
NAT/PAT config over IPSec VPN connection

nickhesson
Level 1

Hello all,

Sorry, I'm sure there are other threads on this question, but I can't seem to get anything to work. This is what we are trying to get done:

[Image: PAT for 10network.png]

Site A needs to access the Host in Site B. Of course the Host has a default router that has a route to 10.1.1.X. Is there a way to PAT the source traffic of 10.1.1.X to the IP address of the inside interface of ASA2, or to another 192.168.12.X/26 address? Whatever we have tried, the traffic always lands on the main NAT exemption rule for the tunnel:

nat (inside,outside) source static Obj_192.168.12.X Obj_192.168.12.X destination static Obj_10.1.1.X Obj_10.1.1.X no-proxy-arp route-lookup

Can someone point me in the right direction? Again, sorry if there's a common thread on this that I can't seem to find.

Thanks for your time and help,

Nick

Accepted Solution

Change the NAT rule to "unidirectional" as follows:

nat (inside,outside) source static Obj_192.168.12.X Obj_192.168.12.X  destination static Obj_10.1.1.X Obj_10.1.1.X no-proxy-arp route-lookup unidirectional

Then "clear xlate", and leave the object NAT as the above.

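Why the unidirectional keyword makes the difference, modelled as an added example (not Cisco code and not part of the thread): the ASA consults Section 1 (manual/twice NAT) before Section 2 (object NAT), and a static twice NAT rule also matches connections arriving in the reverse direction unless it is unidirectional. The inside interface address 192.168.12.1 and the client 10.1.1.20 are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class TwiceNat:
    """Section 1 rule: nat (real_if,mapped_if) source static X X destination static Y Y."""
    real_if: str
    mapped_if: str
    src: str                      # real source network (identity NAT: mapped == real)
    dst: str                      # real destination network
    unidirectional: bool = False  # the keyword the accepted answer adds

@dataclass
class ObjectNat:
    """Section 2 rule: object network ... / nat (real_if,mapped_if) dynamic interface."""
    real_if: str
    mapped_if: str
    src: str
    interface_ip: str             # address of mapped_if used for PAT (assumed here)

def _in(addr, net):
    return ip_address(addr) in ip_network(net)

def lookup(section1, section2, ingress, src, dst):
    """Rule chosen for a new connection entering `ingress`: (description, translated source)."""
    for r in section1:            # Section 1 is consulted first, in order
        # forward direction: enters real_if from the real source network
        if ingress == r.real_if and _in(src, r.src) and _in(dst, r.dst):
            return ("section1 forward, identity (exempt)", src)
        # reverse direction: enters mapped_if heading for the real network;
        # a static twice NAT matches this too unless it is unidirectional
        if (not r.unidirectional and ingress == r.mapped_if
                and _in(src, r.dst) and _in(dst, r.src)):
            return ("section1 reverse, identity (exempt)", src)
    for r in section2:            # only reached if nothing in Section 1 matched
        if ingress == r.real_if and _in(src, r.src):
            return ("section2 dynamic PAT to interface", r.interface_ip)
    return None

def asa2_rules(unidirectional):
    """ASA2's NAT table from the thread; 192.168.12.1 as the inside IP is an assumption."""
    exempt = [TwiceNat("inside", "outside", "192.168.12.0/26", "10.1.1.0/24", unidirectional)]
    pat = [ObjectNat("outside", "inside", "10.1.1.0/24", "192.168.12.1")]
    return exempt, pat

def site_a_to_host(unidirectional):
    """Constructed Site A client 10.1.1.20 opens a connection to Site B host 192.168.12.10."""
    return lookup(*asa2_rules(unidirectional), "outside", "10.1.1.20", "192.168.12.10")

def site_b_to_site_a(unidirectional):
    """Site B host initiates toward Site A; must stay exempt in both cases."""
    return lookup(*asa2_rules(unidirectional), "inside", "192.168.12.10", "10.1.1.20")
```

With the bidirectional rule, `site_a_to_host(False)` never reaches Section 2 (the untranslate_hits counter in `show nat` is where those reverse matches show up); with `unidirectional`, the same connection falls through to the object NAT and is PATed to the inside interface address.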

3 Replies

Jennifer Halim
Cisco Employee

Leave the NAT rule, and you would also need to configure dynamic NAT:

object network obj-10.1.1.0

   subnet 10.1.1.0 255.255.255.0

   nat (outside,inside) dynamic interface

Then "clear xlate" after the above configuration.

Wow, thanks for the quick reply! Unfortunately this didn't work for me. I added a similar NAT rule before posting. It wasn't an Object NAT, but something very close. Maybe the Object does have something to do with this.

If I add the Object NAT and run clear xlate, new translations will still use the above NAT statement.

So I made that rule inactive, and connections from Site A to Host work. But now connections from Site B don't get the NAT exemption going back to Site A.

So currently we have this on (ASA2):

object network Obj_10.1.1.X

subnet 10.1.1.0 255.255.255.0

object network Obj_192.168.12.X

subnet 192.168.12.0 255.255.255.192

nat (inside,outside) source static Obj_192.168.12.X Obj_192.168.12.X destination static Obj_10.1.1.X Obj_10.1.1.X no-proxy-arp route-lookup inactive

object network obj-10.1.1.0

subnet 10.1.1.0 255.255.255.0

nat (outside,inside) dynamic interface

HOBUFWSS01# sh nat

Manual NAT Policies (Section 1)

1 (inside) to (outside) source static Obj_192.168.12.X Obj_192.168.12.X   destination static Obj_10.1.1.X Obj_10.1.1.X inactive

    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)

1 (outside) to (inside) source dynamic obj-10.1.1.0 interface

    translate_hits = 141, untranslate_hits = 22

Note we do have two different objects obj-10.1.1.0 and Obj_10.1.1.X.

What am I doing wrong? Got closer. Also, the clients in Site B that need access to Site A point directly to ASA2 as their default router.

Thanks,

Nick

