Configure NAT for object-group in 8.3

MICHAEL BURNS
Level 1

I am working on a project to simplify our routing by NAT'ing the IPs of our S2S VPN clients.  Currently, we have a bunch of routes pointing to various destinations which are created by the S2S VPNs.  I would like to NAT all of those destinations to IPs within a single subnet, but have a question regarding the configuration.

As you can see, we aren't currently NAT'ing anything:

***************************************************************************************************************************************************************

nat (inside,outside) source static OUR_HOSTS OUR_HOSTS destination static THEIR_HOSTS THEIR_HOSTS no-proxy-arp route-lookup

object-group network OUR_HOSTS

network-object object VIP1

network-object object VIP2

object network VIP1

host 10.200.125.32

object network VIP2

host 10.200.120.32

object-group network THEIR_HOSTS

network-object host 192.168.15.100

network-object host 192.168.15.130

network-object host 192.168.15.15

********************************************************************************************************************************************************************

What I would like to do is NAT the THEIR_HOSTS to a 10.200.192.x/24 address.  Can I NAT those to a single address and do NAT overload, or does there have to be an address for each of those 3 hosts?  I'm fine either way.  Whichever would be easier to do, please point me in the right direction.

Thanks!


Jouni Forss
VIP Alumni

Hi,

You would have to do 1:1 NAT for each address to keep the connectivity in its original state. Except of course the changed destination IP address to which your internal host connects.

As NAT is done before L2L VPN it means that your source address NAT (or lack of) and destination address UN-NAT is done before VPN negotiations so it shouldn't require changes to the L2L VPN configurations either.

Naturally the easiest situation is when you can NAT a complete remote network to a same sized NAT subnet. The NAT configuration will stay clearer/simpler. Naturally if some L2L VPN only has host (/32) addresses then you will need more configurations.

So I would say do 1:1 NAT for the destination addresses. Either on a per host basis if the VPN setup in question demands it or 1:1 per subnet if the situation permits.

If you are running 8.3 software then I am not sure how the NAT will perform. What I mean is that your configuration is correct but I have had problems on certain ASA software to get the NAT configuration to be matched correctly even though everything is configured correctly. If you happen to run into problems with the setup I would consider upgrading the software to 8.4(7) for example.

Hope this helps

- Jouni

Thanks, Jouni!  So, if I understand correctly, I would accomplish that by making these changes:

object network THEIR_HOST_1

  host 192.168.15.100

object network THEIR_HOST_2

  host 192.168.15.130

object network THEIR_HOST_3

  host 192.168.15.15

object network THEIR_HOST_1_NAT

  host 10.200.192.31

object network THEIR_HOST_2_NAT

  host 10.200.192.32

object network THEIR_HOST_3_NAT

  host 10.200.192.33

nat (inside,outside) source static OUR_HOSTS OUR_HOSTS destination static THEIR_HOST_1 THEIR_HOST_1_NAT no-proxy-arp route-lookup

nat (inside,outside) source static OUR_HOSTS OUR_HOSTS destination static THEIR_HOST_2 THEIR_HOST_2_NAT no-proxy-arp route-lookup

nat (inside,outside) source static OUR_HOSTS OUR_HOSTS destination static THEIR_HOST_3 THEIR_HOST_3_NAT no-proxy-arp route-lookup

Please let me know if I am on the right track.  Thanks!

Hi,

Seems otherwise fine but the "object-group" after the "destination static" are the wrong way.

First should be the "object-group" containing the NAT IP address and second the "object-group" holding the real/actual IP address of the destination host.

- Jouni

Thanks, Jouni!  I had it backwards in my feeble head.  I think this will work perfectly.
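As an added example (not from this thread or from Cisco), a small generator for the per-host 1:1 destination NAT discussed above: it checks that the mapped addresses sit inside the 10.200.192.0/24 range, are the same size as the real networks and do not collide, then renders the ASA 8.3+ objects and twice-NAT lines with the destination pair in the order Jouni describes (mapped object first, real object second). The mapped addresses and the `DEST_MAP`/`render_config` names are assumptions; it also handles same-sized subnet mappings, not just /32 hosts.

```python
import ipaddress

# Constructed example: real remote hosts from the thread mapped 1:1 to
# addresses in the 10.200.192.0/24 NAT range (mapped addresses are assumptions).
DEST_MAP = {
    "THEIR_HOST_1": ("192.168.15.100", "10.200.192.31"),
    "THEIR_HOST_2": ("192.168.15.130", "10.200.192.32"),
    "THEIR_HOST_3": ("192.168.15.15", "10.200.192.33"),
}

def validate_mapping(mapping, nat_range="10.200.192.0/24"):
    """Return a list of problems; an empty list means the 1:1 plan is consistent."""
    problems = []
    rng = ipaddress.ip_network(nat_range)
    seen = {}
    for name, (real, mapped) in mapping.items():
        r, m = ipaddress.ip_network(real), ipaddress.ip_network(mapped)
        if r.num_addresses != m.num_addresses:   # 1:1 NAT needs equal-sized blocks
            problems.append(f"{name}: real {real} and mapped {mapped} differ in size")
        if not m.subnet_of(rng):                  # mapped side must live in the NAT range
            problems.append(f"{name}: mapped {mapped} is outside {nat_range}")
        for other, (_, om) in seen.items():       # two real hosts must not share a mapped IP
            if m.overlaps(ipaddress.ip_network(om)):
                problems.append(f"{name}: mapped {mapped} overlaps {other} ({om})")
        seen[name] = (real, mapped)
    return problems

def asa_object(name, cidr):
    """Render an 'object network' block: 'host' for a /32, 'subnet' otherwise."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen == net.max_prefixlen:
        body = f"host {net.network_address}"
    else:
        body = f"subnet {net.network_address} {net.netmask}"
    return [f"object network {name}", f" {body}"]

def render_config(mapping, src_group="OUR_HOSTS", ifaces=("inside", "outside")):
    """Render objects plus one twice-NAT line per destination; raise on a bad plan."""
    problems = validate_mapping(mapping)
    if problems:
        raise ValueError("; ".join(problems))
    lines = []
    for name, (real, mapped) in mapping.items():
        lines += asa_object(name, real) + asa_object(f"{name}_NAT", mapped)
    for name in mapping:
        # Destination pair is "mapped real": the inside host targets the mapped
        # address and the ASA un-NATs it to the real remote address before the VPN.
        lines.append(f"nat ({ifaces[0]},{ifaces[1]}) source static {src_group} {src_group} "
                     f"destination static {name}_NAT {name} no-proxy-arp route-lookup")
    return "\n".join(lines)
```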