v9.4 static policy-nat for VPN

pwmsonpbs
Level 1

I'm trying to wrap my head around the new NAT in v8.4 and greater - specifically 9.4.
For a VPN policy I need to NAT hosts before encryption.
I have a need to upgrade a 5510 running 8.2(5) and one of the issues is NAT.
I'm familiar with 8.2 policy-nat in this situation.

Example Local to Global Translation
NAT 10.1.1.1 to 20.1.1.1
NAT 10.1.1.2 to 20.1.1.2
!
object network Local-10.1.1.1_32
 host 10.1.1.1
object network Global-20.1.1.1_32
 host 20.1.1.1
!
object network Local-10.1.1.2_32
 host 10.1.1.2
object network Global-20.1.1.2_32
 host 20.1.1.2

object-group network LocalHosts
 network-object object Local-10.1.1.1_32
 network-object object Local-10.1.1.2_32
object-group network GlobalHosts
 network-object object Global-20.1.1.1_32
 network-object object Global-20.1.1.2_32
!
object network RemoteNET-30.1.1.0_24
 subnet 30.1.1.0 255.255.255.0

In the simple case of just one host to translate I have before my auto NAT:
nat (inside,outside) 1 source static Local-10.1.1.1_32 Global-20.1.1.1_32 destination static RemoteNET-30.1.1.0_24 RemoteNET-30.1.1.0_24

Since the above is not identity-nat I can't add no-proxy-arp route-lookup to the end.

Also the 'match address' ACL in the crypto map would look like:
access-list Global-2-Remote extended permit ip object-group GlobalHosts object RemoteNET-30.1.1.0_24


So my question is do I just add more NAT statements for each additional Local/Global pair or can I use an object-group(s) in one NAT statement?

Thanks for your help.

4 Replies

If each Local/Global pair has its own translation, then you need one NAT-entry for each element. But all systems that share the same NAT (or NAT exemption) can be grouped into an object-group.

I do have more that one remote network for each VPN policy so I know I can create an object-group for them:

nat (inside,outside) 1 source static LOCAL GLOBAL destination static ALLREMOTEs ALLREMOTEs

I understand the separate NAT-entry for each Local/Global pair (as I posited), but I'm not following you about the object-grouping. Can you elaborate on that with an example?

An example could be that you want to exempt all traffic from NAT that uses private addresses. There you have an object-group with three entries:

object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

This object-group can be used in a NAT-statement to exempt the traffic from NAT regardless of whether it's a 10/8, 172.16/12 or 192.168/16 address:

nat (any,outside) source static RFC1918 RFC1918 destination static RFC1918 RFC1918 no-proxy-arp route-lookup
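The two patterns in this thread (one `source static` entry per Local/Global pair for the VPN, and one grouped identity-NAT entry for the RFC1918 exemption) as a small Python generator. This is an added example, not code from the thread or from Cisco; the function names and the `ALLREMOTEs` group name are assumptions, and the addresses are the ones used above.

```python
import ipaddress

def obj_name(prefix, net):
    """Name objects the way the thread does, e.g. Local-10.1.1.1_32."""
    n = ipaddress.ip_network(net, strict=False)
    return f"{prefix}-{n.network_address}_{n.prefixlen}"

def obj_def(name, net):
    """'object network' stanza: host for a /32, subnet otherwise."""
    n = ipaddress.ip_network(net, strict=False)
    body = (f" host {n.network_address}" if n.prefixlen == 32
            else f" subnet {n.network_address} {n.netmask}")
    return [f"object network {name}", body]

def vpn_nat_config(pairs, remote_nets, ifaces=("inside", "outside")):
    """Static NAT is one-to-one, so each Local/Global pair gets its own
    manual NAT line; the remote networks share one destination group."""
    if len({g for _, g in pairs}) != len(pairs):
        raise ValueError("mapped (Global) addresses must be unique")
    lines, global_names, remote_names = [], [], []
    for local, glob in pairs:
        l, g = obj_name("Local", local), obj_name("Global", glob)
        lines += obj_def(l, local) + obj_def(g, glob)
        global_names.append(g)
    for r in remote_nets:
        remote_names.append(obj_name("RemoteNET", r))
        lines += obj_def(remote_names[-1], r)
    lines.append("object-group network GlobalHosts")
    lines += [f" network-object object {g}" for g in global_names]
    lines.append("object-group network ALLREMOTEs")
    lines += [f" network-object object {r}" for r in remote_names]
    # Manual (twice) NAT lands in section 1, ahead of object (auto) NAT.
    for local, glob in pairs:
        lines.append(f"nat ({ifaces[0]},{ifaces[1]}) source static {obj_name('Local', local)} "
                     f"{obj_name('Global', glob)} destination static ALLREMOTEs ALLREMOTEs")
    # crypto-map match ACL uses the translated (Global) addresses
    lines.append("access-list Global-2-Remote extended permit ip object-group GlobalHosts object-group ALLREMOTEs")
    return lines

def nat_exempt_config(group, nets, ifaces=("any", "outside")):
    """Identity NAT for a whole group: one line covers every member, and
    no-proxy-arp route-lookup is valid because real and mapped are the same."""
    lines = [f"object-group network {group}"]
    for net in nets:
        n = ipaddress.ip_network(net, strict=False)
        lines.append(f" network-object {n.network_address} {n.netmask}")
    lines.append(f"nat ({ifaces[0]},{ifaces[1]}) source static {group} {group} "
                 f"destination static {group} {group} no-proxy-arp route-lookup")
    return lines
```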

Hello Karsten! Does the NAT exemption mechanism translate an address into itself, or does it not translate at all?
