01-18-2012 01:34 PM - edited 03-11-2019 03:16 PM
Hi All,
I have a scenario I have been trying to work out how to do and just cannot work out. I am sure someone on here with a lot more experience than me will answer this very easily.
We have an ASA5510 running version 8.25. This is in our central office in London. The London network has an ip address range of 10.110.128.0/22. Connected to this via a site-to-site VPN we have a satellite office that has an IP address range of 172.16.148.0/22.
We have now connected to our parent company via another site-to-site VPN connected to the same ASA5510. Their network has an internal range of 10.110.18.0/24. It was our parent company that issued us with our range of addresses a long while ago so that it all fits in with the rest of the company.
We have resources (web servers) on their network that we use which work just as it all should. We now want to allow our satellite office to view those same web servers. The problem is that only 10.110 addresses can flow to our parent company.
I have configured the firewall at our central office and our satellite office to route across to our parent company via our network, and the packets are flowing just fine except that obviously once they reach our firewall they cannot go to our parent company because the 172.16.148 range cannot be routed there.
My idea is to NAT traffic from our satellite office to one of our local addresses before it goes over to our parent company network.
For example: If someone in our satellite office with an IP address of 172.16.150.5 attempts to request a resource from 10.110.18.12 then the request would go via the VPN to our firewall and then get NATed to 10.110.131.200 before being passed on to our parent company network.
My question is what would the NAT configuration be to achieve this. I just cannot work out what type of NAT I would need or how to construct the command. It's probably PAT as it will be multiple addresses to a single address. Essentially, all traffic from 172.16.148.0/22 destined for 10.110.18.0/24 should get NATed at our firewall to 10.110.131.200 before being passed on.
Just to add, we already have this working from our Cisco 3000 Concentrator which is now going to be phased out hence trying to get this to work on our ASA. The satellite office has now been moved to the ASA and as of today our parent company has been moved to the ASA.
Many thanks in advance.
Steve
01-18-2012 01:58 PM
Hello Lang,
The nat for that would be like this:
nat (outside) 11 172.16.148.0 255.255.252.0 outside
global (inside) 11 10.110.131.200
So all users on the outside from the subnet 172.16.148.0/22 will be NATed to the inside to 10.110.131.200.
Hope this helps (do not forget the keyword outside on the nat (outside)).
Regards,
Julio
01-18-2012 02:09 PM
Many thanks for that but I have a question.
Will that only NAT if the request is destined for the 10.110.18.0 subnet? There are actually other VPNs connected to the firewall where it needs to keep its original IP address of 172.16.148.0. The only time it should NAT is if it is going on to the 10.110.18.0 subnet.
01-18-2012 11:45 PM
Hi,
Then you should do a Policy NAT from outside to inside, specifying the traffic with an access-list.
In this case, using the above example, the configuration would look something like this:
access-list VPN-POLICY-NAT permit ip 172.16.148.0 255.255.252.0 10.110.18.0 255.255.255.0
global (inside) 11 10.110.131.200
nat (outside) 11 access-list VPN-POLICY-NAT
The above configuration's access-list tells the ASA to apply the NAT of ID 11 only when traffic is coming from the outside interface from network 172.16.148.0/22 to inside network 10.110.18.0/24.
To my knowledge the only thing that could override this configuration would be a NAT0/NAT Exempt configuration if it is somehow overlapping the above networks.
Please feel free to correct me, but the above NAT configuration seemed to me what you were looking for.
- Jouni
01-19-2012 05:10 AM
Many thanks for all your help. The commands that worked in the end were:
access-list VPN-POLICY-NAT permit ip 172.16.148.0 255.255.252.0 10.110.18.0 255.255.255.0
global (outside) 11 10.110.131.200 netmask 255.255.255.255
nat (outside) 11 access-list VPN-POLICY-NAT
So very similar except it was (outside) instead of (inside) on the global command. I couldn't have worked it out without the help from you guys.
Best Regards
Steve
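As an added example that is not part of the thread and not any poster's configuration: a small Python model of how an ASA 8.2 evaluates the three kinds of dynamic NAT discussed above, in the order the platform checks them (NAT exemption with nat 0 access-list first, then policy NAT with nat <id> access-list, then regular dynamic NAT on a source network only). It lets you replay sample flows against Julio's first suggestion, against the final policy-NAT rule, and against Jouni's caveat about an overlapping nat 0. Everything beyond the addresses quoted in the thread is a constructed assumption: the second satellite host 172.16.150.6, the London destination 10.110.129.10, the hypothetical exemption entry 172.16.148.0/22 to 10.110.0.0/16, the source ports, and the simplified PAT port allocator (a real ASA picks ports differently and also tracks protocol and idle timeouts).

```python
"""Model of ASA 8.2-style dynamic NAT precedence for the thread's scenario.

Added example, not a Cisco implementation. Assumes nat-control is disabled
(the default since 7.0), so a packet matching no rule is forwarded untranslated.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class Ace:
    """One 'permit ip <src> <dst>' line of a policy-NAT or exemption access-list."""
    src: str
    dst: str

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


@dataclass
class Asa82Nat:
    """Dynamic NAT rules on one interface (here 'outside') and their global pools."""
    exempt: List[Ace] = field(default_factory=list)             # nat (outside) 0 access-list ...
    policy: Dict[int, List[Ace]] = field(default_factory=dict)  # nat (outside) <id> access-list ...
    regular: Dict[int, str] = field(default_factory=dict)       # nat (outside) <id> <net> <mask> outside
    pools: Dict[int, str] = field(default_factory=dict)         # global (outside) <id> <one address> = PAT
    _xlate: Dict[Tuple[str, int], int] = field(default_factory=dict)
    _next_port: int = 1024

    def translate(self, src: str, dst: str, sport: int) -> Tuple[str, int]:
        """Return the (source address, source port) the next hop sees."""
        # 1. NAT exemption is evaluated first; when it matches it wins outright.
        if any(a.matches(src, dst) for a in self.exempt):
            return src, sport
        # 2. Policy NAT: the access-list decides on source AND destination.
        for nat_id, aces in self.policy.items():
            if any(a.matches(src, dst) for a in aces):
                return self._pat(nat_id, src, sport)
        # 3. Regular dynamic NAT: source network only, destination is ignored.
        for nat_id, net in self.regular.items():
            if ip_address(src) in ip_network(net):
                return self._pat(nat_id, src, sport)
        # 4. No rule matched: forwarded with the original source (nat-control off).
        return src, sport

    def _pat(self, nat_id: int, src: str, sport: int) -> Tuple[str, int]:
        """Many-to-one translation: every flow shares the pool address, unique port each."""
        key = (src, sport)
        if key not in self._xlate:
            self._xlate[key] = self._next_port   # simplified allocator (assumption)
            self._next_port += 1
        return self.pools[nat_id], self._xlate[key]


def julio_config() -> Asa82Nat:
    """nat (outside) 11 172.16.148.0 255.255.252.0 outside / global (outside) 11 10.110.131.200"""
    asa = Asa82Nat()
    asa.regular[11] = "172.16.148.0/22"
    asa.pools[11] = "10.110.131.200"
    return asa


def final_config(with_overlapping_exempt: bool = False) -> Asa82Nat:
    """access-list VPN-POLICY-NAT + nat (outside) 11 access-list + global (outside) 11 10.110.131.200"""
    asa = Asa82Nat()
    asa.policy[11] = [Ace("172.16.148.0/22", "10.110.18.0/24")]
    asa.pools[11] = "10.110.131.200"
    if with_overlapping_exempt:
        # Hypothetical 'nat (outside) 0 access-list' that also covers satellite-to-parent traffic.
        asa.exempt.append(Ace("172.16.148.0/22", "10.110.0.0/16"))
    return asa


if __name__ == "__main__":
    flows = [("172.16.150.5", "10.110.18.12", 40000),   # satellite -> parent web server
             ("172.16.150.6", "10.110.18.12", 40000),   # second satellite host (constructed)
             ("172.16.150.5", "10.110.129.10", 40001)]  # satellite -> London LAN (constructed)
    for label, asa in [("regular nat", julio_config()),
                       ("policy nat", final_config()),
                       ("policy nat + overlapping nat 0", final_config(True))]:
        print(label)
        for src, dst, sport in flows:
            print("  ", src, "->", dst, "seen as", asa.translate(src, dst, sport))
```

Running it shows why Steve needed the access-list: with the plain nat (outside) 11 rule every packet from 172.16.148.0/22 is rewritten, including traffic to London, while the policy rule only rewrites flows whose destination is 10.110.18.0/24, and an overlapping exemption entry silently switches the translation off again. Two general ASA points worth checking when reproducing the final configuration on a real box: the crypto access-list for the parent-company tunnel must match the translated source 10.110.131.200, because NAT is applied before the packet is classified against the crypto map, and traffic arriving on the outside interface from one VPN and leaving on the same interface into another requires same-security-traffic permit intra-interface.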