NAT traffic in VPN Tunnels

NeWGuy1109
Level 1

I have a scenario where traffic from Site A to Site B takes place via NAT. Now the requirement is to put this NATted traffic in a VPN tunnel created in Cisco ASA/Firepower. When I try to create site-to-site VPN tunnels it gives an option to exempt from NAT. Considering the traffic is already going to be manually NATted, do I even need to select this option? What will be the traffic flow in this case? Will it be translated through manual NAT first and then hit the tunnels? I assume I have to give the NAT subnet at the source and destination site in this case.

10 Replies

In the ASA there are three NAT sections:

Section 1

Section 2

Section 3

Normally site-to-site VPN tunnels come under section 1, and they are called identity NAT or NAT exemption. You have to define a NAT exemption for your site-to-site VPN.

An example is:

nat (in,out) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

The above command is not going to NAT your traffic but will exempt it, so your above rule will not match the NAT traffic.

Please do not forget to rate.

So in order to use manually defined NAT, I have to use NAT exempt while establishing the VPN tunnel? Also, if I have a multi-interface environment, how do I NAT exempt on all required interfaces? The ASDM wizard allows 1 interface to be selected from the dropdown.

Yes, correct. If you have a multiple-interface environment, in that case you have to distinguish which interface your source network is coming from. For example, your interested network is 192.168.1.20, so in the ASA you can do

show ip address | i 192.168.1

Please do not forget to rate.

Source will come from different virtual interfaces in the inside zone, so I need to define several interfaces in the exempt area.

Hi,
You don't have to use NAT exemption. When a VPN is established most people expect traffic from the original source IP address (real/private IP); without the NAT exemption rule in place the traffic would normally be NATted behind the outbound interface, as defined in the dynamic NAT rule typically used for all internet access.

If you are currently NATting traffic between Site A and Site B and you still want to NAT, then you need to ensure the NAT IP address is defined as the source in your crypto ACL, and reverse that configuration on the peer.

Most organisations NAT when establishing a VPN to a 3rd party. If you control both ends of the VPN, I'd normally recommend a NAT exemption rule.

HTH

Hello,
I can control both ends of the VPN, and currently they are communicating via NAT. We want to put that traffic in a tunnel. If I understand you correctly I can use NAT exempt here as the traffic will already be NATted. My issue is how to define various internal subinterfaces to be exempted from NAT while configuring the site-to-site tunnel.

The ASA will only NAT the traffic once, so if the ASA is currently doing the NATting then you probably don't need to define any other NAT rules. That's assuming the outbound traffic over the tunnel still hits the same NAT rule and the source/destination interfaces haven't changed.

Do you want the sub-interfaces to communicate over the VPN but not NATted? If you don't want the sub-interfaces to communicate over the VPN then don't define them in the crypto ACL.

The subinterfaces will communicate, but via the already defined NAT. As an example, Site A has a NAT subnet of 1.1.1.0/24 and Site B has 2.2.2.0/24.
Now Site A internal subnets: 192.168.1.0/24
Site B internal subnets: 192.168.2.0/24 (subinterface), 192.168.3.0/24 (subinterface)...
So any IP at Site A uses NAT IP 1.1.1.50 to communicate to IPs at Site B (say 2.2.2.1 for a server in one subinterface and 2.2.2.2 for a server in another interface).

So I guess the tunnel will be established between 1.1.1.0/24 and 2.2.2.0/24 with NAT exempt at both Site A and Site B, but I am not sure I will be able to NAT exempt on all the usable subinterfaces while making the tunnel.

It seems like you are overcomplicating things. Why not just NAT exempt all the traffic between your sites?

Example of NAT exemption:

SITEA CONFIG
object network SITEA
 subnet 192.168.1.0 255.255.255.0
object network SITEB-2
 subnet 192.168.2.0 255.255.255.0
object network SITEB-3
 subnet 192.168.3.0 255.255.255.0
object-group network SITEB
 network-object object SITEB-2
 network-object object SITEB-3

nat (any,OUTSIDE) source static SITEA SITEA destination static SITEB SITEB

Just swap the NAT source and destinations for SITEB configuration.


If you don't want to NAT exempt all traffic, just amend the object groups above, define the traffic you don't want to be translated from the private IP address to 1.1.1.x on SITEA or 2.2.2.x on SITEB, and apply the necessary NAT rule. The traffic that isn't defined in the NAT exemption rule would match your existing NAT rule and be translated from 192.168.x.x to 1.1.1.x.
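As an added illustration (not from this thread or from Cisco), a small Python model of the ASA's NAT section order for the addresses discussed here: the section-1 identity rule above matches Site A to Site B traffic first and leaves it untranslated, anything else falls through to the pre-existing PAT rule that hides Site A behind 1.1.1.50, and without the exemption the same VPN-bound flow is PATted before it can match a crypto ACL written for the private subnets. The PAT rule, the crypto ACL and the outside address 203.0.113.9 are constructed assumptions; interface pairs and sections 3 are left out.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

SITEA = [net("192.168.1.0/24")]
SITEB = [net("192.168.2.0/24"), net("192.168.3.0/24")]  # the two Site B subinterfaces
ANY = [net("0.0.0.0/0")]

# Constructed rule table for the Site A ASA. Each rule is
# (section, description, source nets, destination nets, translate(src, dst)).
# Section 1 = manual NAT (the identity rule in the thread), section 2 = object NAT;
# the ASA walks the sections in order and the first matching rule wins.
EXEMPT_RULE = (1, "identity NAT: SITEA->SITEB untranslated", SITEA, SITEB,
               lambda src, dst: (src, dst))
PAT_RULE = (2, "dynamic PAT: SITEA hidden behind 1.1.1.50", SITEA, ANY,
            lambda src, dst: ("1.1.1.50", dst))   # assumed pre-existing rule

def nat_lookup(src, dst, rules):
    """Return the first rule a packet src->dst hits and its translated addresses."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for section, desc, src_nets, dst_nets, xlate in sorted(rules, key=lambda r: r[0]):
        if any(s in n for n in src_nets) and any(d in n for n in dst_nets):
            xsrc, xdst = xlate(src, dst)
            return {"section": section, "rule": desc, "src": xsrc, "dst": xdst}
    return {"section": None, "rule": "no NAT rule matched", "src": src, "dst": dst}

def crypto_acl_match(xsrc, xdst):
    """Assumed crypto ACL written for the real (private) subnets, as NAT exemption expects."""
    s, d = ipaddress.ip_address(xsrc), ipaddress.ip_address(xdst)
    return any(s in n for n in SITEA) and any(d in n for n in SITEB)

def vpn_bound(src, dst, rules):
    """True if the flow, after NAT, is still selected by the crypto ACL."""
    r = nat_lookup(src, dst, rules)
    return crypto_acl_match(r["src"], r["dst"])

if __name__ == "__main__":
    full = [PAT_RULE, EXEMPT_RULE]
    for flow in [("192.168.1.20", "192.168.2.10"), ("192.168.1.20", "192.168.3.10"),
                 ("192.168.1.20", "203.0.113.9")]:
        print(flow, nat_lookup(*flow, full), "vpn:", vpn_bound(*flow, full))
    # Same VPN-bound flow with the exemption missing: PAT wins and the ACL misses it.
    print(nat_lookup("192.168.1.20", "192.168.2.10", [PAT_RULE]))
```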

According to Cisco best practice, using any is not recommended.

nat (any,outside): it is better to define a zone, e.g.

nat (inside,outside)

Please do not forget to rate.