04-06-2023 11:54 AM
GOAL: Configure NAT in ASA (OS version 9.x) so that two LAN VPN devices can erect tunnels to one remote www VPN endpoint.
GIVEN: ASA Outside interface= 1.1.1.1 , remote www VPN endpoint= 2.2.2.2
CONFIGURATION:
object network VPN-DEVICES-LOCAL
ip address 172.16.2.2 255.255.255.255
ip address 172.16.9.2 255.255.255.255
nat (Inside,Outside) source static VPN-DEVICES-LOCAL 1.1.1.1 destination static 2.2.2.2 2.2.2.2
QUESTIONS:
1. Is the above configuration correct? If not, may you please show the correct configuration?
2. The outside interface IP address is used as egress IP for many LAN device translations. Does the ASA actually use a NAT overload technology here? When the LAN tunneling device communication exits the ASA egress interface, does the ASA map a unique port to this specific traffic, so that the return traffic will route to the specific LAN IP address of the initiating device?
Thank you!
04-06-2023 11:58 AM - edited 04-06-2023 12:29 PM
@jmaxwellUSAF if 1.1.1.1 is the outside interface IP address and you want that to be the translated address you must use "interface" in the NAT configuration.
nat (Inside,Outside) source dynamic VPN-DEVICES-LOCAL interface destination static 2.2.2.2 2.2.2.2
04-06-2023 12:25 PM
Thank you Rob.
May you please answer...
2. The outside interface is used as egress IP for many LAN device translations. Does the ASA actually use a NAT overload technology here? When the LAN tunneling device communication exits the ASA egress interface, does the ASA map a unique port to this specific traffic, so that the return traffic will route to the specific LAN IP address of the initiating device?
04-06-2023 12:33 PM
@jmaxwellUSAF yes, it uses PAT, hiding the real IP address behind the outside IP address of the ASA; return traffic will route to the specific IP address of the initiating device.
04-06-2023 12:43 PM - edited 04-06-2023 12:46 PM
Hello Rob.
GIVEN: ASA Outside interface= 1.1.1.1 , remote www VPN endpoint= 2.2.2.2
I just noticed you swapped out "static" for "dynamic"...
"nat (Inside,Outside) source dynamic VPN-DEVICES-LOCAL interface destination static 2.2.2.2 2.2.2.2"
For a while I have been confused with ASA logic vs Cisco IOS. I thought the ASA used the word "static" for NAT overload.
QUESTIONS:
In your config, does "interface" tell the ASA to use 1.1.1.1 for the outgoing source address?
Does this config make sense for the intent: 2 local devices erect a permanent VPN to a www remote VPN endpoint?
Thank you.
04-06-2023 12:47 PM
@jmaxwellUSAF "interface" tells the ASA to use the egress interface IP address.
FYI, NAT logic is as follows:
nat (SRCINT,DSTINT) source dynamic|static REAL-SRC TRANSLATED-SRC destination static REAL-DST TRANSLATED-DST
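Rob's template written out for the two devices in this thread, as an added example and not config posted by either participant: the object names are assumed, and the remote peer is wrapped in a network object because ASA twice NAT takes objects or object-groups rather than literal addresses. The show and packet-tracer lines at the end are the checks to run from exec mode once the rule is in.

```cisco
! Added example (not from the thread). Object names are assumed.
! One host object per local VPN device, grouped so one NAT rule covers both.
object network VPN-DEVICE-1
 host 172.16.2.2
object network VPN-DEVICE-2
 host 172.16.9.2
object-group network VPN-DEVICES-LOCAL
 network-object object VPN-DEVICE-1
 network-object object VPN-DEVICE-2
!
! Remote peer: real and mapped address are the same (identity NAT on the destination).
object network REMOTE-VPN-ENDPOINT
 host 2.2.2.2
!
! "source dynamic ... interface" = PAT both devices behind the Outside IP (1.1.1.1),
! but only for traffic whose destination is 2.2.2.2.
! IKE (UDP/500) and NAT-T (UDP/4500) carry ports, so the ASA keeps a distinct
! xlate per device; plain ESP has no ports for PAT to rewrite, so NAT-T is the
! usual way for two tunnels to share one mapped address.
nat (Inside,Outside) source dynamic VPN-DEVICES-LOCAL interface destination static REMOTE-VPN-ENDPOINT REMOTE-VPN-ENDPOINT
!
! Checks (exec mode): confirm the rule is installed, then simulate one
! device's IKE packet and confirm it hits this rule and leaves via Outside.
show nat detail
packet-tracer input Inside udp 172.16.2.2 500 2.2.2.2 500
! After both tunnels come up, each device should show its own PAT entry:
show xlate
```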