05-23-2011 06:30 PM - edited 03-11-2019 01:37 PM
Our ASA5520 firewall is running in single context router mode, IOS 804-7.
We currently have a L2L VPN via CELLNET to/from interface ACC, peer is 172.31.99.50.
Security-levels 50 to 60
To avoid NAT we use nat (ACC) 0 access-list ACC_nat0_out to filter specific address not to NAT.
As well as Identity-NAT to avoid NATing this CELLNET-ACC traffic.
We are hoping to get some advice / guidance on using global/static NAT along with Identity-NAT on the same interface.
Thanks for any and all assistance.
Frank
--Hopefully this is enough of the config to answer all questions pertaining to our question; if not please let me know.
!
interface Redundant1.15
vlan 15
nameif ACC
security-level 60
ip address 192.168.2.1 255.255.255.240
!
interface Redundant1.31
vlan 31
nameif CELLNET
security-level 50
ip address 192.168.1.12 255.255.255.240
!
interface Redundant1.41
vlan 41
nameif DCVNET
security-level 41
ip address 10.0.7.129 255.255.255.128
!
boot system disk0:/asa804-7-k8.bin
!
global (outside) 1 interface
global (ENG) 1 interface
global (DCVNET) 1 interface
nat (management) 0 access-list management_nat0_outbound
nat (management) 1 10.0.6.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 1 10.0.1.0 255.255.255.0
nat (ACC) 0 access-list ACC_nat0_out
static (inside,ENG) tcp 10.0.0.1 8807 10.0.0.201 6107 netmask 255.255.255.255
static (inside,CELLNET) ASA-VIP 10.0.0.200 netmask 255.255.255.255
static (inside,outside) ###.##.##.# 10.0.0.200 netmask 255.255.255.255
static (inside,CELLNET) 192.168.1.10 10.0.0.50 netmask 255.255.255.255
static (inside,CELLNET) 192.168.1.11 10.0.0.51 netmask 255.255.255.255
!
crypto ipsec transform-set CELL-TS esp-3des esp-sha-hmac
!
crypto map CELLNET_map 1 match address CELLNET-ACE
crypto map CELLNET_map 1 set pfs
crypto map CELLNET_map 1 set connection-type answer-only
crypto map CELLNET_map 1 set peer 172.31.99.50
crypto map CELLNET_map 1 set transform-set CELL-TS
crypto map CELLNET_map 1 set nat-t-disable
crypto map CELLNET_map interface CELLNET
!
crypto isakmp identity address
crypto isakmp enable CELLNET
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
!
no crypto isakmp nat-traversal
!
tunnel-group 172.31.99.50 type ipsec-l2l
tunnel-group 172.31.99.50 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold infinite
05-23-2011 07:22 PM
Hi,
Well, I don't see any issue why you can't add another identity NAT on DCVNET; the global doesn't utilize the whole IP, it just takes the ports on that particular IP. That's why it is called Port Address Translation. Moreover, could you please let me know what NAT identity you are thinking to implement? Maybe I'll check the statement and let you know. If you have such a situation, you can always use static port forwarding as well.
Thanks,
Varun
05-24-2011 05:57 AM
Hi Varun,
Thanks for trying to assist.
I am having trouble understanding your response; could you elaborate on your idea of static port forwarding?
Tks
Frank
05-23-2011 07:24 PM
I assume that your VPN will still be terminated on CELLNET interface, and you would need access to DCVNET subnet.
Since the interface that terminates the VPN has a higher security level than the DCVNET interface (which is not a normal setup typically), you would need to configure the following to exempt the traffic from being NATed:
access-list CELLNET_nat0_out permit ip <remote-vpn-subnet> <mask> <DCVNET-subnet> <mask>
nat (CELLNET) 0 access-list CELLNET_nat0_out
(The source/destination of the access-list entry did not survive in the post; the bracketed fields are placeholders for the remote VPN subnet and the DCVNET subnet.)
The above NAT exemption takes precedence over any other NAT translation.
Hope that helps.
05-24-2011 05:50 AM
Thanks Jennifer,
Your assumption is correct, we plan to enable a new L2L VPN on the CELLNET interface and the remote users on this new VPN will need access to the DCVNET network.
As I now understand, NAT on the ASA works much like routing, the most specific rule/route takes precedence.
I'll try to implement your suggestions ASAP.
I'll provide feedback as soon as I have something!
Thanks again
Frank
05-26-2011 05:28 AM
UPDATE!
We implemented the L2L VPN between the cell client device and the ASA5520 firewall (see config above).
Once the VPN tunnel was operational, no further configuration was required for traffic to flow.
Just to make it clear, we did NOT enable any additional types of NAT than what was already enabled, we only added the L2L VPN portion.
If I had to make a guess about what is happening with this setup, due to the security level [High-to-Low], traffic is free to flow without restrictions.
Perhaps we now have a gaping hole in the firewall but at least Management is HAPPY, and that is really all that matters - RIGHT!
Thanks again!
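The question of whether a nat 0 exemption, a static and a global/PAT rule can coexist on one interface, which Jennifer's answer and Frank's update both touch on, comes down to the fixed lookup order the pre-8.3 ASA applies: NAT exemption first, then static NAT/PAT, then dynamic NAT/PAT, and if nothing matches the packet is dropped under nat-control and passed untranslated without it (8.0 defaults to no nat-control). The script below is an added example written for this thread, not Cisco code or the poster's configuration; it models that order in Python and loads the statics, nat/global pairs and interface subnets shown in the original post. The remote VPN subnet 172.31.100.0/24 and the test hosts are constructed values, since the thread never gives them.

```python
"""Model of the ASA 8.0-8.2 (pre-8.3) NAT order of operations for one flow.

Lookup order, as documented by Cisco for these releases:
  1. NAT exemption          nat (real_if) 0 access-list <acl>
  2. Static NAT / PAT       static (real_if,mapped_if) <mapped> <real>
  3. Dynamic NAT / PAT      nat (real_if) <id> <net>  +  global (egress_if) <id>
  4. No match: drop if nat-control is enabled, else forward untranslated.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class ExemptEntry:            # one ACE of a "nat 0 access-list" (src -> dst)
    src: IPv4Network
    dst: IPv4Network


@dataclass(frozen=True)
class Static:                 # static (real_if,mapped_if) mapped_ip real_ip
    real_if: str
    mapped_if: str
    real_ip: IPv4Address
    mapped_ip: IPv4Address


@dataclass(frozen=True)
class Dynamic:                # nat (real_if) nat_id net mask
    real_if: str
    nat_id: int
    net: IPv4Network


@dataclass
class AsaNat:
    nat_control: bool = False                        # "no nat-control" is the 8.0 default
    exemptions: dict = field(default_factory=dict)   # real_if -> [ExemptEntry]
    statics: list = field(default_factory=list)
    dynamics: list = field(default_factory=list)
    globals_: dict = field(default_factory=dict)     # (egress_if, nat_id) -> "interface"

    def lookup(self, src_if, dst_if, src_ip, dst_ip):
        """Return (rule_type, translated_source) for a packet entering src_if bound for dst_if."""
        src_ip, dst_ip = ip_address(src_ip), ip_address(dst_ip)
        # 1. NAT exemption: checked before anything else, regardless of ACL specificity.
        for ace in self.exemptions.get(src_if, []):
            if src_ip in ace.src and dst_ip in ace.dst:
                return ("exempt", str(src_ip))
        # 2. Static NAT/PAT between this real and mapped interface pair.
        for s in self.statics:
            if s.real_if == src_if and s.mapped_if == dst_if and s.real_ip == src_ip:
                return ("static", str(s.mapped_ip))
        # 3. Dynamic NAT/PAT: a nat statement only applies if a global with the
        #    same id exists on the egress interface.
        for d in self.dynamics:
            if d.real_if == src_if and src_ip in d.net:
                pool = self.globals_.get((dst_if, d.nat_id))
                if pool is not None:
                    return ("dynamic-pat" if pool == "interface" else "dynamic", pool)
        # 4. Nothing matched.
        return ("denied", None) if self.nat_control else ("untranslated", str(src_ip))


# Subnets: DCVNET comes from the posted interface config; the remote VPN subnet is constructed.
DCVNET_NET = ip_network("10.0.7.128/25")
REMOTE_VPN_NET = ip_network("172.31.100.0/24")      # constructed placeholder


def thread_config(nat_control=False, with_cellnet_exemption=False):
    """Build the NAT table from the statics/nat/global lines in the original post."""
    asa = AsaNat(nat_control=nat_control)
    asa.statics += [
        Static("inside", "CELLNET", ip_address("10.0.0.50"), ip_address("192.168.1.10")),
        Static("inside", "CELLNET", ip_address("10.0.0.51"), ip_address("192.168.1.11")),
    ]
    asa.dynamics += [
        Dynamic("inside", 1, ip_network("10.0.0.0/24")),
        Dynamic("inside", 1, ip_network("10.0.1.0/24")),
        Dynamic("management", 1, ip_network("10.0.6.0/24")),
    ]
    asa.globals_.update({("outside", 1): "interface", ("ENG", 1): "interface",
                         ("DCVNET", 1): "interface"})
    if with_cellnet_exemption:                        # Jennifer's suggested nat (CELLNET) 0 rule
        asa.exemptions["CELLNET"] = [ExemptEntry(REMOTE_VPN_NET, DCVNET_NET)]
    return asa


if __name__ == "__main__":
    for label, asa in (("as posted", thread_config()),
                       ("with nat (CELLNET) 0", thread_config(with_cellnet_exemption=True)),
                       ("as posted + nat-control", thread_config(nat_control=True))):
        print(label, asa.lookup("CELLNET", "DCVNET", "172.31.100.7", "10.0.7.200"))
    print("static wins over PAT", thread_config().lookup("inside", "CELLNET", "10.0.0.50", "192.168.1.5"))
    print("PAT to outside", thread_config().lookup("inside", "outside", "10.0.0.77", "198.51.100.9"))
```

The three CELLNET-to-DCVNET runs reproduce the thread: with the exemption the flow is matched at step 1 and nothing later on that interface can translate it; without it, and with nat-control left at its default, the same flow is forwarded untranslated, which is consistent with the update reporting that traffic passed once the tunnel came up with no NAT changes. Enabling nat-control in the model turns that silent pass into a drop, which is the check to run before relying on the observed behaviour.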