Hide NAT

saroj pradhan
Level 1

Hi,

 

Can someone guide me on configuring Hide NAT on the Cisco ASA 5510 firewall? I am using the ASA in my network. Traffic from the users on the inside interface needs to go to the DMZ interface and access the three remote servers through a site-to-site VPN. The VPN device is connected between the Internet router and the ASA DMZ.

 

Please advise,

 

Saroj

36 Replies

Leo Laohoo
Hall of Fame

Duplicate post. 

 

Go here:  https://supportforums.cisco.com/discussion/12252981/hide-nat

I need the commands to configure it, either through ASDM or the CLI.

 

 

Regards,

Saroj

Jouni Forss
VIP Alumni

Hi,

 

I think we need a bit more information to confirm what the actual situation is.

 

If I understood correctly you have a VPN device behind the DMZ interface of the ASA that has the L2L VPN connection behind which the resources you need are.

It also seems that you would be needing a NAT configuration that does a translation for "inside" -> "dmz" traffic ONLY when the traffic is destined to the remote network behind the L2L VPN connection?

In that case you would probably use a Dynamic Policy PAT type of configuration.

 

Can you confirm the above information? Naturally, it would help if you can provide some current configuration OR tell us the network/IP information related to the required NAT and how it is supposed to work. Another important piece of information is which software version your ASA is running, as the NAT configuration format might be completely different depending on the software you are running (8.2 and below vs. 8.3 and above have totally different NAT configuration formats).

 

- Jouni

please find the details.

 

I have one Internet router. Behind it the ASA firewall is connected, then the L3 switch.

The VPN device's public interface is connected to the Internet router and its private interface is connected to the ASA firewall DMZ. For connecting the ASA and the VPN router we are using a /29 of private IP address space. The traffic of the users in one VLAN needs to access the remote servers through the VPN device. For example, the users' subnet 172.16.58.0/24 needs to access the server IP address 209.196.208.52 through the VPN device.

 

I am also enclosing the Visio of the network in PDF form for better understanding.

 

 

 

regards,

saroj

Hi,

 

Ok, that clarifies things a bit but I am still wondering what is the NAT IP address you want to use? What is the IP address with which the users connections should be visible to the remote server?

 

Also, you did not mention the ASA's software level, which we need to know for the correct NAT configuration format.

 

To give you an example of both configuration formats, they could be the following:

 

Software 8.2 and below

access-list VPN-POLICYPAT remark Policy NAT for L2L VPN
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 host 209.196.208.52

 

global (dmz) 200 interface

or

global (dmz) 200 <NAT ip address>

 

nat (inside) 200 access-list VPN-POLICYPAT

 

Software 8.3 and above

 

object network SMX-LAN
 subnet 172.16.58.0 255.255.255.0

object network REMOTE-SERVER
 host 209.196.208.52

nat (inside,dmz) source dynamic SMX-LAN interface destination static REMOTE-SERVER REMOTE-SERVER

The above configuration uses the "interface" parameter to define that the "dmz" interface IP address is used as the PAT address (in the same way that the older-format configuration above uses the "interface" parameter).

 

If you wanted to use a separate NAT IP address (other than the "dmz" interface IP address), then you would need one additional "object" configuration and a slightly different "nat" configuration:

object network SMX-LAN
 subnet 172.16.58.0 255.255.255.0

object network REMOTE-SERVER
 host 209.196.208.52

object network NAT-IP
 host x.x.x.x

nat (inside,dmz) source dynamic SMX-LAN NAT-IP destination static REMOTE-SERVER REMOTE-SERVER

 

Keep in mind that in both of the cases (with both levels of software) the required configuration depends on how your firewall is currently configured. There might be other NAT configurations that affect these configurations and would therefore override their operation.

Hope this helps :)

- Jouni

Please find the ASA version:

 

Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

 

And the IP address details are:

source IP address 172.16.58.0/24, destination IP address 209.196.208.52, translated source 172.31.82.0/23, translated destination 172.31.82.0/23

 

I need the command details for ASA version 8.2.

 

 

Regards,

Saroj

So you want the inside LAN users to access the servers in the SxM network through the DMZ interface of the ASA to the VPN router, instead of going out through the outside interface.

 

Your requirement: Inside LAN (inside)-ASA-(DMZ)---VPN Router---Internet Router----SXM Network

 

Please correct me if am wrong

 

Regards

Karthik

You are right, sir. Their Internet traffic will go through the outside interface, which is working fine. But the users' access to the SxM network will go through the DMZ.

 

Regards,

Saroj

Hi Saroj,

Then I guess you need the proper access-list and routing on the ASA.

You need to route the traffic destined for the VPN via the DMZ, and the required NAT/No-NAT to allow the traffic via the DMZ.

 

I guess the public IP NATing will be done on your VPN server.

Regards

Karthik

Karthik,

 

The routing is already done. I need the NAT part to complete it.

Please advise.

 

Regards,

Saroj
 

Hi Saroj,

 

As suggested by Jouni...

Software 8.2 and below

access-list VPN-POLICYPAT remark Policy NAT for L2L VPN
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 host 209.196.208.52

 

global (dmz) 200 interface

or

global (dmz) 200 <NAT ip address>

 

nat (inside) 200 access-list VPN-POLICYPAT

 

This will do for you. Otherwise you can do No-NAT if you do not want double NAT:

nat (inside) 0 access-list VPN-POLICYPAT

 

If you have the proper routing in both directions, then you should be able to do it with this.

 

Make sure you have proper routing from the ASA to the VPN router and from the VPN router back to the ASA, and that your VPN configuration has what is required to get this working.

Also NAT the traffic in the VPN router for getting into the public network (the tunneled traffic).

 

Regards

Karthik

 

 

Sir,

The inbound and outbound routes are configured. I am confused by

global (dmz) 200 interface, as the DMZ is configured with a private IP address.

 

Please advise.

 

Regards,

Saroj

Hi,

 

The below mentioned statement will exempt the NAT being done for the traffic that is destined to 209.196.208.52.

access-list VPN-POLICYPAT remark Policy NAT for L2L VPN
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 host 209.196.208.52

nat (inside) 0 access-list VPN-POLICYPAT

route dmz <destination  server ip> <mask> <gateway (vpn router)>

 

So the real IP will go as-is to the VPN server. In your VPN server, the VPN policy should allow the LAN subnet 172.16.58.0 to go through the VPN. If you do some NATing for the VPN traffic, then you need to include 172.16.58.0 in the NAT statements for the VPN traffic as well.

 

 

Regards

Karthik
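To make the difference between the two 8.2 suggestions in this thread concrete (Jouni's policy PAT with "nat (inside) 200 access-list" and Karthik's No-NAT with "nat (inside) 0 access-list"), and Jouni's caveat that other NAT rules on the box can override them, here is an added example in Python. It is not code from the thread or from Cisco: a small parser for the pre-8.3 "access-list" / "global" / "nat" lines posted above, plus a selector that applies the 8.2 order of operations (NAT exemption first, then policy dynamic NAT/PAT, then regular dynamic NAT/PAT; static NAT is left out because the thread has none). The interface addresses 172.31.82.2 and 198.51.100.2, the pre-existing Internet PAT ("nat (inside) 1" / "global (outside) 1"), the 8.8.8.8 test destination and the "no global on egress means the rule does not apply" behaviour are assumptions made for the example.

```python
"""ASA 8.2-style NAT rule selection, modelled in Python (added example)."""
import ipaddress

# Assumed interface addresses, used to resolve "global (iface) N interface".
IFACE_IPS = {"dmz": "172.31.82.2", "outside": "198.51.100.2"}


def _net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _addr(tokens):
    """Parse one ACL address operand: 'host X', 'any', or 'NET MASK'."""
    if tokens[0] == "host":
        return _net(tokens[1], "255.255.255.255"), tokens[2:]
    if tokens[0] == "any":
        return _net("0.0.0.0", "0.0.0.0"), tokens[1:]
    return _net(tokens[0], tokens[1]), tokens[2:]


def parse_config(text):
    """Return (acls, globals, nats) parsed from 8.2-style config lines."""
    acls, globs, nats = {}, {}, []
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "permit":
            # access-list NAME permit ip SRC DST   (remark lines are skipped)
            src, rest = _addr(t[4:])
            dst, _ = _addr(rest)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "global":
            # global (IFACE) ID interface | global (IFACE) ID IP
            iface, nat_id = t[1].strip("()"), int(t[2])
            globs[(iface, nat_id)] = IFACE_IPS[iface] if t[3] == "interface" else t[3]
        elif t[0] == "nat":
            # nat (IFACE) ID access-list NAME   or   nat (IFACE) ID NET MASK
            iface, nat_id = t[1].strip("()"), int(t[2])
            if t[3] == "access-list":
                nats.append(("exempt" if nat_id == 0 else "policy", iface, nat_id, t[4]))
            else:
                nats.append(("regular", iface, nat_id, _net(t[3], t[4])))
    return acls, globs, nats


ORDER = ("exempt", "policy", "regular")  # 8.2 order of operations (no statics here)


def select_nat(cfg, ingress, egress, src, dst):
    """Return (action, source IP the destination sees, rule that matched)."""
    acls, globs, nats = cfg
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for kind in ORDER:
        for rkind, iface, nat_id, arg in nats:  # config order within one class
            if rkind != kind or iface != ingress:
                continue
            if kind == "regular":
                hit = s in arg
            else:
                hit = any(s in a and d in b for a, b in acls.get(arg, []))
            if not hit:
                continue
            if kind == "exempt":
                return ("exempt", str(s), f"nat ({iface}) 0 access-list {arg}")
            pat_ip = globs.get((egress, nat_id))
            if pat_ip is None:
                # Assumption: no global with this ID on the egress interface
                # means the rule does not apply to this flow (nat-control off).
                continue
            return ("pat", pat_ip, f"nat ({iface}) {nat_id} -> global ({egress}) {nat_id}")
    return ("untranslated", str(s), "no NAT rule matched")


# Constructed config: the thread's policy PAT plus an assumed existing Internet PAT.
POLICY_PAT = """
access-list VPN-POLICYPAT remark Policy NAT for L2L VPN
access-list VPN-POLICYPAT permit ip 172.16.58.0 255.255.255.0 host 209.196.208.52
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz) 200 interface
nat (inside) 200 access-list VPN-POLICYPAT
"""
# The same box after the No-NAT alternative is added on top of the policy PAT.
WITH_EXEMPT = POLICY_PAT + "nat (inside) 0 access-list VPN-POLICYPAT\n"


def demo():
    """Three flows: VPN server via dmz, Internet via outside, VPN server with exemption."""
    vpn = select_nat(parse_config(POLICY_PAT), "inside", "dmz", "172.16.58.10", "209.196.208.52")
    web = select_nat(parse_config(POLICY_PAT), "inside", "outside", "172.16.58.10", "8.8.8.8")
    exm = select_nat(parse_config(WITH_EXEMPT), "inside", "dmz", "172.16.58.10", "209.196.208.52")
    return vpn, web, exm


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The first flow is PATed to the dmz interface address (which is what "global (dmz) 200 interface" means even though the DMZ address is private), the second still uses the outside PAT because the policy ACL only matches traffic to 209.196.208.52, and the third shows that once "nat (inside) 0 access-list VPN-POLICYPAT" exists the exemption is evaluated first, so the policy PAT on the same traffic never fires and the VPN router sees the real 172.16.58.0/24 addresses. On a real 8.2 box the equivalent check is "packet-tracer input inside tcp 172.16.58.10 1024 209.196.208.52 443", whose NAT phase names the rule that was actually selected.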

 

nkarthikeyan
Level 7

Your query is quite confusing.

 

1) You want to access the servers that are in DMZ zone from inside LAN?

2) Also you want to access some servers that are in remote site through site to site VPN?

3) What do you mean by a VPN device connected between the ASA DMZ and the Internet?

 

Regards

Karthik
