that is across an ipsec tunnel, for which vlanX network is not in the encryption domains, translate host X address to that of the asa in a network that is part of the crypto domain".

Interface vlan544 (172.16.80.0/24) is the local encryption domain, and 10.1.0.0/29 holds some monitoring servers that should not be part of the encryption domain, but rather get their source address translated to that of the firewall in 172.16.80.0/24. Here's what I did:

# Vlan522 for 10.1.0.0/29, need to somehow have a specific nat here I guess that falls between the no nat and the generic "nat the rest to the global")

nat (vlan522) 0 access-list vlan522_nat0_outbound

nat (vlan522) 1 0.0.0.0 0.0.0.0

# Next, I defined an ACL to match the source network (10.1.0.0/29) with the remote encryption domain (172.18.0.0/24):

access-list prtg-to-slott-net extended permit ip 10.1.0.0 255.255.255.248 172.18.0.0 255.255.255.0

# Removing the global nat on vlan522:

no nat (vlan522) 1 0.0.0.0 0.0.0.0

# Set up the newly defined access-list as nat entry 1 instead

nat (vlan522) 1 access-list prtg-to-slott-net

# Re-adding the catch-all nat but this time as rule number 2

nat (vlan522) 2 0.0.0.0 0.0.0.0

This obviously didn't work: the second rule (number 2) is never hit. What am I doing wrong?

1 Accepted Solution

Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

I got a bit confused reading that.

So did I understand correctly that the situation is the following:

  • You have existing L2L VPN connection configured between 1 local network and 1 remote network
  • You would want to configure a second local network to be able to use the L2L VPN connection without changing the L2L VPN configurations?

In this case you should probably do the following:

  • Determine a free IP address that is not used in the original local network that is part of the L2L VPN currently
  • Configure a Dynamic Policy PAT for it

access-list L2LVPN-POLICYPAT permit ip 10.1.0.0 255.255.255.248 172.18.0.0 255.255.255.0

global (outside) 100 172.16.80.254

nat (vlan522) 100 access-list L2LVPN-POLICYPAT

There is of course a chance that some existing NAT configuration makes this one useless, but for that we have the "packet-tracer" command to determine which configurations are hit when the traffic arrives at the ASA:

packet-tracer input vlan522 tcp 10.1.0.2 12345 172.18.0.100 3389

The port and IP address values I used are random and can be pretty much anything. Of course the mentioned traffic needs to be allowed in the interface ACL, or the "packet-tracer" hits an ACCESS-LIST DROP.

- Jouni

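To make the nat/global ID pairing from both posts concrete, here is a small Python model of the ASA 8.2 NAT lookup. It is an added illustration, not code from the original poster, from Jouni or from Cisco. It models only what the thread relies on: the nat 0 exemption is checked first, then policy NAT (nat with an access-list) in configured order, then regular dynamic NAT by longest-prefix match, and each nat ID needs a matching global on the egress interface before it can translate anything. Assumptions (not on the page): the outside interface address 203.0.113.1, that the poster's nat 1 was paired with a global (outside) 1 on the outside interface, and the contents of the vlan522_nat0_outbound ACL, which are constructed for the example.

```python
"""Toy model of ASA 8.2 NAT rule selection (added illustration, not Cisco code).

Modelled commands:
  nat (iface) 0 access-list ACL   NAT exemption, evaluated first
  nat (iface) ID access-list ACL  policy dynamic NAT, evaluated in configured order
  nat (iface) ID NET MASK         regular dynamic NAT, best (longest-prefix) match
  global (egress) ID ADDR         pool that nat ID translates into on that egress interface
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


def net(addr_mask: str) -> IPv4Net:
    """Parse ASA-style 'NET MASK' (or CIDR) into a network object."""
    return ipaddress.IPv4Network(addr_mask.replace(" ", "/"), strict=False)


@dataclass
class NatRule:
    iface: str
    nat_id: int
    acl: Optional[str] = None       # set for policy NAT and for the nat 0 exemption
    real: Optional[IPv4Net] = None  # set for regular dynamic NAT


@dataclass
class Asa:
    acls: Dict[str, List[Tuple[IPv4Net, IPv4Net]]] = field(default_factory=dict)
    nats: List[NatRule] = field(default_factory=list)
    globals_: Dict[Tuple[str, int], str] = field(default_factory=dict)

    # configuration commands
    def access_list(self, name: str, src: str, dst: str) -> None:
        self.acls.setdefault(name, []).append((net(src), net(dst)))

    def nat(self, iface: str, nat_id: int, acl: Optional[str] = None,
            real: Optional[str] = None) -> None:
        self.nats.append(NatRule(iface, nat_id, acl, net(real) if real else None))

    def global_(self, iface: str, nat_id: int, addr: str) -> None:
        self.globals_[(iface, nat_id)] = addr

    # lookup, in the 8.2 order of operations
    def _acl_hit(self, name: str, src: str, dst: str) -> bool:
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        return any(s in a and d in b for a, b in self.acls.get(name, []))

    def _apply(self, r: NatRule, egress: str, src: str) -> Tuple[str, Optional[str]]:
        pool = self.globals_.get((egress, r.nat_id))
        if pool is None:  # nat ID with no global on the egress interface: nothing to translate into
            return (f"nat ({r.iface}) {r.nat_id} matched, but no global ({egress}) "
                    f"{r.nat_id} exists: rule unusable", None)
        return (f"nat ({r.iface}) {r.nat_id} -> global ({egress}) {r.nat_id}", pool)

    def translate(self, ingress: str, src: str, dst: str, egress: str):
        """Return (matched rule, translated source), like a tiny packet-tracer."""
        mine = [r for r in self.nats if r.iface == ingress]
        for r in mine:  # 1. NAT exemption
            if r.nat_id == 0 and r.acl and self._acl_hit(r.acl, src, dst):
                return (f"nat ({ingress}) 0 access-list {r.acl}: exempt", src)
        for r in mine:  # 2. policy dynamic NAT, first match in configured order
            if r.nat_id != 0 and r.acl and self._acl_hit(r.acl, src, dst):
                return self._apply(r, egress, src)
        s = ipaddress.IPv4Address(src)  # 3. regular dynamic NAT, best match
        cands = [r for r in mine if r.real is not None and s in r.real]
        if cands:
            return self._apply(max(cands, key=lambda r: r.real.prefixlen), egress, src)
        return ("no nat rule matched", src)


OUTSIDE_IP = "203.0.113.1"  # constructed: the ASA's outside interface address


def op_config() -> Asa:
    """The original poster's attempt: policy nat 1 plus a catch-all nat 2 with no global 2."""
    asa = Asa()
    asa.access_list("vlan522_nat0_outbound", "10.1.0.0 255.255.255.248",
                    "172.16.80.0 255.255.255.0")  # constructed ACE; the real one is not shown
    asa.access_list("prtg-to-slott-net", "10.1.0.0 255.255.255.248", "172.18.0.0 255.255.255.0")
    asa.nat("vlan522", 0, acl="vlan522_nat0_outbound")
    asa.nat("vlan522", 1, acl="prtg-to-slott-net")
    asa.nat("vlan522", 2, real="0.0.0.0 0.0.0.0")
    asa.global_("outside", 1, OUTSIDE_IP)  # assumed: global (outside) 1 interface
    return asa


def fixed_config() -> Asa:
    """Jouni's fix: a dedicated nat/global pair (ID 100) for the VPN-bound flows."""
    asa = Asa()
    asa.access_list("L2LVPN-POLICYPAT", "10.1.0.0 255.255.255.248", "172.18.0.0 255.255.255.0")
    asa.nat("vlan522", 100, acl="L2LVPN-POLICYPAT")
    asa.global_("outside", 100, "172.16.80.254")
    asa.nat("vlan522", 1, real="0.0.0.0 0.0.0.0")  # original catch-all, kept as nat 1
    asa.global_("outside", 1, OUTSIDE_IP)          # assumed: global (outside) 1 interface
    return asa
```

Calling `op_config().translate("vlan522", "10.1.0.2", "198.51.100.10", "outside")` shows why rule 2 is never useful: the catch-all matches, but there is no global (outside) 2 to translate into. With the fixed configuration the same flow lands on nat 1/global 1, while 10.1.0.2 to 172.18.0.100 hits nat 100 and leaves as 172.16.80.254, an address inside the crypto domain.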

2 Replies


Jouni, you're really picking my questions and answering them one by one. You provide good short explanation, I now see the connection between the nat (int) VALUE and global (int) VALUE.

Thanks!
