cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
359
Views
0
Helpful
3
Replies

Identity NAT for all private subnets?

erik.winberg
Level 1
Level 1

I'm working on network with around a dozen (and growing) remote sites that are all connected to a central site via L2L VPN using ASAs. The remote sites send all traffic (internal and external) through their VPN connection to the central site and Internet access for all the sites is via the central site. Remote users also connect to the network via RA VPN at the central site. So in addition to traffic to/from the inside network at the central site, there's also traffic to a DMZ at the central site and hair-pinning of traffic between remote sites (and between RA VPN connections to remote sites).

Instead of managing a slew of identity NAT statements on different interfaces (inside, dmz, outside, etc.), I was wondering what the pros and cons are of just creating a "global" NAT rule along these lines:

object-group network PrivateSubnets
  subnet 10.0.0.0 255.0.0.0
  subnet 172.16.0.0 255.240.0.0
  subnet 192.168.0.0 255.255.0.0

nat (any,any) source static PrivateSubnets PrivateSubnets destination static PrivateSubnets PrivateSubnets route-lookup

Would that work? Is there a reason (security or otherwise) NOT to do that?

 

Also, any issue with doing dynamic nat as follows:

object network obj-Any
 subnet 0.0.0.0 0.0.0.0
 nat (any,outside) dynamic interface

That should cover all traffic, regardless of the interface, including Internet access via the RA and remote-site VPN's, right?

 

1 Accepted Solution

Accepted Solutions

I always configure my NAT in a similar way:

object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

nat (any,outside) source static RFC1918 RFC1918 destination static RFC1918 RFC1918 no-proxy-arp route-lookup

My dynamic NAT is the following:

object network PAT-OUTSIDE
 host 192.0.2.10

nat (any,outside) after-auto source dynamic any PAT-OUTSIDE

 

That works like a charm!

View solution in original post

3 Replies 3

I always configure my NAT in a similar way:

object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

nat (any,outside) source static RFC1918 RFC1918 destination static RFC1918 RFC1918 no-proxy-arp route-lookup

My dynamic NAT is the following:

object network PAT-OUTSIDE
 host 192.0.2.10

nat (any,outside) after-auto source dynamic any PAT-OUTSIDE

 

That works like a charm!

Thanks, Karsten!

Glad to get your feedback and that I was on the right track.

Quick question on your dynamic NAT config: Is that host address (192.0.2.10) different than the interface IP address? If I wanted to use the interface IP, could I just make that NAT statement:

nat (any,outside) after-auto source dynamic any interface

And just to clarify, since you didn't specify a "destination" on that NAT statement, does the ASA just assume the destination is any/any?

Thanks again for your input!

The 192.0.2.10 in my example is an address out of the provider-pool, but not the ASA IP. If possible, I always configure a different address for PAT. You could also use the keyword "interface" to use the ip of the ASA for PAT.

There is no destination in this statement, because it's not a policy-NAT. And yes, without the destination, "any" is used by the ASA.

Review Cisco Networking for a $25 gift card