10-16-2014 09:52 AM - edited 03-11-2019 09:56 PM
I'm working on network with around a dozen (and growing) remote sites that are all connected to a central site via L2L VPN using ASAs. The remote sites send all traffic (internal and external) through their VPN connection to the central site and Internet access for all the sites is via the central site. Remote users also connect to the network via RA VPN at the central site. So in addition to traffic to/from the inside network at the central site, there's also traffic to a DMZ at the central site and hair-pinning of traffic between remote sites (and between RA VPN connections to remote sites).
Instead of managing a slew of identity NAT statements on different interfaces (inside, dmz, outside, etc.), I was wondering what the pros and cons are of just creating a "global" NAT rule along these lines:
object-group network PrivateSubnets
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
nat (any,any) source static PrivateSubnets PrivateSubnets destination static PrivateSubnets PrivateSubnets route-lookup
Would that work? Is there a reason (security or otherwise) NOT to do that?
Also, any issue with doing dynamic nat as follows:
object network obj-Any
subnet 0.0.0.0 0.0.0.0
nat (any,outside) dynamic interface
That should cover all traffic, regardless of the interface, including Internet access via the RA and remote-site VPN's, right?
10-16-2014 12:27 PM
I always configure my NAT in a similar way:
object-group network RFC1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
nat (any,outside) source static RFC1918 RFC1918 destination static RFC1918 RFC1918 no-proxy-arp route-lookup
My dynamic NAT is the following:
object network PAT-OUTSIDE
host 192.0.2.10
nat (any,outside) after-auto source dynamic any PAT-OUTSIDE
That works like a charm!
10-17-2014 04:39 AM
Thanks, Karsten!
Glad to get your feedback and that I was on the right track.
Quick question on your dynamic NAT config: Is that host address (192.0.2.10) different than the interface IP address? If I wanted to use the interface IP, could I just make that NAT statement:
nat (any,outside) after-auto source dynamic any interface
And just to clarify, since you didn't specify a "destination" on that NAT statement, does the ASA just assume the destination is any/any?
Thanks again for your input!
10-17-2014 04:50 AM
The 192.0.2.10 in my example is an address out of the provider-pool, but not the ASA IP. If possible, I always configure a different address for PAT. You could also use the keyword "interface" to use the ip of the ASA for PAT.
There is no destination in this statement, because it's not a policy-NAT. And yes, without the destination, "any" is used by the ASA.
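As an added example (not configuration posted by either participant), the two rules from the thread assembled into one ASA NAT layout for the hub-and-spoke VPN design, with the ordering made explicit and the checks a practitioner would run afterwards. The interface names (inside, dmz, outside), the RFC1918 object-group reuse and the spoke addresses in the packet-tracer line are assumptions.

```cisco
! Added example for the hub ASA in the thread above; interface names and
! addresses are assumed placeholders, not values from the original posts.
!
! Spoke-to-spoke and RA-VPN-to-spoke traffic enters and leaves the outside
! interface (hair-pinning), which the ASA blocks unless this is set.
same-security-traffic permit intra-interface

! Section 1 (manual/twice NAT): identity NAT for private-to-private traffic.
! Manual NAT rules are evaluated first and in order, so this matches VPN and
! inside<->dmz flows before any PAT rule can rewrite them. (any,any) plus
! route-lookup lets the routing table pick the egress interface, so one rule
! covers inside, dmz and outside; no-proxy-arp stops the ASA answering ARP
! for the whole RFC1918 space on the mapped side.
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
nat (any,any) source static RFC1918 RFC1918 destination static RFC1918 RFC1918 no-proxy-arp route-lookup

! Section 3 (after-auto): catch-all PAT to the outside interface address for
! everything that did not match above. With no "destination" clause the
! destination is any, so Internet traffic arriving on outside from spoke
! L2L tunnels and RA VPN clients is PATed on its way back out of outside.
nat (any,outside) after-auto source dynamic any interface

! Verification: rule table in evaluation order, with translate_hits per rule.
show nat detail
! Simulate an inside host reaching a spoke subnet (10.1.1.10 -> 10.2.2.20 are
! assumed addresses). The NAT phase must report the identity rule, not PAT;
! if PAT shows up here the identity rule is missing or ordered below it.
packet-tracer input inside tcp 10.1.1.10 12345 10.2.2.20 443 detailed
! And an Internet-bound flow from the same host: this one should hit the PAT.
packet-tracer input inside tcp 10.1.1.10 12345 198.51.100.5 443 detailed
```

If the private networks include addresses outside RFC1918 (a DMZ on public space, for example), add them to the object-group or they will be PATed toward the spokes; `show nat detail` is the quickest way to see which rule a surprising flow actually hit.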