02-28-2021 06:53 PM
Went from an all-internal WAN to an SD-WAN.
Before SD-WAN, I mapped 16 of my public IPs to a local DMZ subnet off my ASA 5525-X, allowed RDP, and piped that VLAN directly to a virtual machine in the remote office. The remote user was only able to get to the VM itself. After the class, they revert the VM to a snapshot and shut it down. The reason for this non-secure hack job is that the VMs connect directly to hardware that is in the remote office. We cannot virtualize the hardware (the stuff we sell to customers) to be able to hold the class in the cloud. It's not feasible to move all of the training room hardware and training PCs from the three remote offices to the HQ office, which has no training center.
I still have the ASA 5525-X with the public IPs at HQ. Can I do a public-to-private NAT to a private IP that's at the remote office and send it there via the SD-WAN, even though the private IP subnet of the remote office is not on the ASA, but the ASA knows how to get to the remote office? (AnyConnect users can remote in and get to it.)
Can you think of a creative way to do this? Virtual IP?
Thank you!
03-01-2021 12:03 AM - edited 03-01-2021 12:08 AM
I still have the ASA 5525-X with the public IPs at HQ. Can I do a public-to-private NAT to a private IP that's at the remote office and send it there via the SD-WAN, even though the private IP subnet of the remote office is not on the ASA, but the ASA knows how to get to the remote office? (AnyConnect users can remote in and get to it.)
object network Real
host 1.1.1.1
object network RealMap
host 192.168.x.x
!
nat (outside,inside) source static Real RealMap
If you need AnyConnect users to reach it from outside to inside (object names are case-sensitive on the ASA, so the mapped object must be spelled exactly as defined above):
nat (outside,inside) source dynamic Anyconnectpool RealMap
03-01-2021 04:17 PM
Below are the relevant portions of my config.
Public IPs changed to 10.X.Y.X/24.
Subnet 172.16.10.0/24 is on the other side of an L3 router that is connected to (inside).
I can hit the web page of that device. That L3 router's default gateway is the ASA, so this seems a bit simpler than an IP on the remote SD-WAN. I need to get to the other end of an SD-WAN connection: 172.16.100.9.
I do not know how to map the public IP (10.10.10.9) to virtual IP 172.16.254.9, then map 172.16.254.9 to 172.16.100.9, and then have the remote 100 SD-WAN (172.16.100.1) know that the virtual IP subnet 172.16.254.0 is back at HQ's SD-WAN (172.16.1.1), and then hit the ASA (172.16.1.1), which knows about the virtual IP subnet (172.16.254.0).
Internet -> 10.10.10.254 -> ASA(Virtual IP 172.16.254.9 Map to 172.16.100.9) -> Route to HQ SD-WAN 172.16.1.1 -> Pass Over SD-WAN to 172.16.100.1 -> Handoff to 172.16.100.9
And then return back to the ASA.
HQ Site
172.16.1.1 Route Table
172.16.10.0 - L3 Route to Local Subnet 172.16.1.3
172.16.100.0 - SD-WAN to Remote 172.16.100.1
172.16.101.0 - SD-WAN to Remote 172.16.101.1
172.16.102.0 - SD-WAN to Remote 172.16.102.1
172.16.103.0 - SD-WAN to Remote 172.16.103.1
172.16.254.0 - Virtual IP Range on ASA 172.16.1.2

Tracing route to 172.16.100.9 over a maximum of 30 hops
 1 172.16.1.3 [HQ Local L3 Router]
 2 172.16.1.1 [HQ SD-WAN Device]
 3 172.16.100.1 [Remote Office 100's SD-WAN Device]
 4 172.16.100.9 [Remote Office Device]

Remote Site 100
172.16.100.1 Route Table
172.16.1.0 - SD-WAN to Remote 172.16.1.1
172.16.101.0 - SD-WAN to Remote 172.16.101.1
172.16.102.0 - SD-WAN to Remote 172.16.102.1
172.16.103.0 - SD-WAN to Remote 172.16.103.1
172.16.254.0 - SD-WAN to Remote 172.16.1.1 - Virtual IP Range on ASA 172.16.1.2

Tracing route to 172.16.1.3 over a maximum of 30 hops
 1 172.16.100.1 [Remote Office 100's SD-WAN Device]
 2 172.16.1.1 [HQ SD-WAN Device]
 3 172.16.1.3 [HQ Local L3 Router]
object network NETWORK-HQ
 subnet 172.16.1.0 255.255.255.0
!
object network NETWORK-TRAINING-100
 subnet 172.16.100.0 255.255.255.0
!
object network NETWORK-TRAINING-101
 subnet 172.16.101.0 255.255.255.0
!
object network NETWORK-TRAINING-102
 subnet 172.16.102.0 255.255.255.0
!
object network NETWORK-TRAINING-103
 subnet 172.16.103.0 255.255.255.0
!
interface GigabitEthernet0/0
 description 10 Network Outside IP
 nameif outside-10
 security-level 0
 ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet0/1
 description 20 Network Outside IP
 nameif outside-20
 security-level 0
 ip address 10.20.20.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
 policy-route route-map PBR
!
object network NETWORK-VPN-POOL
 subnet 10.200.200.0 255.255.255.0
!
object network Remote-Test-EXT
 host 10.10.10.254
!
object network Remote-Test-INT
 host 172.16.10.9
!
access-list outside-10_access_in extended permit tcp any4 object Remote-Test-INT eq 80
access-list outside-10_access_in extended permit tcp object Remote-Test-EXT eq 80 object Remote-Test-INT eq 80
access-list 10-Static-PBR-ACL extended permit ip object Remote-Test-INT any
!
object network Remote-Test-INT
 nat (inside,outside-10) static Remote-Test-EXT
!
route-map PBR permit 10
 match ip address 10-Static-PBR-ACL
 set ip next-hop 10.10.10.1
!
route-map PBR permit 20
 match ip address 20-Static-PBR-ACL
 set ip next-hop 10.20.20.1
!
route-map PBR permit 30
 match ip address Internal-Dynamic-PBR-ACL
 set ip next-hop 10.20.20.1
!
route hbg-inside 172.16.100.0 255.255.255.0 172.16.1.1 1
route hbg-inside 172.16.102.0 255.255.255.0 172.16.1.1 1
route hbg-inside 172.16.103.0 255.255.255.0 172.16.1.1 1
route hbg-inside 172.16.104.0 255.255.255.0 172.16.1.1 1
route hbg-inside 172.16.10.0 255.255.255.0 172.16.1.3 1
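Added example, not code from any of the posts above: a small Python model of the path the poster diagrams (Internet -> ASA -> HQ SD-WAN -> remote SD-WAN -> training host), with the static NAT from the reply applied on the ASA and longest-prefix route lookup at every hop. It takes the addresses from the thread (ASA inside 172.16.1.2, HQ SD-WAN 172.16.1.1, remote SD-WAN 172.16.100.1, training host 172.16.100.9, public address 10.10.10.9); the Internet client 198.51.100.10, the node names, and the remote office's Internet default route are constructed assumptions. The point it makes is the one the poster's "and then return back to the ASA" line raises: the ASA is a stateful firewall, so the reply from 172.16.100.9 must come back over the SD-WAN to the ASA to be untranslated; if the remote office sends Internet-bound traffic out its own breakout, the client receives a reply from a private source and the session fails.

```python
"""Model NAT on the HQ ASA plus hop-by-hop routing over the SD-WAN and check
that the reply path is symmetric (returns through the ASA).  Constructed
example: thread addresses, made-up client 198.51.100.10 and node names."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    addresses: set          # addresses this node owns; packets to them are delivered here
    routes: list            # [(IPv4Network, next-hop node name)], default route is 0.0.0.0/0
    static_nat: dict = field(default_factory=dict)  # ASA only: public -> real (inside) address

    def next_hop(self, dst):
        """Longest-prefix match, the way a router or the ASA picks a route."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, nh in self.routes:
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best[1] if best else None


def asa_translate(asa, src, dst):
    """Static NAT is bidirectional: untranslate inbound packets sent to the public
    address, translate outbound replies from the real host back to it."""
    if dst in asa.static_nat:
        return src, asa.static_nat[dst]
    real_to_public = {real: pub for pub, real in asa.static_nat.items()}
    if src in real_to_public:
        return real_to_public[src], dst
    return src, dst


def forward(nodes, start, src, dst, max_hops=10):
    """Walk one packet from `start` until it is delivered or dropped.
    Returns (path, src, dst) as seen at the final hop."""
    path, node = [start], nodes[start]
    for _ in range(max_hops):
        if node.static_nat:                 # this hop is the ASA
            src, dst = asa_translate(node, src, dst)
        if dst in node.addresses:
            return path, src, dst
        nh = node.next_hop(dst)
        if nh is None:
            return path + ["DROP:no-route"], src, dst
        path.append(nh)
        node = nodes[nh]
    return path + ["DROP:ttl-exceeded"], src, dst


def build_topology(remote_default):
    """`remote_default` is where the remote office sends Internet-bound traffic:
    "hq-sdwan" (back over the SD-WAN, via HQ) or "remote-isp" (local breakout)."""
    net = ipaddress.ip_network
    return {
        "client": Node("client", {"198.51.100.10"}, [(net("0.0.0.0/0"), "asa")]),
        "asa": Node("asa", {"10.10.10.2", "172.16.1.2"}, [
            (net("172.16.100.0/24"), "hq-sdwan"),  # route inside 172.16.100.0/24 via 172.16.1.1
            (net("172.16.10.0/24"), "hq-l3"),      # route inside 172.16.10.0/24 via 172.16.1.3
            (net("0.0.0.0/0"), "client"),          # the Internet, collapsed to the one client
        ], static_nat={"10.10.10.9": "172.16.100.9"}),
        "hq-l3": Node("hq-l3", {"172.16.1.3"}, [(net("0.0.0.0/0"), "asa")]),
        "hq-sdwan": Node("hq-sdwan", {"172.16.1.1"}, [
            (net("172.16.100.0/24"), "remote-sdwan"),
            (net("172.16.10.0/24"), "hq-l3"),
            (net("0.0.0.0/0"), "asa"),             # assumed: HQ SD-WAN defaults to the ASA
        ]),
        "remote-sdwan": Node("remote-sdwan", {"172.16.100.1"}, [
            (net("172.16.100.0/24"), "remote-host"),
            (net("172.16.1.0/24"), "hq-sdwan"),
            (net("0.0.0.0/0"), remote_default),
        ]),
        "remote-host": Node("remote-host", {"172.16.100.9"}, [(net("0.0.0.0/0"), "remote-sdwan")]),
        "remote-isp": Node("remote-isp", set(), [(net("0.0.0.0/0"), "client")]),
    }


def check_flow(remote_default, client="198.51.100.10", public="10.10.10.9"):
    """Send client -> public through the model, then the reply, and report whether
    the reply came back through the ASA carrying the public address as source."""
    nodes = build_topology(remote_default)
    fwd_path, _, real = forward(nodes, "client", client, public)
    if fwd_path[-1] not in nodes:           # forward packet was dropped somewhere
        return {"forward": fwd_path, "return": [], "reply_src": None, "symmetric": False}
    ret_path, reply_src, _ = forward(nodes, fwd_path[-1], real, client)
    symmetric = "asa" in ret_path and reply_src == public
    return {"forward": fwd_path, "return": ret_path, "reply_src": reply_src, "symmetric": symmetric}


if __name__ == "__main__":
    for remote_default in ("hq-sdwan", "remote-isp"):
        print(remote_default, check_flow(remote_default))
```

With the remote office's default route pointing back over the SD-WAN, the reply path is remote-host, remote-sdwan, hq-sdwan, asa, client and the client sees 10.10.10.9 as the source. With a local breakout it is remote-host, remote-sdwan, remote-isp, client and the source is the untranslated 172.16.100.9. The model maps the public address straight to the remote host, as the reply's NAT does; in this model the ASA needs no intermediate 172.16.254.x address, only a route to 172.16.100.0/24 via the SD-WAN device, which the posted config already carries.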