Site to Site VPN with NAT ASA v9.0

g_vvenkov
Level 1

Hello,

I have a Cisco ASA running v9.0 which resides between the LAN and the Internet. The ASA terminates a number of L2L VPNs. One of the VPNs is interesting, and I would need some help with it.

This L2L VPN looks like:

(MyLAN) 192.168.0.0/16, 10.8.0.0/16  >>>dynamic PAT >>>> Public IP ============ VPN tunnel ========== 10.183.0.0/16 (remote site LAN)

The setup is that communication is always initiated from MyLAN towards the Remote LAN. Dynamic PAT is in use because in the Remote LAN there is the same private space, but it's smaller than MyLAN.

Dynamic NAT on the ASA at MyNET is done like this:

nat (inside,outside) source dynamic MyNET Public_IP destination static Remote_LAN Remote_LAN

Everything works fine. So far so good.

The request now is that specific hosts on the Remote LAN have to communicate with specific hosts and ports in MyLAN. Communication will be initiated from the Remote LAN. Looking at the ASA 9.0 configuration guide, I conclude that I would need to set up policy NAT on the ASA at MyLAN as follows:

nat (inside,outside) source static Remote_HOSTS Remote_HOSTS destination static MyLAN_Server1 Public_IP service MyLAN_Server1_7501 Public_IP_27503

I am looking at this because I want static PAT at MyLAN to happen if the source is from this Remote LAN, and not to mess with the other VPNs on the same ASA. In the documentation for ASA 9.0 it is stated:

Twice NAT—A single rule translates both the source and destination. A matching packet only matches the one rule, and further rules are not checked. Even if you do not configure the optional destination address for twice NAT, a matching packet still only matches one twice NAT rule. The source and destination are tied together, so you can enforce different translations depending on the source/destination combination. For example, sourceA/destinationA can have a different translation than sourceA/destinationB.

Could you please advise me whether this will work and is a good approach, or what else I should consider?

1 Reply

John Forester
Level 1

Hi G,

You have an interesting problem, and I am no expert. But I believe you might consider the order of your NAT statements to help protect yourself, if you haven't already thought of it.

In the Cisco article below for version 9.0, see table 1-1.

It stipulates that NATs are checked in the order they are listed in the config.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_overview.html

I also believe your NAT will work; however, I have found that NATs only work with network objects, and not network groups. So you may have to put in several NAT statements if you have Remote_HOSTS that are not all in the same subnet.

Good Luck!
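One way to express the inbound static PAT the question asks for, together with the rule ordering the reply recommends, as an added example (this is not the poster's or the replier's configuration). The rule is written from the inside interface with the local server as the real source, so the same static rule also serves the reverse, Remote-initiated direction; all IP addresses and the Remote_HOST_A object name are constructed assumptions, the other object names are the ones used in the thread.

```text
! Added example, not from the thread. Addresses are constructed placeholders.

! Local networks behind the ASA (the question: 192.168.0.0/16 and 10.8.0.0/16)
object-group network MyNET
 network-object 192.168.0.0 255.255.0.0
 network-object 10.8.0.0 255.255.0.0

! Public address used for PAT towards the tunnel (placeholder address)
object network Public_IP
 host 203.0.113.10

! Remote site LAN (the question: 10.183.0.0/16) and one specific remote host
object network Remote_LAN
 subnet 10.183.0.0 255.255.0.0
object network Remote_HOST_A
 host 10.183.5.20

! Local server that the remote host must reach (placeholder address)
object network MyLAN_Server1
 host 192.168.1.10

! Real port on the server and the port exposed on Public_IP (the question: 7501 -> 27503)
object service MyLAN_Server1_7501
 service tcp source eq 7501
object service Public_IP_27503
 service tcp source eq 27503

! Static twice NAT inserted at line 1 so the specific rule is evaluated before the
! broader dynamic PAT rule (section 1 rules are matched top-down, as the reply notes).
! Static rules are bidirectional: a connection from Remote_HOST_A to Public_IP:27503
! is untranslated to MyLAN_Server1:7501, and only for this source/destination pair,
! so other L2L tunnels on the same ASA are not affected.
nat (inside,outside) 1 source static MyLAN_Server1 Public_IP destination static Remote_HOST_A Remote_HOST_A service MyLAN_Server1_7501 Public_IP_27503

! Existing outbound dynamic PAT from the question, now at line 2
nat (inside,outside) source dynamic MyNET Public_IP destination static Remote_LAN Remote_LAN

! Note: the crypto ACL for this tunnel must match the translated (Public_IP) address
! on the local side, which the working dynamic PAT already requires.
```

Verify with `show nat detail` that the static rule appears first and shows translate hits, and with `packet-tracer input outside tcp 10.183.5.20 40000 203.0.113.10 27503` that an inbound flow from the remote host is matched by the static rule rather than dropped.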
