complicated nat

network770
Level 1

Hi there,

we have the following setup:

ASA--VPN--> vendor

The vendor is only allowing access from 192.168.10.10, so we are NATing our internal network to 192.168.10.10 and that is how we access the vendor's network over the IPsec VPN tunnel (i.e. the source address on the crypto maps is 192.168.10.10).  In addition to accessing the vendor from the internal network, we also want to give remote users access to the vendor as such:

remote user on the Internet ---accessing our ASA's public address on a given port ---> translate it to the vendor's network, but it has to go out as 192.168.10.10

so let's say:

our firewall's public ip address is : 1.1.1.1 (port to forward to vendor is 3333 for example)

vendor's network to access over vpn : 2.2.2.2 (part of the interesting traffic)

the vendor is seeing us as 192.168.10.10 (so our internal network, which is 192.168.55.0/24, is translated to 192.168.10.10 when going to 2.2.2.2)

and our internal network is: 192.168.55.0/24

What would the nats and globals look like?


Jennifer Halim
Cisco Employee

You would need to configure 3 things for this to work:

1) Allow traffic in and out the same interface, because both VPNs are terminated on the ASA outside interface:

same-security-traffic permit intra-interface

2) If you have split tunnel configured on your remote access VPN client, then allow the partner's subnet (from your example: 2.2.2.2).

3) I assume that you currently have the following NAT/Global:

access-list permit ip 192.168.55.0 255.255.255.0 host 2.2.2.2

nat (inside) 1 access-list

global (outside) 1 192.168.10.10

So for the remote access, you will need the following:

access-list remote-nat-acl permit ip host 2.2.2.2

nat (outside) 1 access-list remote-nat-acl

Hope that helps.

The remote users are coming from the public Internet; they will not be VPN'd in. The idea is that they will be accessing the firewall's public address on this given port across the Internet and then get forwarded over the VPN with the NAT'd address, as described in my question.

I understand your answer applies only if the users are remote access vpn clients.

How does that change things?

Hmm, this won't be easy without VPN, and I'm not even sure if it's supported.

What version of ASA do you have?

And also, this application that you need to access at the partner's end, is it just a website? Can you please advise what port it's listening on?

The version on the ASA is 8.2, but I will upgrade if this will work on 8.3... does it?

The vendor's application is a website.

Our firewall can listen on any port and forward the traffic to the vendor's website.

Are you saying this is not possible?

Possibly possible, but are you able to test it?

For version 8.2:

static (outside,outside) tcp interface 8333 2.2.2.2 80 netmask 255.255.255.255

nat (outside) 1 0 0

Assuming that you have "global (outside) 1 192.168.10.10", just have to make sure that the nat and global sequence number is the same.

Let me know if that works.
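Putting the pieces of the 8.2 answer above together with the addresses from the question, as an added example that is not part of the original thread and not Cisco's or the poster's configuration: the ACL names VENDOR_NAT, OUTSIDE_IN and VENDOR_CRYPTO are assumptions, and the IPs, the /24 and port 3333 are the ones given in the question. The crypto map, tunnel group and ISAKMP/IPsec policy for the vendor tunnel are assumed to already exist and are not shown.

```cisco
! Added example, not from the thread. Names in CAPS are assumed.
! 1) Internet user traffic enters and leaves the outside interface
same-security-traffic permit intra-interface

! 2) Existing outbound NAT: inside hosts reach the vendor as 192.168.10.10
access-list VENDOR_NAT extended permit ip 192.168.55.0 255.255.255.0 host 2.2.2.2
nat (inside) 1 access-list VENDOR_NAT
global (outside) 1 192.168.10.10

! 3) Port forward: 1.1.1.1:3333 on the outside interface is translated to 2.2.2.2:80
static (outside,outside) tcp interface 3333 2.2.2.2 80 netmask 255.255.255.255

! 4) Outside-to-outside source NAT, same nat id as the global above, so the
!    Internet user also leaves toward the vendor as 192.168.10.10
nat (outside) 1 0 0

! 5) Inbound ACL on outside. In 8.2 an ACL matches the mapped address, so it
!    names the ASA's own public IP and port, not 2.2.2.2:80.
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.1 eq 3333
access-group OUTSIDE_IN in interface outside

! 6) Crypto ACL: interesting traffic is the NATed source, as the question states
access-list VENDOR_CRYPTO extended permit ip host 192.168.10.10 host 2.2.2.2
```

Two points a practitioner would check before deploying this. First, the `any` in OUTSIDE_IN exposes the vendor's web application to every Internet source through your public IP; if the remote users come from known addresses, narrow that entry to them, and in either case log hits on the rule so the forwarded sessions are visible in syslog. Second, this is 8.2 syntax only: ASA 8.3 replaced `nat`, `global` and `static` with object and twice NAT and changed ACLs to match real rather than mapped addresses, so the same design has to be rewritten, not carried over, if you upgrade.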

That is what I had in mind as well, thanks for your feedback Jennifer, I will test this and let you know.
