10-22-2012 11:34 AM - edited 03-11-2019 05:12 PM
Hi All,
Please let me know if we have the option to configure Persistent NAT or address persistency in Cisco ASA.
Please go through the details below and my exact requirement:
Our internal network is 10.x.x.x/8. We have a Lan-2-Lan VPN partner (192.168.10.x/24).
We have dual firewall architecture. VPN is configured on ASA (8.2) with IP allowed. Internal firewall is (FWSM 4.2) which is directly connected to ASA.
Our side encryption list configured as
acl-vpn permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
As the partner's network address 192.168.10.x/24 is not routable in our domain, we have done policy based NAT as below:
acl-nat-out2in permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (outside) 100 access-list acl-nat-out2in
global (inside) 100 10.80.80.1-10.80.80.254
VPN tunnel is established and working.
Requirement:
When a request comes from the pre NAT IP, the host portion should match with the IP of the NAT pool.
i.e. if the pre NAT IP is 192.168.10.1, then it should always use IP 10.80.80.1 from the pool, and so on.
In Cisco routers we can achieve this by using "type match-host" key word to the ip nat pool.
Likewise, do we have the option in Cisco ASA? I verified many sites/documentations but without success.
Juniper has this option.
Regards, Rajender
10-30-2012 07:34 AM
Hi,
One to one mapping between two networks of equal size can be configured in your case with:
static (outside,inside) 10.80.80.0 192.168.10.0 netmask 255.255.255.0
OR
access-list L2L-VPN-POLICYNAT permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0
static (outside,inside) 10.80.80.0 access-list L2L-VPN-POLICYNAT netmask 255.255.255.0
I might have to double check those (so try at your own risk), but those are the configuration options that came into my mind first. They should keep the original / NAT IP addresses "identical" when it comes to the last portion of the IP address.
- Jouni
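The difference between the original dynamic pool (nat/global with a range, which hands out whatever pool address is free) and the net-to-net static above (which only rewrites the network bits, so the host part is preserved) can be made concrete in code. The following is an added example, not configuration or code from the thread or from Cisco: it models the host-preserving translation that the static (outside,inside) command performs, enforces the equal-size requirement, and audits a few constructed xlate-style lines to flag entries that do not match the expected mapping (the kind of drift Rajender observed with the dynamic pool). The "Global ... Local ..." line format and the function names are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample in the style of ASA 8.2 'show xlate' output (assumed format,
# not captured from the device). Two entries deliberately show the dynamic-pool
# behaviour described in the thread: host bits do not line up.
XLATE_SAMPLE = """\
Global 10.80.80.223 Local 192.168.10.1
Global 10.80.80.2 Local 192.168.10.2
Global 10.80.80.67 Local 192.168.10.3
"""

XLATE_RE = re.compile(r"Global\s+(\S+)\s+Local\s+(\S+)")


def static_net_map(real_net: str, mapped_net: str, real_ip: str) -> str:
    """Model of 'static (outside,inside) <mapped-net> <real-net> netmask <mask>'.

    Only the network bits are rewritten; the host bits of real_ip are kept,
    which is what guarantees 192.168.10.N -> 10.80.80.N for every N.
    """
    rn = ipaddress.ip_network(real_net, strict=False)
    mn = ipaddress.ip_network(mapped_net, strict=False)
    if rn.prefixlen != mn.prefixlen:
        # net-to-net static NAT only makes sense for networks of equal size
        raise ValueError(f"networks differ in size: {rn} vs {mn}")
    ip = ipaddress.ip_address(real_ip)
    if ip not in rn:
        raise ValueError(f"{real_ip} is not inside real network {rn}")
    host_bits = int(ip) & int(rn.hostmask)
    return str(ipaddress.ip_address(int(mn.network_address) | host_bits))


def audit_xlate(xlate_text: str, real_net: str, mapped_net: str) -> list:
    """Compare each (local, global) translation against the host-preserving
    mapping and return (local, actual_global, expected_global) for mismatches.

    An empty list means every active translation matches what the static
    net-to-net NAT would produce.
    """
    mismatches = []
    for line in xlate_text.splitlines():
        m = XLATE_RE.search(line)
        if not m:
            continue
        global_ip, local_ip = m.group(1), m.group(2)
        expected = static_net_map(real_net, mapped_net, local_ip)
        if global_ip != expected:
            mismatches.append((local_ip, global_ip, expected))
    return mismatches


if __name__ == "__main__":
    for host in ("192.168.10.1", "192.168.10.254"):
        print(host, "->", static_net_map("192.168.10.0/24", "10.80.80.0/24", host))
    for local_ip, actual, expected in audit_xlate(XLATE_SAMPLE, "192.168.10.0/24", "10.80.80.0/24"):
        print(f"mismatch: {local_ip} is {actual}, expected {expected}")
```

Run as a script it prints the two mappings and two mismatch lines; a clean run of the audit (no output) is the expected state once the static command is in place and old dynamic translations have aged out.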
10-22-2012 01:29 PM
Hello Rajender,
Actually, that is how it behaves: if you have a /24 as the pool and the global is a /24 as well, then the ASA will perform a one to one mapping.
You can create captures to check this out.
Regards,
10-30-2012 07:27 AM
Hi jcarvaja,
Thanks for the reply. But I might have not clearly explained my request.
I verified the NAT translations. The firewall is creating a one to one mapping, but each time the pre NAT IP is taking a different IP from the NAT pool (10.80.80.1 - 254).
e.g. two days ago pre NAT IP 192.168.10.1 was mapped to 10.80.80.223. Today it got mapped to 10.80.80.67.
The host portion of the pre NAT should always match with the host portion of the post NAT IP as below:
e.g.: 192.168.10.1 -> 10.80.80.1
192.168.10.2 -> 10.80.80.2
192.168.10.3 -> 10.80.80.3
...
192.168.10.254 -> 10.80.80.254
Regards, Rajender
11-20-2012 09:09 AM
Hi Jouni,
Sorry for the very late response.
Thanks for the information. It works fine as per requirement when I configured as below:
static (outside,inside) 10.80.80.0 192.168.10.0 netmask 255.255.255.0
Once again thanks a lot.
Regards, Rajender