Solved: nat outside addr to inside at site reached via mpls - Page 2

john.wright · ‎04-03-2013

We are running asa ios 8.4 and would like to know if it possible to nat an outside addr at site A to an inside addr that is reached via mpls at site B?

Jouni Forss · ‎04-03-2013

Hi,

I still dont know the exact layout of your network.

The only route that the Site B needs is the route which tells where the PAT IP address is located. The PAT IP address that all the Internet users trough Site A are visible from.

So in your situation the route would be something like

ip route 2.2.2.2 255.255.255.255

And naturally the IP address 2.2.2.2 is just an example IP address. You can and probably should use something else.

Also I dont know how many hops there are between the 2 sites so you might need some configurations elsewhere also.

- Jouni

john.wright · ‎04-03-2013

Jouni

The routing issue is the thing that makes this not possible. We do not know what may be between A and B. And the routers are managed by a 3rd party.

We don't want to involve the vedor.

However you did answer the origimal question, that nat was possible over an mpls.

Thanks much 5 stars for such a great effor!

Jouni Forss · ‎04-03-2013

Again without knowing the setup, here is one option to consider.

Can you share the configuration on the Site A ASA for the interface that is connected to the Site B MPLS connection? I presume its a separate interface from the actual LAN interface of Site A?

I imagine that the link network between your Site A ASA MPLS interface and the router for the MPLS connection is automatically adverticed to the Site B? In other words the Site B server can probably ping the Site A ASA MPLS interface IP address?

If this is correct, then it might be possible to NAT all traffic from Internet of Site A to the MPLS interface IP address when they are connecting to Site B server. This way you wouldnt be adding any new IP address/network to the setup and no new routing would be needed.

But as I said this depends if the Site B server can currently reach the Site A ASA MPLS interface IP address. Does it show in the local routing table of the Site B router?

- Jouni

john.wright · ‎04-03-2013

Jouni

Site B knows how to get to site A. I have no idea what is between site A and site B.

This is th addr of the firewall at site Athat I am able to ping from a switch at site B.

GS-CORE#ping 10.51.21.252

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.51.21.252, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

Jouni Forss · ‎04-03-2013

Hi,

So if the Site B and its server can reach the ASA interface then I guess the following configuration might be possible

object network SERVER-LOCAL

host

object network SERVER-PUBLIC

host

nat (outside,mpls) source dynamic any interface destination static SERVER-PUBLIC SERVER-LOCAL

The only difference compared to the previous NAT configuration is that we DONT NAT the hosts on the Internet to a certain PAT address but rather use the "interface" parameter (marked in red) to define that the Internet users will be NATed to the "mpls" interface IP address.

And because Site B seems to be able to reach this IP address the routing should also be fine without any changes.

- Jouni

john.wright · ‎04-03-2013

Jouni

Thiis seems more reasonable. We are still waiting to get the actual IP addr of the server at the B site.

When we do get that IP addr we will try this.

Thanks much!

Jouni Forss · ‎04-05-2013

Ok,

Let us know how it went when you get the chance to try it out.

- Jouni