10-26-2009 04:25 AM - edited 03-11-2019 09:31 AM
Hello,
I have a question regarding dynamic policy NAT and IPSEC Site2Site connections.
Kinda hard to explain, but I will do my best.
The current setup is
- two sites, site A (ASA 5520) and site B (ASA5505). Botw with FW 8.2
- Both sites are connected via IPSec S2S tunnel
- At site A I have a customer router connected, with a transfer network of 192.168.1.0/29
- Our customer requieres us to SNAT every connection that goes to the customer network 172.16.0.0/20
- The SNAT IP has to be from the transfer network 192.168.1.0/29
At site A it works quite simple.
I have a dynamic policy NAT defined that every source IP from site A ( 10.10.0.0/10 )
that has 172.16.0.0/20 as destination will be translated to 192.168.1.1
The problem is site B ( 10.20.0.0/16 ).
In this case I have a dyn. policy NAT at the ASA5505 at site B.
Every source IP from site B ( 10.20.0.0/10 ) that has 172.16.0.0/20 as destination will be translated to 192.168.1.2.
This IP is included in the S2S tunnel to site A and should be normaly forwared.
When I try to access the customer network at site A, it works pretty fine. When I try this at site B I don't get any connection.
At site B I don't see any errors. ACLs, NAT, the IPSec tunnel, everything seems to be fine. The source IP gets natted, enters the tunnel and is sent to site A.
At site A I also don't see any errors at all.
All I see is something like this on the ASA site A:
6 Oct 26 2009 12:18:04 302013 192.168.2.1 14304 10.188.45.68 8001 Built inbound TCP connection 182622841 for outside:192.168.2.1/14304 (192.168.2.1/14304) to int_trans_network:172.16.1.1/8001 (172.16.1.1/8001)
Strange thing is that I don't see any packets leaving the interface on the ASA. Is there any FW bug?!
Any comments and recommendations are welcome!!
Regards
Tom
10-28-2009 11:11 AM
First of all, I think it might be easier if you do the NAT on the customer router, if possible.
If that's not an option, you could do the NAT for site B also on the ASA on site A.
If you want to stick with your current solution, do you really need policy nat? I suppose you could just use global PAT. Anyway to troubleshoot: I see you NAT to 192.168.2.x on ASA B, but you said the customer requires 192.168.1.x, could that be it?
If not, check the "packet-tracer" command to verify what happens to a packet coming from B.
One other thing: you'll need a static route for the return traffic to site B.
10-29-2009 02:32 AM
Unfortunately it is not possible for me to do the NAT on the customer router. They have certain policies that force me to do it on my devices.
The IPs are correct. Must have been a typo since I had to replace all the original addresses due to our NDA.
How can I implement a static NAT or policy NAT at the ASA on site A?
When a user from site B wants to access the customer network, the request is included in the vpn tunnel and send to the ASA at site A. And now I don't know where I can implement the NAT rule.
Then I could also use PAT.
Just don't know the "right" place for this NAT rule.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide