ASA with twice NAT on outside interface

Pavel Pokorny
Level 1

Dear all,

I have a question.

Situation:

ASA1 - ip address 1.2.3.4 (internet routable)

ASA2 - ip address 192.168.1.1 (RFC1918) and NATed 2.2.3.4

Address 2.2.3.4 is routed from internet to address 192.168.1.1.

I want to make an IPsec tunnel between those two ASAs.

But because ASA2 has an RFC1918 address, I need to make a NAT for the routable address.

What I would like to achieve is: when a packet comes from ASA1 (1.2.3.4) to 2.2.3.4, ASA2 makes a NAT so that 2.2.3.4 = 192.168.1.1. Is it possible? Because all of this is on the outside interface.

So, making some kind of static or twice NAT?

Thank you.

Pavel

4 Replies

If I understand you correctly, there is a NAT device in front of ASA2 that NATs the public IP 2.2.3.4 to the internal ASA-IP 192.168.1.1?

Then there is no NAT to be configured on ASA2. You have to:

  1. Configure the VPN on ASA1 with a peer address of 2.2.3.4
  2. Configure the VPN on ASA2 with a peer address of 1.2.3.4
  3. Make sure that the NAT-device allows UDP/500 and UDP/4500 to ASA2
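Added example (not part of the reply above): what those three steps look like as an IKEv2 site-to-site configuration on ASA1, under the replier's assumption that a NAT device in front of ASA2 forwards UDP/500 and UDP/4500 from 2.2.3.4 to 192.168.1.1. The protected subnets (10.1.0.0/16, 10.2.0.0/16), the object, ACL, proposal and crypto-map names, and the pre-shared key placeholder are assumptions, not values from the thread.

```cisco
! ASA1 (outside IP 1.2.3.4). Assumed LANs: 10.1.0.0/16 behind ASA1,
! 10.2.0.0/16 behind ASA2 -- replace with the real subnets.
!
! Phase 1: IKEv2 policy, enabled on the outside interface
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
! NAT traversal: with a NAT between the peers, ESP is carried inside UDP/4500.
! That is why step 3 requires the NAT device to pass UDP/500 and UDP/4500.
crypto isakmp nat-traversal 20
!
! Phase 2 proposal
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! Interesting traffic, plus identity NAT so the LAN-to-LAN traffic is not
! translated before it is encrypted
object network LAN-ASA1
 subnet 10.1.0.0 255.255.0.0
object network LAN-ASA2
 subnet 10.2.0.0 255.255.0.0
access-list VPN-TO-ASA2 extended permit ip object LAN-ASA1 object LAN-ASA2
nat (inside,outside) source static LAN-ASA1 LAN-ASA1 destination static LAN-ASA2 LAN-ASA2 no-proxy-arp route-lookup
!
! Step 1: the peer is the public address 2.2.3.4, not 192.168.1.1
crypto map OUTSIDE-MAP 10 match address VPN-TO-ASA2
crypto map OUTSIDE-MAP 10 set peer 2.2.3.4
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside
!
! The tunnel-group name is the address ASA1 sees IKE packets arriving from
tunnel-group 2.2.3.4 type ipsec-l2l
tunnel-group 2.2.3.4 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>
!
! Step 2: ASA2 is the mirror image, with "set peer 1.2.3.4" and
! "tunnel-group 1.2.3.4"; its outside interface keeps 192.168.1.1.
!
! Verification once traffic matching the ACL has been sent:
! show crypto ikev2 sa
! show crypto ipsec sa
```

This presupposes that the IKE packets actually reach ASA2 addressed to its own interface IP 192.168.1.1. If the ISP only routes 2.2.3.4 toward ASA2 without translating it, ASA2 will not process packets whose destination is 2.2.3.4, which is the situation the original poster describes in the later replies.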

Hi,

Thanks for responding.

No, there is no device in front of ASA2 doing NAT (that would also be a solution). There is just pure routing (the point-to-point link between ASA2 and the ISP is 192.168.1.0/28, i.e.).

So, by routing, ASA2 gets a packet with source 1.2.3.4 and destination 2.2.3.4, but ASA2 doesn't know what to do with a packet destined to address 2.2.3.4.

I know that this is not a problem when the mapped and real addresses are on different interfaces.

Does it make sense?

Thank you,

Pavel

In that case the ISP is doing the NAT for you and forwards all traffic for 2.2.3.4 to your ASA.

Just configure it with the public IPs as mentioned above. The packets from ASA1 will arrive with a destination of 192.168.1.1 on your ASA2, but ASA1 "sees" ASA2 as 2.2.3.4.

As I said, ISP is not doing NAT.

I need to make NAT myself.
