12-13-2016 11:20 AM - edited 03-12-2019 01:39 AM
I am curious to know if the following two statements / Twice NAT rules are equivalent (accomplish/mean the same thing and function in the same way):
DmzHostA = a real host on the local DMZ segment
RemoteHostB = a real host on a remote network that accessed via an established VPN tunnel
#1) - nat (outside,dmz) source static RemoteHostB MappedIP-C destination static DmzHostA DmzHostA no-proxy-arp
"When RemoteHostB on a remote vpn connected network accesses DmzHostA on the DMZ network, translate address of RemoteHostB to MappedIP-C"
vs.
#2) - nat (dmz,outside) source static DmzHostA MappedIP-C destination static RemoteHostB RemoteHostB no-proxy-arp
"When host DmzHostA on the DMZ network accesses RemoteHostB on a remote vpn connected network, translate address of DmzHostA to MappedIP-C"
Would there be any differences between these with regards to defining interesting crypto traffic? For example, would one use, respective to the above, the following ACL entries to define the interesting VPN traffic:
For #1) - access-list MyVPN extended permit ip DmzHostA RemoteHostB
For #2) - access-list MyVPN extended permit ip MappedIP-C RemoteHostB
The reason for asking is that I see examples of configurations using the #2 method all the time but have come across an example using the #1 method and it 'seems' equivalent (as static nat is bidirectional) in a way but I was wondering if the #1 method affects traffic initiation and the ability to bring a tunnel up in any way.
Thanks.
12-13-2016 10:24 PM
In NAT #1 you are NATing RemoteHostB, which is across the outside interface, while in NAT #2 you are NATing DmzHostA, which is behind the dmz interface. These NAT rules are not solving one purpose, for sure, if that's what the question is.
Since this format is for bidirectional NAT, it can always be created in two ways, nat (x,y) and nat (y,x), provided we are using the same NATing parameters.
In regards to the crypto map, we need the interesting traffic, which means the source and destination that will hit the ingress interface of the ASA. So that will basically be the IP header src and dst IP as initiated by the sender.
Just keep in mind the format of the NAT statement and it should be easy:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_rules.html
Let me know if there are further questions.
-
AJ
12-14-2016 03:34 AM
Thank you for the response. It came to me overnight that I believe the 'equivalent' to #1 may be
nat (dmz,outside) source static DmzHostA DmzHostA destination static MappedIP-C RemoteHostB
Does this seem correct?
12-14-2016 03:49 AM
Yes, that is absolutely correct.
-
AJ
12-14-2016 12:47 PM
For the way #1 is written [nat (outside,dmz) .... ]
In addition to describing it as:
"When RemoteHostB on a remote vpn connected network accesses DmzHostA on the DMZ network, translate address of RemoteHostB to MappedIP-C"
Is it also correct to describe it as:
"When DmzHostA on the DMZ network accesses RemoteHostB via a remote vpn connected network, translate the destination address of RemoteHostB to MappedIP-C" ?
And a proper crypto ACL for defining interesting traffic (initiating traffic to remote host and bringing up the tunnel) would be:
access-list MyVPN extended permit ip DmzHostA RemoteHostB ?
Still working out a small bit of understanding for the Crypto ACLs as there are instances where one uses the NAT IP addresses in the Crypto ACL rather than the Real IP addresses. See: (http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/119425-configure-ipsec-00.html#anc10 - "Note: An ACL for VPN traffic uses the source and destination IP addresses after NAT.")
Thanks again.
12-15-2016 04:11 AM
Both the NAT description and the crypto ACL that you have mentioned are correct.
The VPN ACL needs to have the NATed source and destination, since the destination un-NAT and source NAT happen before the encryption happens.
-
AJ
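To make the two points of this thread concrete (that a static twice NAT rule is bidirectional, so nat (outside,dmz) #1 and its reversed nat (dmz,outside) form translate every packet identically while #2 does not, and that the crypto ACL is matched against the post-NAT addresses), here is a small Python model of the ASA twice NAT lookup. It is an added illustration, not code from the thread or from Cisco; the IP addresses stand in for the placeholder hosts DmzHostA, RemoteHostB and MappedIP-C and are constructed, and it assumes the VPN terminates on an interface named "outside" as in the thread.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample addresses for the thread's placeholder hosts (assumption, not from the thread).
DMZ_HOST_A = "10.10.10.10"        # DmzHostA, real host on the DMZ segment
REMOTE_HOST_B = "192.168.200.20"  # RemoteHostB, real host reached over the VPN
MAPPED_IP_C = "172.20.0.5"        # MappedIP-C, the translated address
VPN_IF = "outside"                # interface the tunnel terminates on (assumption)


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet is on: ingress for input, egress for output
    src: str
    dst: str


@dataclass(frozen=True)
class TwiceNat:
    """nat (real_if,mapped_if) source static SRC_REAL SRC_MAPPED destination static DST_MAPPED DST_REAL"""
    real_if: str
    mapped_if: str
    src_real: str
    src_mapped: str
    dst_mapped: str
    dst_real: str

    def translate(self, pkt: Packet) -> Optional[Packet]:
        # Forward direction: the packet enters on the real interface with the real
        # source and the *mapped* destination; it leaves with the mapped source and
        # the real destination.
        if (pkt.iface == self.real_if and pkt.src == self.src_real
                and pkt.dst == self.dst_mapped):
            return Packet(self.mapped_if, self.src_mapped, self.dst_real)
        # Reverse direction: static NAT is bidirectional, so a packet entering on the
        # mapped interface from the real destination toward the mapped source is
        # translated back the other way.
        if (pkt.iface == self.mapped_if and pkt.src == self.dst_real
                and pkt.dst == self.src_mapped):
            return Packet(self.real_if, self.dst_mapped, self.src_real)
        return None  # rule does not apply to this packet


# #1: nat (outside,dmz) source static RemoteHostB MappedIP-C destination static DmzHostA DmzHostA
RULE_1 = TwiceNat("outside", "dmz", REMOTE_HOST_B, MAPPED_IP_C, DMZ_HOST_A, DMZ_HOST_A)
# Reversed form proposed in the thread: nat (dmz,outside) source static DmzHostA DmzHostA destination static MappedIP-C RemoteHostB
RULE_1_REVERSED = TwiceNat("dmz", "outside", DMZ_HOST_A, DMZ_HOST_A, MAPPED_IP_C, REMOTE_HOST_B)
# #2: nat (dmz,outside) source static DmzHostA MappedIP-C destination static RemoteHostB RemoteHostB
RULE_2 = TwiceNat("dmz", "outside", DMZ_HOST_A, MAPPED_IP_C, REMOTE_HOST_B, REMOTE_HOST_B)

# Probe packets covering both initiation directions (constructed).
PROBES = [
    Packet("outside", REMOTE_HOST_B, DMZ_HOST_A),  # remote host initiates toward the DMZ
    Packet("dmz", DMZ_HOST_A, MAPPED_IP_C),         # DMZ host initiates toward the mapped address
    Packet("dmz", DMZ_HOST_A, REMOTE_HOST_B),       # DMZ host initiates toward the real remote address
]


def equivalent(a: TwiceNat, b: TwiceNat, probes: Iterable[Packet]) -> bool:
    """Two rules are equivalent when they translate every probe packet identically."""
    return all(a.translate(p) == b.translate(p) for p in probes)


def crypto_acl_entry(rule: TwiceNat, pkt: Packet, acl_name: str = "MyVPN") -> Optional[str]:
    """Crypto ACL line that would match this flow: NAT runs before encryption on the ASA,
    so the ACL must name the post-NAT source and destination of traffic leaving toward the VPN."""
    out = rule.translate(pkt)
    if out is None or out.iface != VPN_IF:
        return None
    return f"access-list {acl_name} extended permit ip host {out.src} host {out.dst}"


if __name__ == "__main__":
    print("#1 == reversed #1:", equivalent(RULE_1, RULE_1_REVERSED, PROBES))
    print("#1 == #2:", equivalent(RULE_1, RULE_2, PROBES))
    for rule, name in ((RULE_1, "#1"), (RULE_2, "#2")):
        for p in PROBES:
            print(name, p, "->", rule.translate(p), "|", crypto_acl_entry(rule, p))
```

Run as a script it prints the translation each rule applies to each probe and the crypto ACL line that flow would need. The DMZ-initiated probe toward MappedIP-C shows why, under #1, the crypto ACL lists DmzHostA and RemoteHostB (DmzHostA is untranslated and the destination is un-NATed to RemoteHostB before encryption), whereas under #2 it must list MappedIP-C and RemoteHostB.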