07-10-2014 10:33 PM - edited 03-11-2019 09:27 PM
Hi,
Can someone guide me to configure Hide NAT on the Cisco ASA 5510 firewall? I am using the ASA in my network. The users at the inside interface need their traffic to go to the DMZ interface and access the three remote servers through a S2S VPN. The VPN device is connected between the Internet router and the ASA DMZ.
Please advise,
Saroj
07-17-2014 01:09 AM
Hi,
It seems that the "packet-tracer" you tried matched a "static" NAT configuration rather than the Dynamic Policy PAT you have configured (the configuration you mentioned above). The traffic from your source host is translated to this IP address
name 172.31.82.20 SXMUSAIP-TEST
You can see this from the "packet-tracer" output.
If you are going to use this NAT IP address for this connection then you will naturally have to confirm that there is a route on the VPN device for the IP 172.31.82.20 towards the ASA and also that this IP address is included in the L2L VPN configurations. The remote site naturally needs to have configurations related to this IP address also.
Though I guess it's just a test configuration, as it's only a NAT configuration for one destination host and not all the hosts/networks behind the L2L VPN. If you want the internal host to use the Dynamic Policy PAT configuration towards the VPN device then you would have to remove this "static" configuration you have for the host, since it's overriding the Dynamic Policy PAT:
static (inside,DMZ-SXM) SXMUSAIP-TEST access-list inside_nat_static
That is unless you want to keep using this NAT configuration and NAT IP.
- Jouni
07-17-2014 02:20 AM
I have configured the route at the ASA as a static route.
route DMZ-SXM SXM_IPUSA 255.255.254.0 172.16.59.2 1
route DMZ-SXM USAIP10 255.255.255.255 172.16.59.2 1
route DMZ-SXM USAIP52 255.255.255.255 172.16.59.2 1
route DMZ-SXM USAIP34 255.255.255.255 172.16.59.2 1
Now I removed the command
static (inside,DMZ-SXM) SXMUSAIP-TEST access-list inside_nat_static
Still it's not working. Please find the trace.
07-17-2014 02:36 AM
Hi,
The "packet-tracer" now seems to match the Dynamic Policy PAT that you configured. The NAT IP address used in this configuration is part of the private network between the ASA and the VPN device, and since you have the routes configured towards the VPN device, the question now is whether the L2L VPN connection is UP and if it contains configurations for the IP address
172.16.59.1
What I mean is that the Encryption Domain/Interesting traffic for the L2L VPN Connection needs to have the IP address 172.16.59.1 included as a source address on your side (and as a destination IP address at the remote site) and naturally if there is a firewall at the remote site they will have to allow the traffic sourced from this IP address.
At the moment it seems that the ASA configurations are fine and the problem is probably in the L2L VPN connection or at the remote site.
- Jouni
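As an added illustration (not code from the thread or from Cisco), the following Python models the two points Jouni makes: on pre-8.3 ASA the "static" rule wins over the Dynamic Policy PAT for the same flow, and whichever address the flow is translated to must then be covered by the VPN device's routing and its encryption domain. The inside host, the remote server and the crypto ACL contents are constructed placeholders, since the page does not give them.

```python
from ipaddress import ip_address, ip_network

# ASA 8.2 NAT precedence (pre-8.3 syntax, as used in the thread): NAT exemption
# beats static, static beats dynamic policy NAT/PAT, which beats regular dynamic NAT.
PRECEDENCE = {"exemption": 0, "static": 1, "dynamic-policy": 2, "dynamic": 3}

def select_nat(rules, src, dst):
    """Return (kind, translated_ip) of the winning rule, or None if nothing matches.
    Each rule is (kind, source_net, destination_net, translated_ip)."""
    hits = [r for r in rules if src in r[1] and dst in r[2]]
    if not hits:
        return None
    best = min(hits, key=lambda r: PRECEDENCE[r[0]])
    return best[0], best[3]

def vpn_checks(nat_ip, dst, crypto_acl, vpn_routes):
    """What the VPN device needs for a NAT'd flow to ride the L2L tunnel: a route
    (or connected subnet) back to nat_ip, and a crypto ACL line covering nat_ip -> dst."""
    routed = any(nat_ip in net for net in vpn_routes)
    encrypted = any(nat_ip in loc and dst in rem for loc, rem in crypto_acl)
    return {"route_to_nat_ip": routed, "in_encryption_domain": encrypted}

# Constructed sample values (assumptions, not from the page):
INSIDE_HOST = ip_address("172.31.82.100")     # a host in the Bhopal desktop range
REMOTE_SERVER = ip_address("198.51.100.10")   # placeholder for one remote USAIP server
DYNAMIC_POLICY_PAT = ("dynamic-policy", ip_network("172.31.82.0/23"),
                      ip_network("198.51.100.0/24"), ip_address("172.16.59.1"))
STATIC_TEST = ("static", ip_network("172.31.82.100/32"),
               ip_network("198.51.100.10/32"), ip_address("172.31.82.20"))  # SXMUSAIP-TEST

# VPN device as posted: connected 172.16.59.0/29 plus the desktop route; the
# crypto ACL is assumed to list only the desktop range as local traffic.
POSTED_ROUTES = [ip_network("172.16.59.0/29"), ip_network("172.31.82.0/23")]
POSTED_ACL = [(ip_network("172.31.82.0/23"), ip_network("198.51.100.0/24"))]
FIXED_ACL = POSTED_ACL + [(ip_network("172.16.59.1/32"), ip_network("198.51.100.0/24"))]

def diagnose(keep_static, crypto_acl, vpn_routes):
    """Pick the NAT rule the flow hits, then run the VPN-side checks on its NAT IP."""
    rules = [DYNAMIC_POLICY_PAT] + ([STATIC_TEST] if keep_static else [])
    kind, nat_ip = select_nat(rules, INSIDE_HOST, REMOTE_SERVER)
    return {"nat_kind": kind, "nat_ip": str(nat_ip),
            **vpn_checks(nat_ip, REMOTE_SERVER, crypto_acl, vpn_routes)}

if __name__ == "__main__":
    print(diagnose(True, POSTED_ACL, POSTED_ROUTES))   # static wins, 172.31.82.20 covered
    print(diagnose(False, POSTED_ACL, POSTED_ROUTES))  # policy PAT, 172.16.59.1 not in domain
    print(diagnose(False, FIXED_ACL, POSTED_ROUTES))   # policy PAT, now covered
```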
07-17-2014 02:42 AM
The IP address 172.16.59.1 is the IP address configured for NAT.
Please find the config of the L2L VPN device.
Primary Router:
interface GigabitEthernet0/0
description PUBLIC OUTSIDE INTERFACE
ip address 122.168.191.234 255.255.255.248
ip access-group INTERNET-ACL in
ip access-group RFC2827-ACL out
duplex auto
speed auto
!
interface GigabitEthernet0/1
description CONNECTION TO BHOPLA LAN SEGMENT
ip address 172.16.59.3 255.255.255.248
ip flow ingress
ip inspect SSR in
standby 5 ip 172.16.59.2
standby 5 priority 110
standby 5 preempt
standby 5 authentication md5 key-string 7 094A1E1B1B5413165802
standby 5 track 1 decrement 15
duplex auto
speed auto
Secondary Router:
interface GigabitEthernet0/0
description PUBLIC OUTSIDE INTERFACE
ip address 122.168.191.235 255.255.255.248
ip access-group INTERNET-ACL in
ip access-group RFC2827-ACL out
duplex auto
speed auto
!
interface GigabitEthernet0/1
description CONNECTION TO BHOPAL LAN SEGMENT
ip address 172.16.59.4 255.255.255.248
ip flow ingress
ip inspect SSR in
standby 5 ip 172.16.59.2
standby 5 preempt
standby 5 authentication md5 key-string 7 03020B19045E25481D07
standby 5 track 1 decrement 10
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 122.168.191.233 name TO_INTERNET_ISP
ip route 172.31.82.0 255.255.254.0 172.16.59.5 name TO_BOPHAL_DESKTOPS
ip route 0.0.0.0 0.0.0.0 122.168.191.233 name TO_INTERNET_ISP
ip route 172.31.82.0 255.255.254.0 172.16.59.5 name TO_BOPHAL_DESKTOPS
Regards,
Saroj
07-17-2014 02:52 AM
Hi,
According to the picture you provided earlier it seems to me that this router pair does not have any kind of VPN configured. It has no Crypto Map configurations on the external interfaces.
The picture seems to suggest that there is a third router in front of these 2 routers and the ASA and that router probably has the L2L VPN connection configured to the remote site?
- Jouni
07-17-2014 03:06 AM
Sir,
These two routers' (they are from my client SXM, USA) public interfaces are connected to my Internet router. I don't have access, so no idea.
But the client said the VPN is UP and he has provided part of the config, I think. It's a S2S VPN device.
Regards,
Saroj
07-17-2014 03:27 AM
Hi,
Well the configurations related to the VPN device (L2L VPN configurations and routing for example) need to be confirmed as there seems to be no problems on the ASA side anymore.
The L2L VPN might very well be UP if there are multiple networks/hosts on each site using the L2L VPN connection. But you said that this connection is not working, so it might be lacking configurations related to the IP address 172.16.59.1 that you are now using for the NAT. For example, the VPN router might be missing a route for the IP address 172.16.59.1, or it simply might not have it configured in the L2L VPN configurations on this site and/or the remote site.
- Jouni