Source NAT for IPSec Site 2 Site VPN

rjadhav163
Level 1

Hi Guys,

So I have like 50 people from 10.1.1.0/24, who have static IPs and want to connect to a remote site.

This remote site is of our Business-Partner and our employees access that remote site through IPSec S2S VPN. So basically when our employees access 192.168.10.0/24 network then the firewall automatically establishes this IPSec S2S to remote peer.

This was so far ok.

Now, for some reasons, our Business Partner says that we must use our Local Net to be 10.20.30.0/29 which was previously 10.1.1.0/24.

This means that on Business Partner Firewall only 10.20.30.0/29 will be entered as remote network.

So the question is: Can my employees still use 10.1.1.0/24 network and I would just use Source NAT mapping 10.1.1.0/24 to 10.20.30.0/29 so that nothing changes for my employees?

Thanks and Regards,

4 Replies

Francesco Molino
VIP Alumni

Hi

On your ASA, you have a NAT exemption today that looks like:

nat (inside,outside) source static USERS-SUBNET USERS-SUBNET destination static REMOTE-LAN REMOTE-LAN

You should modify it as:

nat (inside,outside) source static USERS-SUBNET USERS-NEW-SUBNET destination static REMOTE-LAN REMOTE-LAN

You don't need to modify anything internally; just modify the NAT so that your local users appear with the new subnet.

The new USERS-NEW-SUBNET would be a new object group configured as subnet.

Hope this is clear.

Thanks 

PS: Please don't forget to rate and mark as correct answer if this solved your issue 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

This is what I was thinking; however, given that his real network is a /24 and the mapped network will be a /29, there may be capacity issues.

Typically in this situation, it will match the last octet.

With the /29, you don't have many IPs to NAT to when considering 1:1 NAT (just 8!).

If you will always initiate the traffic and only you need to access the business partner network (as opposed to them initiating connections to you), then PAT will work. You can use a pool, perhaps.

However, I don't think the initial suggestion of simply mapping a /24 to a /29 is going to work, though I don't base that on direct experience, as I have never tried it and have always avoided it.

Hey,

You're right, I've not seen that the destination mapped network was a /29.

Then in that case you can use dynamic instead of static, but you can run out of available IPs if everyone is going to mount a session.

You can mix a dynamic NAT + PAT. I'll copy the Cisco doc link instead of retyping all commands:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_objects.html

Sorry again for that mistake. I'm answering every post through my mobile and I missed the /29.

I've never had the opportunity to test it with L2L vpn but it should work 

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue 

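A worked configuration for the dynamic NAT/PAT approach discussed in the two replies above, written as an added example for this thread (it is not from the thread or from Cisco's documentation). It assumes ASA 8.3+ twice-NAT syntax, the addresses given in the question (10.1.1.0/24 local, 192.168.10.0/24 remote, 10.20.30.0/29 partner-assigned), and a hypothetical PAT address 10.20.30.2 and crypto ACL name PARTNER-VPN.

```cisco
! Added example, not from the thread. Assumes ASA 8.3+ twice NAT.
! Addresses come from the question; 10.20.30.2 is a hypothetical pick
! from the partner-assigned /29 used as the single PAT address.
object network USERS-SUBNET
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.10.0 255.255.255.0
object network PARTNER-PAT
 host 10.20.30.2

! Translate only traffic destined for the partner LAN; all other flows keep
! their existing NAT behaviour. Dynamic PAT lets all 254 internal hosts share
! one /29 address, so the 8-address pool is no longer a capacity limit, but
! sessions can then only be initiated from this side (not by the partner).
! Twice-NAT rules are matched top-down, so this rule must sit above any
! broader rule that also covers 10.1.1.0/24.
nat (inside,outside) source dynamic USERS-SUBNET PARTNER-PAT destination static REMOTE-LAN REMOTE-LAN

! The ASA translates before it encrypts, so the crypto ACL (interesting
! traffic) must match the post-NAT source: the mapped /29, not 10.1.1.0/24.
! PARTNER-VPN is a hypothetical name; bind it to the existing crypto map
! entry for this peer with "match address PARTNER-VPN".
access-list PARTNER-VPN extended permit ip 10.20.30.0 255.255.255.248 192.168.10.0 255.255.255.0

! Verification: the NAT phase should show the source rewritten to 10.20.30.2
! and the VPN phase should match the crypto ACL (source port is arbitrary).
packet-tracer input inside tcp 10.1.1.10 12345 192.168.10.5 443
```

If the partner ever needs to initiate connections to specific internal hosts, those hosts would need static 1:1 entries in the /29 instead, which is where the 8-address limit comes back.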

Hi supportlan and David99,

Thanks for your answers. However, to be more accurate, I have created another thread with more precise nets and my own NAT Statements. Could you guys have a look there and please give suggestions. Here is the link to new thread:

https://supportforums.cisco.com/discussion/13058566/nat-ipsec-s2s-tunnel-after-using-anyconnect-ra-ssl-vpn

This thread can then be closed.

Thanks and Regards,
