Services over NAT

mohammedrafiq
Level 1

Hi,

I am trying to connect two sites with overlapping IP addresses (see attached diagram). Site A LAN addresses will be dynamically NATed to 10.1.1.0/24 at the ASA 5520. All the users from site A need to get services from site B (DHCP, DNS, Mailbox, Print Servers, AD login etc). All the connections will be initiated from site A to B.

My question is

1- Will all these services run over the NATed (dynamic) addresses, or do I have to change to static NAT?

2- Is anyone running this kind of network who could provide a sample config for the ASA 5520?

Regards,

Accepted Solution

Hi,

I suggest doing NAT on both sites.

For Site A with ASA running 8.4 software the NAT configuration might look something like this

Base Information

  • Site A LAN: 192.168.1.0/24
  • Site A LAN NAT: 10.1.1.0/24
  • Site B LAN (NAT): x.x.x.x/24
  • Site A LAN interface = inside
  • Site A WAN interface = outside

Configuration

object network LAN-LOCAL
  subnet 192.168.1.0 255.255.255.0
object network LAN-NAT
  subnet 10.1.1.0 255.255.255.0
object network REMOTE-LAN
  subnet x.x.x.x 255.255.255.0

nat (inside,outside) source static LAN-LOCAL LAN-NAT destination static REMOTE-LAN REMOTE-LAN

What the above configuration will do is

  • Do NAT between interfaces "inside" and "outside"
  • When Site A users connect from their LAN-LOCAL to REMOTE-LAN their NAT IP address will be LAN-NAT
    • This works both ways. When Site B REMOTE-LAN connects to LAN-NAT it will reach LAN-LOCAL of Site A
  • Also notice that since you are using this type of NAT, every LOCAL and NAT address will match each other in the last portion of the IP address
    • 192.168.1.1 = 10.1.1.1
    • 192.168.1.2 = 10.1.1.2
    • 192.168.1.3 = 10.1.1.3
    • etc

As I said before, I would suggest you ask the Site B admin to also NAT their local LAN 192.168.1.0/24 to something; then you can use that network range and insert it into the above configuration in place of x.x.x.x.

Please rate if you found the information helpful

Also ask more if needed

- Jouni


3 Replies

Jouni Forss
VIP Alumni

Hi,

Some questions

  • Do you manage both ASAs?
  • What are the ASAs' software versions? (need to know for the NAT/ACL configurations)

I guess you could use Static NAT to NAT Site A and B both to their own /24 NAT networks. I would personally start with this.

This would mean that if host 192.168.1.100 on Site A uses the L2L VPN it will show up as NAT IP x.x.x.100 and so forth. Same for Site B: if you want to connect to a host there which has the real IP of 192.168.1.200, the actual NAT IP address would be y.y.y.200.

EDIT: For DHCP to work over this connection I'd imagine you need to forward the DHCP messages as unicast instead of broadcast. In other words, you need a router with "ip helper-address" configuration on the LAN interfaces.

I'm not 100% sure whether the ASA would handle such a thing through VPN. You might be able to use the DHCP relay on the ASA, but I have never tried to configure it. I think there was some Cisco employee document about it on the forums though.

- Jouni
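The twice-NAT rule from the accepted solution and the 1:1 host mapping Jouni describes in this reply, modelled as an added Python example (this is not code from the page, and it is a model of the translation, not an ASA). The Site B NAT range is "x.x.x.x/24" on the page, so the 10.2.2.0/24 value below is an assumption.

```python
import ipaddress

# Constructed addresses. Site A's LAN and NAT range come from the thread;
# the Site B side is "x.x.x.x/24" on the page, so 10.2.2.0/24 is an assumption.
SITE_A = {"local": "192.168.1.0/24", "nat": "10.1.1.0/24", "remote": "10.2.2.0/24"}
SITE_B = {"local": "192.168.1.0/24", "nat": "10.2.2.0/24", "remote": "10.1.1.0/24"}


def _shift(addr, src_net, dst_net):
    """Move addr from src_net to dst_net keeping the host part (static network NAT)."""
    host_offset = int(addr) - int(src_net.network_address)
    return dst_net.network_address + host_offset


class TwiceNat:
    """Models: nat (inside,outside) source static LOCAL NATNET destination static REMOTE REMOTE."""

    def __init__(self, local, nat, remote):
        self.local = ipaddress.ip_network(local)
        self.nat = ipaddress.ip_network(nat)
        self.remote = ipaddress.ip_network(remote)
        # A 1:1 network mapping only works when real and mapped subnets are the same size.
        if self.local.prefixlen != self.nat.prefixlen:
            raise ValueError("static network NAT needs equal-size real and mapped subnets")

    def inside_to_outside(self, src, dst):
        """Packet leaving the LAN: src is translated only when src is in LOCAL and dst in REMOTE."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src in self.local and dst in self.remote:
            return str(_shift(src, self.local, self.nat)), str(dst)
        return str(src), str(dst)  # this rule does not match; no translation by it

    def outside_to_inside(self, src, dst):
        """Traffic from REMOTE to the mapped range is untranslated back to the real LAN host."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src in self.remote and dst in self.nat:
            return str(src), str(_shift(dst, self.nat, self.local))
        return str(src), str(dst)


def end_to_end(src, dst):
    """Site A host -> Site B host through both ASAs, as the accepted answer recommends.

    Returns ((src, dst) on the wire between the sites, (src, dst) as seen by the Site B host).
    """
    site_a, site_b = TwiceNat(**SITE_A), TwiceNat(**SITE_B)
    s1, d1 = site_a.inside_to_outside(src, dst)   # Site A: 192.168.1.x -> 10.1.1.x
    s2, d2 = site_b.outside_to_inside(s1, d1)     # Site B: 10.2.2.y -> 192.168.1.y
    return (s1, d1), (s2, d2)
```

Because both sites keep the real 192.168.1.0/24 internally, a Site A host must address the Site B server by its mapped address (10.2.2.200 for real 192.168.1.200); the example shows that the last octet survives each hop.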

Thanks  Jouni,

We only manage the site A ASA, version 8.4. Please can you paste some sample config for NAT (static NAT to NAT Site A and B both to their own /24 NAT networks) as you suggested.

Regards,

