DOUBLE NAT 8.3+

Joshua Maurer
Level 1

I want to NAT my L2L VPN tunnel IP address to an IP address scheme that I know will not conflict with my network. 

 

nat (INSIDE,OUTSIDE) source static INSIDE-REAL-NET INSIDE-REAL-NAT destination static VENDOR-MYNAT-SUB VENDOR-REAL-SUB

 

This allows me to map the inside with the inside nat. How do I map the vendor my nat with the vendor real?


6 Replies

Not exactly sure what you are asking here.

The NAT statement you posted will translate the source of INSIDE-REAL-NET to INSIDE-REAL-NAT.  It will also translate the destination IP of VENDOR-REAL-SUB to VENDOR-MYNAT-SUB.

But your question: How do I map the vendor my nat with the vendor real?

I am not sure what you mean here. You are already doing that in your NAT statement... if you are looking for a different answer please explain the question in more detail.

--
Please remember to select a correct answer and rate helpful posts

example

my network is 10.10.0.0/16

VPN subnet for inside: 172.29.20.0/24

VPN subnet for inside is what I will give the vendor. My server network address is 10.10.3.0/24. The reason for giving this NAT address is so that when I switch my network IP address scheme in the next few months I don't have to contact each vendor to have them change what address they are pointing to. I can make a quick change in the firewall.

 

Vendor  address I am natting to: 172.29.10.0/24

I am NATting the vendor address so that I have a network that does not conflict with my inside address. I have different 172.0.0.0/8 networks and a few 10.0.0.0/8 as well in use.

 

Vendor Real IP: 172.18.18.96/29

 

example:

I am using a block 172.29.20.16/29 for my inside.

I have 3 servers; each gets a VPN (mapped) address from the inside block:

Real server IP      VPN subnet for inside
10.10.3.200         172.29.20.17
10.10.3.201         172.29.20.18
10.10.3.202         172.29.20.19

The vendor is using 172.18.18.96/29 for their address scheme.

Vendor real IP      Vendor address I am NATting to (172.29.10.16/29)
172.18.18.97        172.29.10.17
172.18.18.98        172.29.10.18
172.18.18.99        172.29.10.19

 

object network vendor-nat-to
 subnet 172.29.10.16 255.255.255.248

object network vendor-real
 subnet 172.18.18.96 255.255.255.248

! twice NAT takes object names, not literal IPs; the two object names below are placeholders
object network server1-real
 host 10.10.3.200

object network server1-nat-to
 host 172.29.20.17

I set up a NAT for inside to out

nat (inside,outside) source static server1-real server1-nat-to destination static vendor-nat-to vendor-real

 

I would do that for each of the addresses. Now if that is true for NAT to vendor could I do it like this?

object network HQ-nat-to
 subnet 172.29.20.16 255.255.255.248

object-group network HQ-real
 network-object host 10.10.3.200
 network-object host 10.10.3.201
 network-object host 10.10.3.202

nat (outside,inside) source static vendor-real vendor-real destination static HQ-nat-to HQ-real

 

or is there  an easier way to do this?

Static NAT is bidirectional so I am not sure why you would want to do outside NAT for vendor incoming traffic.

If you are doing this to avoid having to have the vendor update their VPN configuration, this will not work.

So, does 172.18.18.97 (for example) overlap with an IP on your network?

But basically you would need to configure a NAT statement per server.  And you would need to define an IP address that the vendor will use to reach your network...

If you configure the following, for example:

object network LAN_real_IP
  host 10.10.3.200

object network LAN_mapped_IP
  host 172.29.20.17

object network remote_real_IP
  host 172.18.18.97

object network remote_mapped_IP
  host 172.29.10.17

nat (inside,outside) source static LAN_real_IP LAN_mapped_IP destination static remote_mapped_IP remote_real_IP

In this configuration you would need to send traffic to the IP of 172.29.10.17.  Your source IP will be translated to 172.29.20.17 and your destination IP will be translated to 172.29.10.17.  This will also be true for the return traffic.

If the vendor will be initiating traffic they would need to send to the IP of 172.29.20.17.  Not to mention they would need to have that IP configured in their VPN configuration so that it will be encrypted.

--
Please remember to select a correct answer and rate helpful posts

I want to NAT the outside incoming traffic so that I have a network I can manage for VPN tunnel access. Yes, 172.18.18.0/24 overlaps. The vendor had 3 different networks, 10.168.16.0/24 and 10.34.64.0/24, that all overlap my current network. My company has another network that is tied to ours that is using some of the networks. So I thought that NATting the outside vendor's traffic to a subnet that I know is not being used would help with this issue. And in the process of doing this I need to be able to NAT the remote network so that we can hit the correct networks.

 

I am NATing the inside to another network address because we are moving to a different network address scheme to begin to better manage our network. I was thinking that if I give the vendor the NAT address I have the inside mapped to, I could change the address in the firewall and the vendor does not see the change on their end.

What you are saying is that if I have 3 of my servers that need to talk to all 3 of their servers I would have to static NAT 9 lines of NATs for that to work?

Though I have never tried anything like this before, I think it is possible to do with one NAT statement per server.  Of course you will also need to configure the object groups for each local server and remote server (both real and NAT IPs) if you haven't done so already.

As I mentioned earlier, static NAT is bidirectional.  If I understand correctly you do not want to NAT the destination IP.  So if we look at the example I used earlier and change it a little so it is the following:

object network LAN_real_IP
  host 10.10.3.200

object network LAN_mapped_IP
  host 172.29.20.17

object network remote_real_IP
  host 172.18.18.97

nat (inside,outside) source static LAN_real_IP LAN_mapped_IP destination static remote_real_IP remote_real_IP

This here will NAT the LAN IP to 172.29.20.17 while the destination IP will remain the same.  This will also NAT any traffic from your vendor that is going to the IP of 172.29.20.17 back to the LAN IP.

Hope that explanation is clear.

So, you would require 1 NAT statement per server, but you will also need to create the necessary object groups for both real and NAT IPs for all servers that you are creating these NAT statements for.

--
Please remember to select a correct answer and rate helpful posts
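The two rules from the accepted answers (destination NATted, and destination left as-is), modelled as an added Python example that is not code from the thread or from Cisco. It assumes an ASA maps equal-size static objects one-to-one by position, which generalises the thread's single-host objects to range objects so one statement covers all three servers; the addresses are the thread's own example hosts.

```python
# Added example: model of an ASA 8.3+ twice-NAT rule of the form
#   nat (inside,outside) source static A B destination static C D
# and of how the same rule untranslates traffic in the other direction.
# Assumption: hosts map one-to-one by position, as for equal-size static objects.
LAN_REAL = ["10.10.3.200", "10.10.3.201", "10.10.3.202"]       # A: real inside servers
LAN_MAPPED = ["172.29.20.17", "172.29.20.18", "172.29.20.19"]   # B: what the vendor sees
VENDOR_REAL = ["172.18.18.97", "172.18.18.98", "172.18.18.99"]  # D: vendor's real hosts
VENDOR_MAPPED = ["172.29.10.17", "172.29.10.18", "172.29.10.19"]  # C: what inside sends to


def _map(addr, from_list, to_list):
    """One-to-one positional mapping; None means the address is not in the object."""
    return to_list[from_list.index(addr)] if addr in from_list else None


class TwiceNatRule:
    """source static src_real src_mapped destination static dst_mapped dst_real"""

    def __init__(self, src_real, src_mapped, dst_mapped, dst_real):
        self.src_real, self.src_mapped = src_real, src_mapped
        self.dst_mapped, self.dst_real = dst_mapped, dst_real

    def translate(self, direction, src, dst):
        """Return (new_src, new_dst), or None when the packet does not match the rule."""
        if direction == "inside->outside":
            # Forward: real source -> mapped source, mapped destination -> real destination.
            new_src = _map(src, self.src_real, self.src_mapped)
            new_dst = _map(dst, self.dst_mapped, self.dst_real)
        elif direction == "outside->inside":
            # Static NAT is bidirectional: the same rule handles replies and any
            # vendor-initiated packet sent to the mapped inside address.
            new_src = _map(src, self.dst_real, self.dst_mapped)
            new_dst = _map(dst, self.src_mapped, self.src_real)
        else:
            raise ValueError(f"unknown direction {direction!r}")
        if new_src is None or new_dst is None:
            return None  # no match: e.g. inside sends to the vendor's real IP under rule 1
        return new_src, new_dst


# Rule 1: both ends NATted (first accepted answer), one statement for all three hosts.
BOTH_ENDS = TwiceNatRule(LAN_REAL, LAN_MAPPED, VENDOR_MAPPED, VENDOR_REAL)
# Rule 2: identity destination (second accepted answer), only the inside side NATted.
SOURCE_ONLY = TwiceNatRule(LAN_REAL, LAN_MAPPED, VENDOR_REAL, VENDOR_REAL)

if __name__ == "__main__":
    print(BOTH_ENDS.translate("inside->outside", "10.10.3.200", "172.29.10.17"))
    print(BOTH_ENDS.translate("outside->inside", "172.18.18.97", "172.29.20.17"))
    print(BOTH_ENDS.translate("inside->outside", "10.10.3.200", "172.18.18.97"))
    print(SOURCE_ONLY.translate("outside->inside", "172.18.18.98", "172.29.20.18"))
```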

Thank you for the rating ☺
--
Please remember to select a correct answer and rate helpful posts