Hide NAT

saroj pradhan
Level 1

Hi,

 

Can someone guide me on configuring Hide NAT on the Cisco ASA 5510 Firewall? I am using the ASA in my network. The traffic of the users at the inside interface needs to go to the DMZ interface and access the three remote servers through an S2S VPN. The VPN device is connected between the Internet router and the ASA DMZ.

 

Please advise,

 

Saroj

36 Replies

Hi,

 

It seems that the "packet-tracer" you tried matched a "static" NAT configuration rather than the Dynamic Policy PAT you have configured (the configuration you mentioned above). The traffic from your source host is translated to this IP address:

name 172.31.82.20 SXMUSAIP-TEST

 

You can see this from the "packet-tracer" output.

If you are going to use this NAT IP address for this connection then you will naturally have to confirm that there is a route on the VPN device for the IP 172.31.82.20 towards the ASA and also that this IP address is included in the L2L VPN configurations. The remote site naturally needs to have configurations related to this IP address also.

 

Though I guess it's just a test configuration, as it's only a NAT configuration for one destination host and not all the hosts/networks behind the L2L VPN. If you want the internal host to use the Dynamic Policy PAT configuration towards the VPN device then you would have to remove this "static" configuration you have for the host, since it's overriding the Dynamic Policy PAT:

 

static (inside,DMZ-SXM) SXMUSAIP-TEST  access-list inside_nat_static 

 

That is unless you want to keep using this NAT configuration and NAT IP.

 

- Jouni
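The precedence Jouni describes is the pre-8.3 ASA NAT order of operations: NAT exemption first, then static NAT/PAT, then policy dynamic NAT/PAT, then regular dynamic NAT. The following script is an added example (not code from the thread or from Cisco) that models that order so you can predict which rule a given source/destination pair will hit, the same question "packet-tracer" answers on the box. The inside host 172.31.82.50 and the remote server subnet 192.0.2.0/24 are constructed placeholders; the NAT addresses 172.31.82.20 and 172.16.59.1 are the ones from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Pre-8.3 ASA NAT order of operations (as documented by Cisco):
#   1. NAT exemption (nat 0 access-list)
#   2. static NAT / static PAT (policy and regular)
#   3. policy dynamic NAT/PAT (nat <id> access-list ...)
#   4. regular dynamic NAT/PAT (nat <id> <network>)
ORDER = ("exempt", "static", "policy_dynamic", "dynamic")


@dataclass
class NatRule:
    kind: str                     # one of ORDER
    real: str                     # real (inside) host or network
    mapped: Optional[str] = None  # mapped host/network; None for exemption
    dst: Optional[str] = None     # policy ACL destination; None means "any"
    name: str = ""                # label used in the explanation


def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


def rule_matches(rule: NatRule, src: str, dst: str) -> bool:
    """True if (src, dst) falls inside this rule's real/destination scope."""
    if ipaddress.ip_address(src) not in _net(rule.real):
        return False
    return rule.dst is None or ipaddress.ip_address(dst) in _net(rule.dst)


def mapped_address(rule: NatRule, src: str) -> str:
    """Mapped source for a matching rule: identity for exemption, one-to-one
    offset mapping for static network translations, the PAT address otherwise."""
    if rule.kind == "exempt":
        return src
    real, mapped = _net(rule.real), _net(rule.mapped)
    if rule.kind == "static" and real.num_addresses == mapped.num_addresses:
        offset = int(ipaddress.ip_address(src)) - int(real.network_address)
        return str(mapped[offset])
    return str(mapped.network_address)


def translate(rules, src: str, dst: str):
    """Walk the rule table in ASA precedence order and return (rule, mapped_src).
    (None, src) means nothing matched, i.e. the packet leaves untranslated."""
    for kind in ORDER:
        for rule in rules:
            if rule.kind == kind and rule_matches(rule, src, dst):
                return rule, mapped_address(rule, src)
    return None, src


# Constructed sample modelled on the thread: the desktop subnet 172.31.82.0/23
# is policy-PATed to 172.16.59.1 towards the remote site, while a leftover
# static for one test host maps it to 172.31.82.20 (SXMUSAIP-TEST).
# 172.31.82.50 and 192.0.2.0/24 are placeholders, not values from the thread.
POLICY_PAT = NatRule("policy_dynamic", "172.31.82.0/23", "172.16.59.1",
                     dst="192.0.2.0/24", name="nat (inside) <id> access-list <policy-acl>")
STATIC_TEST = NatRule("static", "172.31.82.50/32", "172.31.82.20",
                      dst="192.0.2.10/32", name="static (inside,DMZ-SXM) SXMUSAIP-TEST")


def explain(rules, src: str, dst: str) -> str:
    rule, mapped = translate(rules, src, dst)
    label = rule.name if rule else "no NAT rule"
    return f"{src} -> {dst}: {label}; source seen by the VPN peer = {mapped}"


if __name__ == "__main__":
    # With the static in place the test host is translated to 172.31.82.20 ...
    print(explain([POLICY_PAT, STATIC_TEST], "172.31.82.50", "192.0.2.10"))
    # ... and once it is removed the policy PAT to 172.16.59.1 takes over.
    print(explain([POLICY_PAT], "172.31.82.50", "192.0.2.10"))
```

The rule list order does not matter; only the kind does, which is exactly why adding the policy PAT below the static had no effect until the static was removed.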

I have configured the route on the ASA as a static route.

route DMZ-SXM SXM_IPUSA 255.255.254.0 172.16.59.2 1
route DMZ-SXM USAIP10 255.255.255.255 172.16.59.2 1
route DMZ-SXM USAIP52 255.255.255.255 172.16.59.2 1
route DMZ-SXM USAIP34 255.255.255.255 172.16.59.2 1

Now I have removed the command

static (inside,DMZ-SXM) SXMUSAIP-TEST  access-list inside_nat_static 

Still it's not working. Please find the trace.

Hi,

 

The "packet-tracer" now seems to match the Dynamic Policy PAT that you configured. The NAT IP address used in this configuration is part of the private network between the ASA and the VPN device, and since you have the routes configured towards the VPN device, the question now is whether the L2L VPN connection is UP and whether it contains configurations for the IP address

172.16.59.1

What I mean is that the Encryption Domain/Interesting Traffic for the L2L VPN connection needs to have the IP address 172.16.59.1 included as a source address on your side (and as a destination IP address at the remote site), and naturally, if there is a firewall at the remote site, they will have to allow the traffic sourced from this IP address.

 

At the moment it seems that the ASA configurations are fine and the problem is probably in the L2L VPN connection or at the remote site.

 

- Jouni

The IP address 172.16.59.1 is the IP address configured for NAT.

Please find the config of the L2L VPN device.

 

Primary Router:

interface GigabitEthernet0/0
 description PUBLIC OUTSIDE INTERFACE
 ip address 122.168.191.234 255.255.255.248
 ip access-group INTERNET-ACL in
 ip access-group RFC2827-ACL out
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description CONNECTION TO BHOPLA LAN SEGMENT
 ip address 172.16.59.3 255.255.255.248
 ip flow ingress
 ip inspect SSR in
 standby 5 ip 172.16.59.2
 standby 5 priority 110
 standby 5 preempt
 standby 5 authentication md5 key-string 7 094A1E1B1B5413165802
 standby 5 track 1 decrement 15
 duplex auto
 speed auto

 

Secondary Router:

interface GigabitEthernet0/0
 description PUBLIC OUTSIDE INTERFACE
 ip address 122.168.191.235 255.255.255.248
 ip access-group INTERNET-ACL in
 ip access-group RFC2827-ACL out
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description CONNECTION TO BHOPAL LAN SEGMENT
 ip address 172.16.59.4 255.255.255.248
 ip flow ingress
 ip inspect SSR in
 standby 5 ip 172.16.59.2
 standby 5 preempt
 standby 5 authentication md5 key-string 7 03020B19045E25481D07
 standby 5 track 1 decrement 10
 duplex auto
 speed auto

ip route 0.0.0.0 0.0.0.0 122.168.191.233 name TO_INTERNET_ISP
ip route 172.31.82.0 255.255.254.0 172.16.59.5 name TO_BOPHAL_DESKTOPS

ip route 0.0.0.0 0.0.0.0 122.168.191.233 name TO_INTERNET_ISP
ip route 172.31.82.0 255.255.254.0 172.16.59.5 name TO_BOPHAL_DESKTOPS

 

Regards,

Saroj

Hi,

 

According to the picture you provided earlier, it seems to me that this router pair does not have any kind of VPN configured. It has no Crypto Map configurations on the external interfaces.

 

The picture seems to suggest that there is a third router in front of these 2 routers and the ASA and that router probably has the L2L VPN connection configured to the remote site?

 

- Jouni

Sir,

 

These two routers (they are from my client SXM, USA) have their public interfaces connected to my Internet router. I don't have access, so I have no idea.

But the client said the VPN is UP, and he has provided part of the config, I think. It's an S2S VPN device.

 

Regards,

Saroj

 

Hi,

 

Well, the configurations related to the VPN device (L2L VPN configurations and routing, for example) need to be confirmed, as there seem to be no problems on the ASA side anymore.

 

The L2L VPN might very well be UP if there are multiple networks/hosts on each site using the L2L VPN connection. But you said that this connection is not working, so it might be lacking configurations related to the IP address 172.16.59.1 that you are now using for the NAT. For example, the VPN router might be missing a route for the IP address 172.16.59.1, or it simply might not have it configured in the L2L VPN configurations on this site and/or the remote site.

 

- Jouni
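Jouni's two remaining checks on the VPN router side are whether the NAT address is inside the encryption domain (the crypto ACL) and whether the router has a path back to it. The script below is an added example, not code from the thread or from Cisco, that parses IOS-style "access-list ... permit ip" and "ip route" / "ip address" lines and reports both conditions for a given source/destination pair. The crypto ACL is constructed (the routers posted above show none), the remote server subnet 192.0.2.0/24 is a placeholder, and the routes and interface addresses are taken from the primary router config posted above.

```python
import ipaddress

# Constructed sample: a crypto ACL that covers the desktop subnet but was never
# updated for the PAT address 172.16.59.1. 192.0.2.0/24 stands in for the
# remote servers, whose real addresses are not given in the thread.
CRYPTO_ACL = [
    "access-list VPN-TRAFFIC extended permit ip 172.31.82.0 255.255.254.0 192.0.2.0 255.255.255.0",
]

# Interface addresses and static routes from the primary router config in the thread.
ROUTER_CONFIG = [
    "ip address 122.168.191.234 255.255.255.248",
    "ip address 172.16.59.3 255.255.255.248",
    "ip route 0.0.0.0 0.0.0.0 122.168.191.233 name TO_INTERNET_ISP",
    "ip route 172.31.82.0 255.255.254.0 172.16.59.5 name TO_BOPHAL_DESKTOPS",
]


def _parse_endpoint(tokens, i):
    """Consume one ACL address spec (any | host X | X MASK); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_crypto_acl(lines):
    """Return [(src_net, dst_net)] for the 'permit ip' entries of an extended ACL."""
    entries = []
    for line in lines:
        t = line.split()
        if "permit" not in t:
            continue
        i = t.index("permit") + 2          # skip the protocol keyword ("ip")
        src, i = _parse_endpoint(t, i)
        dst, _ = _parse_endpoint(t, i)
        entries.append((src, dst))
    return entries


def in_encryption_domain(entries, src, dst):
    """True if some crypto ACL entry matches src -> dst (traffic would be encrypted)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in entries)


def parse_routes(lines):
    """Static routes as (network, next_hop); interface addresses as connected routes."""
    routes = []
    for line in lines:
        t = line.split()
        if t[:2] == ["ip", "route"]:
            routes.append((ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[4]))
        elif t[:2] == ["ip", "address"]:
            routes.append((ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), "connected"))
    return routes


def next_hop(routes, ip):
    """Longest-prefix match; returns the next hop, 'connected', or None."""
    a = ipaddress.ip_address(ip)
    best = max((r for r in routes if a in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None


def check_vpn_peer(acl_lines, route_lines, nat_ip, remote_ip, expected_hop):
    """List of findings for the VPN router side; an empty list means both checks passed."""
    entries, routes = parse_crypto_acl(acl_lines), parse_routes(route_lines)
    findings = []
    if not in_encryption_domain(entries, nat_ip, remote_ip):
        findings.append(f"{nat_ip} -> {remote_ip} is not covered by the crypto ACL (encryption domain)")
    hop = next_hop(routes, nat_ip)
    if hop != expected_hop:
        findings.append(f"return path for {nat_ip} is via {hop}, expected {expected_hop}")
    return findings


if __name__ == "__main__":
    # 172.16.59.1 sits on the router's own LAN segment, so the route check passes;
    # the crypto ACL check is the one that fails for the PAT address.
    for f in check_vpn_peer(CRYPTO_ACL, ROUTER_CONFIG, "172.16.59.1", "192.0.2.10", "connected"):
        print("FINDING:", f)
```

The same check has to be mirrored at the remote site with source and destination swapped, and any firewall there must permit traffic sourced from 172.16.59.1, which is the remaining point Jouni raises.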
