NAT

bluesea2010
Level 5

Hi,

[Image attachment: asa-pep.png]

I want to do a static NAT for 192.168.1.10 to 2.2.2.10 so that the traffic comes through the second ISP.

What needs to be done on the ASA side to achieve the above?

The load balancer is a third-party appliance.

Thanks

 

10 Replies

balaji.bandi
Hall of Fame

Personally, as per the diagram, I do not believe you can do that. (Does the ASA have the same IP address configured, or is it aware of 2.2.2.10?)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,

 

There is reachability from the ASA to the 2.2.2.2 network.

Thanks

OK, in that case you have routing in place. If the IP is routed to the ASA, then you can do static NAT; your diagram is not clear on this.

BB


Ilkin
Cisco Employee

Technically speaking, a static NAT for 192.168.1.10 to 2.2.2.10 is possible on the ASA itself, and it can translate to non-directly-connected IP addresses.

The upstream device, in this case the load balancer (LB), should have the correct routing to 2.2.2.10. On the LB, the next hop for 2.2.2.10 should point to the ASA. In general, routing should also be correctly configured.

 

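As an added example (not part of the original thread), here is what the static NAT Ilkin describes looks like on an ASA using the 8.3+ object NAT syntax, with the ASA's outside address taken as 1.1.1.1 as mentioned later in the thread. The interface names, the default-route next hop 1.1.1.254, the object and ACL names and the permitted port are assumptions for illustration.

```cisco
! Assumed interfaces: inside (192.168.1.0/24) and outside (1.1.1.1/24).
! 2.2.2.10 is NOT in the outside subnet; the ASA will still translate to it.
object network SRV-192-168-1-10
 host 192.168.1.10
 nat (inside,outside) static 2.2.2.10
!
! Post-8.3 ACLs reference the REAL (untranslated) address, not 2.2.2.10.
access-list OUTSIDE_IN extended permit tcp any object SRV-192-168-1-10 eq 443
access-group OUTSIDE_IN in interface outside
!
! Assumed default route toward the load balancer.
route outside 0.0.0.0 0.0.0.0 1.1.1.254 1
!
! Verification:
! show nat detail      -> translate_hits / untranslate_hits on the rule
! packet-tracer input outside tcp 203.0.113.5 40000 2.2.2.10 443
```

The piece the ASA cannot provide is the return path: the load balancer must have a host route for 2.2.2.10 pointing at 1.1.1.1, because 2.2.2.10 is off-subnet from the ASA's point of view. That is the condition Marius Gunnerud spells out later in the thread: if 2.2.2.0/24 is directly connected on the load balancer's outside interface, the load balancer will ARP for 2.2.2.10 locally and never forward it to the ASA, and the translation then has to be done on the load balancer instead.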
Hi @Ilkin and @Marius Gunnerud 

Thanks for the reply. If I do the proper routing, can I do a site-to-site VPN with a non-directly-connected IP address?

Thanks 

All this really depends on what subnet the 2.2.2.x network has on the load balancer. If 2.2.2.10 falls within the existing 2.2.2.x subnet on the load balancer, then you would need to do NAT on the load balancer. But if the 2.2.2.10 IP can be routed to the ASA, i.e. it is not directly connected to the load balancer, then this can be done on the ASA.

--
Please remember to select a correct answer and rate helpful posts

Hi,

1) "If the 2.2.2.10 falls within the existing 2.2.2.x subnet on the loadbalancer then you would need to do NAT on the loadbalancer."

What if 2.2.2.10 is in the same subnet?

Can you explain the above?

2) If 2.2.2.10 is not directly connected, how can I peer with a remote site for a site-to-site VPN?

 

Thanks

 

1) If the 2.2.2.x subnet (which includes 2.2.2.10) is located on the outside interface of the load balancer, then this would be seen as directly connected and the load balancer would not forward the traffic to any other destination. Therefore you would need to NAT 2.2.2.10 to the IP of the ASA for there to be connectivity.

 

2) If 2.2.2.10 is not directly connected to the ASA, you would need to NAT 2.2.2.10 to the IP of the ASA. Make sure that NAT traversal is enabled on the ASA (it should be enabled by default).


Hi,

Regarding the site-to-site VPN:

1) I want to peer with the ASA (2.2.2.11), which is not directly connected, and there is no destination NAT for the device (I mean 2.2.2.11 is not NATed to any LAN device). Is there a way to establish a S2S VPN?

2) 2.2.2.11 is NATed on the load balancer to 1.1.1.1 (which is the outside interface of the ASA). Can a remote site peer with 2.2.2.11?

 

Thanks a million 

1) You need to provide more information with regard to where the 2.2.2.11 subnet is located. Is this subnet part of the load balancer's outside interface? If yes, then you must do NAT on the load balancer. If it is not part of the load balancer's outside interface, then you need to configure routing on the load balancer so that it sends traffic for 2.2.2.11 to the ASA. Regardless, you will be able to set up a S2S VPN. You just need to be sure that connectivity is there between the VPN devices.

 

2) Yes, if there is NAT on the load balancer to 1.1.1.1, then you will be able to set up a S2S VPN between the ASA and a remote site.
