NATing an IP address to another IP address which is the source IP of an IPSEC tunnel on ASA

CiscoBrownBelt, Level 6

What if I want to NAT an internal IP address to another IP address that should be allowed to traverse an IPSEC tunnel on an ASA? Example: I have a 160.1.1.10 address that I want to be NATed to 170.1.1.10, which is a source IP allowed to reach the 200.1.1.10 destination IP of the IPSEC tunnel.

In addition to my NAT statement which is:

"Object-Nat" NATing static 160.1.1.10 to 170.1.1.10 and choosing the Inside interface as source interface (the 160.1.1.10 host is on the Inside interface) and the Outside interface (the IPSEC tunnel starts/exits on the Outside interface on both Local and Remote Tunnel/ASA devices),

Do I need to create another ACL rule which would be applied to the Crypto Map ACL, or not, since the Crypto Map ACL is already defining/allowing source address 170.1.1.10 to reach remote destination IP 200.1.1.10?


8 Replies

Hi,
You can create a NAT rule with original source (160.1.1.10) translated source 170.1.1.10 and original/translated destination the same. As 170.1.1.10 is the source defined in your crypto ACL, any traffic from 160.1.1.10 will be translated to 170.1.1.10 and be sent over the tunnel without modifying the crypto ACL. E.g.:

object network HOST_160
host 160.1.1.10
object network HOST_170
host 170.1.1.10
object network REMOTE
host 200.1.1.10

nat (INSIDE,OUTSIDE) source static HOST_160 HOST_170 destination static REMOTE REMOTE no-proxy-arp

HTH

Awesome, that's what I thought, thanks!
What do the REMOTE REMOTE represent again?

In this instance REMOTE just represents the name of an object, as an example.

HTH

Oh ok, but why two of the same object names, meaning entering the object twice?

The underlying syntax is:

nat (<source interface>,<destination interface>) source static <original source> <natted source> destination static <original destination> <natted destination>

Thus you need to specify the same destination twice when you are changing the destination address.
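As an added illustration that is not from any of the posters, here is a small Python model of the twice-NAT line above being split into the fields of that syntax template and then applied to a flow before the crypto map ACL is evaluated (outbound on the ASA, NAT happens before the crypto ACL match). The object names and the crypto ACL (host 170.1.1.10 to host 200.1.1.10) are taken from the thread; the order-of-operations model is an assumption of this example, not ASA code.

```python
from __future__ import annotations
import ipaddress
import re

# Constructed from the thread: the three object network definitions as /32 networks.
OBJECTS = {
    "HOST_160": ipaddress.ip_network("160.1.1.10/32"),
    "HOST_170": ipaddress.ip_network("170.1.1.10/32"),
    "REMOTE": ipaddress.ip_network("200.1.1.10/32"),
}

# Matches the twice-NAT template: nat (src_if,dst_if) source static <orig> <mapped>
# destination static <orig> <mapped>; trailing options such as no-proxy-arp are ignored.
NAT_RE = re.compile(
    r"nat \((?P<src_if>\w+),(?P<dst_if>\w+)\) source static (?P<orig_src>\w+) (?P<nat_src>\w+)"
    r" destination static (?P<orig_dst>\w+) (?P<nat_dst>\w+)"
)


def parse_nat(line: str) -> dict:
    """Split a twice-NAT line into the named fields of the syntax template."""
    m = NAT_RE.match(line.strip())
    if not m:
        raise ValueError("not a twice NAT rule: " + line)
    return m.groupdict()


def apply_nat(rule: dict, src: str, dst: str) -> tuple[str, str]:
    """Translate the flow only if both original source and original destination match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in OBJECTS[rule["orig_src"]] and d in OBJECTS[rule["orig_dst"]]:
        # With /32 objects a static translation maps the host to the mapped object's address;
        # REMOTE -> REMOTE leaves the destination unchanged (identity on the destination side).
        return (str(OBJECTS[rule["nat_src"]].network_address),
                str(OBJECTS[rule["nat_dst"]].network_address))
    return src, dst  # no match, flow leaves untranslated


def crypto_acl_permits(src: str, dst: str) -> bool:
    """The crypto ACL from the thread: permit ip host 170.1.1.10 host 200.1.1.10."""
    return (ipaddress.ip_address(src) in OBJECTS["HOST_170"]
            and ipaddress.ip_address(dst) in OBJECTS["REMOTE"])


def goes_over_tunnel(rule: dict | None, src: str, dst: str) -> bool:
    """Assumed outbound order: NAT is applied first, then the crypto ACL sees the mapped addresses."""
    if rule is not None:
        src, dst = apply_nat(rule, src, dst)
    return crypto_acl_permits(src, dst)


RULE = parse_nat("nat (INSIDE,OUTSIDE) source static HOST_160 HOST_170 "
                 "destination static REMOTE REMOTE no-proxy-arp")
```

Without the NAT rule, a flow from 160.1.1.10 to 200.1.1.10 never matches the crypto ACL and is not protected by the tunnel; with it, the crypto ACL sees 170.1.1.10 and the flow is encrypted.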

Awesome, thanks!

Ok, does adding NAT statements (NATing one or a few object hosts to the allowed source object) for the IPSEC tunnel have any negative impacts, meaning I could do it while the tunnel is being used, correct?