Global / Static NAT and Identity-NAT on same interface?

fsebera
Level 4

Our ASA5520 firewall is running in single context routed mode, IOS 804-7.

We currently have a L2L VPN via CELLNET to/from interface ACC; the peer is 172.31.99.50.

Security-levels 50 to 60

To avoid NAT we use nat (ACC) 0 access-list ACC_nat0_out to keep specific addresses from being NATed, as well as Identity-NAT to avoid NATting this CELLNET-ACC traffic.

  • We want to enable a second L2L VPN via CELLNET to/from DCVNET.
  • Security-levels 50 to 41
  • Global static NAT is already enabled on this interface (DCVNET) and now we want to use Identity-NAT here also.

We are hoping to get some advice / guidance on using global/static NAT along with Identity-NAT on the same interface.

Thanks for any and all assistance.

Frank

--Hopefully this is enough of the config to answer all questions pertaining to our question; if not please let me know.

!
interface Redundant1.15
 vlan 15
 nameif ACC
 security-level 60
 ip address 192.168.2.1 255.255.255.240
!
interface Redundant1.31
 vlan 31
 nameif CELLNET
 security-level 50
 ip address 192.168.1.12 255.255.255.240
!
interface Redundant1.41
 vlan 41
 nameif DCVNET
 security-level 41
 ip address 10.0.7.129 255.255.255.128
!
boot system disk0:/asa804-7-k8.bin
!
global (outside) 1 interface
global (ENG) 1 interface
global (DCVNET) 1 interface
nat (management) 0 access-list management_nat0_outbound
nat (management) 1 10.0.6.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 1 10.0.1.0 255.255.255.0
nat (ACC) 0 access-list ACC_nat0_out
static (inside,ENG) tcp 10.0.0.1 8807 10.0.0.201 6107 netmask 255.255.255.255
static (inside,CELLNET) ASA-VIP 10.0.0.200 netmask 255.255.255.255
static (inside,outside) ###.##.##.# 10.0.0.200 netmask 255.255.255.255
static (inside,CELLNET) 192.168.1.10 10.0.0.50 netmask 255.255.255.255
static (inside,CELLNET) 192.168.1.11 10.0.0.51 netmask 255.255.255.255
!
crypto ipsec transform-set CELL-TS esp-3des esp-sha-hmac
!
crypto map CELLNET_map 1 match address CELLNET-ACE
crypto map CELLNET_map 1 set pfs
crypto map CELLNET_map 1 set connection-type answer-only
crypto map CELLNET_map 1 set peer 172.31.99.50
crypto map CELLNET_map 1 set transform-set CELL-TS
crypto map CELLNET_map 1 set nat-t-disable
crypto map CELLNET_map interface CELLNET
!
crypto isakmp identity address
crypto isakmp enable CELLNET
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
!
no crypto isakmp nat-traversal
!
tunnel-group 172.31.99.50 type ipsec-l2l
tunnel-group 172.31.99.50 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold infinite

5 Replies

varrao
Level 10

Hi,

Well, I don't see any issue why you can't add another identity NAT on DCVNET; the global doesn't utilize the whole IP, it just takes the ports on that particular IP. That's why it is called Port Address Translation. Moreover, could you please let me know what NAT identity you are thinking to implement; maybe I'll check the statement and let you know. If you have such a situation, you can always use static port forwarding as well.

Thanks,

Varun


Hi Varun,

Thanks for trying to assist.

I am having trouble understanding your response; could you elaborate on your idea of static port forwarding?

Tks

Frank

Jennifer Halim
Cisco Employee

I assume that your VPN will still be terminated on CELLNET interface, and you would need access to DCVNET subnet.

Since the interface that terminates the VPN has a higher security level than the DCVNET interface (which is not a typical setup), you would need to configure the following to exempt the traffic from being NATed:

access-list CELLNET_nat0_out permit ip

nat (CELLNET) 0 access-list CELLNET_nat0_out

The above NAT exemption takes precedence over any other NAT translation.

Hope that helps.
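The reply above gives the shape of the fix; the block below is an added example, not from the thread or either poster, that writes it out in full on top of the posted config. The DCVNET subnet 10.0.7.128/25 comes from the interface stanza above; the second peer 172.31.99.60, its protected subnet 10.50.0.0/24, the ACL and group-policy names, and the HTTPS-only filter are assumptions chosen for illustration. Two things the one-line ACL in the reply leaves implicit: the exemption entry needs an explicit source and destination, written from the CELLNET (real) side, i.e. remote subnet to DCVNET subnet; and because nat 0 access-list is evaluated before static and dynamic NAT on 8.0, it takes precedence over global (DCVNET) 1 interface without any change to that line.

```cisco
! Added example (not from the thread): NAT exemption and a second L2L tunnel
! landing on CELLNET with protected hosts on DCVNET (10.0.7.128/25 per the
! posted config). The remote peer 172.31.99.60, its protected subnet
! 10.50.0.0/24 and the ACL / group-policy names are ASSUMED placeholders.
!
! 1. Exemption ACL, seen from the real (CELLNET) side: remote subnet to the
!    DCVNET subnet. Source and destination must both be explicit.
access-list CELLNET_nat0_out extended permit ip 10.50.0.0 255.255.255.0 10.0.7.128 255.255.255.128
!
! 2. Bind it. nat 0 access-list is checked before static and dynamic NAT,
!    so it wins over global (DCVNET) 1 interface, which stays as it is.
nat (CELLNET) 0 access-list CELLNET_nat0_out
!
! 3. Interesting-traffic ACL for the new tunnel: the mirror image of the
!    exemption, written from the ASA's side (local DCVNET -> remote).
access-list DCVNET-ACE extended permit ip 10.0.7.128 255.255.255.128 10.50.0.0 255.255.255.0
!
! 4. Second entry on the existing crypto map; the sequence number must differ
!    from the existing entry 1. The map is already applied to CELLNET.
crypto map CELLNET_map 2 match address DCVNET-ACE
crypto map CELLNET_map 2 set pfs
crypto map CELLNET_map 2 set connection-type answer-only
crypto map CELLNET_map 2 set peer 172.31.99.60
crypto map CELLNET_map 2 set transform-set CELL-TS
crypto map CELLNET_map 2 set nat-t-disable
!
tunnel-group 172.31.99.60 type ipsec-l2l
tunnel-group 172.31.99.60 ipsec-attributes
 pre-shared-key <key>
!
! 5. Do not rely on security levels to limit what the tunnel can reach:
!    decrypted VPN traffic bypasses interface ACLs while
!    "sysopt connection permit-vpn" (the default) is in effect. A vpn-filter
!    on the tunnel's group-policy restricts it; for L2L the filter ACL is
!    written remote -> local. Here only HTTPS into DCVNET is allowed.
access-list DCVNET-VPN-FILTER extended permit tcp 10.50.0.0 255.255.255.0 10.0.7.128 255.255.255.128 eq 443
group-policy DCVNET-GP internal
group-policy DCVNET-GP attributes
 vpn-filter value DCVNET-VPN-FILTER
tunnel-group 172.31.99.60 general-attributes
 default-group-policy DCVNET-GP
```

The alternative to the vpn-filter is `no sysopt connection permit-vpn` plus an ordinary access-group on CELLNET, but that then also governs the existing ACC tunnel, so the per-tunnel filter is the smaller change.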

Thanks Jennifer,

Your assumption is correct: we plan to enable a new L2L VPN on the CELLNET interface, and the remote users on this new VPN will need access to the DCVNET network.

As I now understand, NAT on the ASA works much like routing: the most specific rule/route takes precedence.

I'll try to implement your suggestions ASAP.

I'll provide feedback as soon as I have something!

Thanks again

Frank

UPDATE!

We implemented the L2L VPN between the cell client device and the ASA5520 firewall (see config above).

Once the VPN tunnel was operational, no further configuration was required for traffic to flow.

Just to make it clear, we did NOT enable any additional types of NAT beyond what was already enabled; we only added the L2L VPN portion.

If I had to make a guess about what is happening with this setup, due to the security level [High-to-Low], traffic is free to flow without restrictions.

Perhaps we now have a gaping hole in the firewall, but at least Management is HAPPY, and that is really all that matters - RIGHT!

Thanks again!
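The update above reports the outcome without the evidence; the checks below are an added example, not part of the thread, of how to read it off the box. The remote host 10.50.0.10 and DCVNET host 10.0.7.200 are assumed placeholders. What the posted config predicts, and these commands confirm: global (DCVNET) 1 interface only translates traffic from interfaces that carry a nat (…) 1 statement (inside and management here), there is no nat (CELLNET) 1, so CELLNET-sourced traffic toward DCVNET matches no dynamic rule, and with nat-control off (the default since 7.0) a flow that matches no NAT rule is passed untranslated. The packet-tracer output also shows whether the flow was admitted by the security-level default or by the sysopt permit-vpn bypass, which is the "gaping hole" question.

```cisco
! Added verification example (not from the thread). 10.50.0.10 (remote,
! behind the new tunnel) and 10.0.7.200 (on DCVNET) are ASSUMED placeholders.
!
! Is NAT control on? With "no nat-control" a flow matching no NAT rule is
! forwarded untranslated, which is what makes "no further configuration" work.
show running-config all nat-control
!
! Every NAT rule, in the families the ASA evaluates them: exemptions and
! dynamic (nat), static, and the global pools they pair with by nat_id.
show running-config nat
show running-config static
show running-config global
!
! Trace the inbound VPN flow. The NAT phase names the rule that matched (or
! shows none); the ACCESS-LIST phase shows either the interface ACL decision
! or the "sysopt connection permit-vpn" bypass.
packet-tracer input CELLNET tcp 10.50.0.10 40000 10.0.7.200 443 detailed
!
! Confirm the new peer's SAs exist and that encaps/decaps counters move, so
! the traffic is actually inside the tunnel rather than arriving in clear.
show crypto isakmp sa
show crypto ipsec sa peer 172.31.99.60
!
! Live translations and connections for the DCVNET host. A correctly
! exempted or untranslated VPN flow never shows a PAT to the DCVNET
! interface address 10.0.7.129.
show xlate
show conn address 10.0.7.200
```

If packet-tracer's NAT phase ever starts naming a dynamic rule for this flow (for example after someone adds nat (CELLNET) 1 to reach another segment), that is the moment the nat (CELLNET) 0 exemption from the earlier reply stops being optional.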
