Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
15538
Views
0
Helpful
5
Replies

Destination NAT over VPN on ASA

Go to solution
ncustodio
Level 1
Level 1

‎05-28-2010 11:11 AM

My heading may not make any sense and depending on the perspective it could either be a source or destination NAT.  Whatever it maybe here is my scenario.

My environment has just about 100 IPSec L2L tunnels to our customers.  The customers have a server that we need access to, hence the VPN tunnel.  As our business grows and we add more customers overlapping IP address of customer servers will become a common issue.  That way I get around it now is I ask the customer to Policy NAT their source IP address of their server to a public address which is then encrypted and sent over the VPN tunnel.  I have been getting some resistance from customer on this mainly because they don’t want to use a public IP address or don’t know how to policy nat or it’s just not possible in there scenario.  So I’m tossing around the idea of controlling the NAT of the customers server on my end.  The big question here is, can the ASA NAT the source address of a particular host coming across a VPN tunnel (Outside Interface) going to my (Inside interface).  If so it will allow me to control the customers host IP address such that it will never overlap  I hope I made sense here, if I need to draw a diagram and can do one quickly.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
gatlin007
Level 4
Level 4

‎05-28-2010 01:10 PM

This absolutely makes sense and is becoming more and more of an issue in enterprise networks.  You can NAT the customer addresses after the packets are decrypted.

Your internal network: 10.1.1.0/24
Customer encrypted network: 10.2.2.0/24

You discover 10.2.2.0/24 in your enterprise routing table and determine there is an overlapping IP address problem.

Build the IPSEC rules (Interesting traffic selection) to account for the addresses the customer will send through the tunnel.  Then install the following static in based on 172.16.1.0/24 not being currently used in your network.

static (outside,inside) 172.16.1.0 10.2.2.0 255.255.255.0

# If a route is needed install this static – may need to redistribute
# into the IGP.
route outside 172.16.1.0 255.255.255.0


Christopher Gatlin
http://www.travelingtech.net

View solution in original post

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎05-28-2010 01:14 PM

Hi,

Sure you can..

For example let' say you have this:

Your inside LAN = 10.0.0.0/8

Remote Site1 internal LAN = 10.1.1.0/24

Remote Site2 internal LAN = 10.2.2.0/24

To avoid the overlapping problem in this scenario normally the Policy NAT is done on the remote end.

However, if not wanted to do it on the remote end, you can do it on your side (asuming you want to NAT the remote 10.1.1.0/24 to 192.168.1.0/24 and 10.2.2.0/24 to 192.168.2.0/24)

static (out,in) 10.1.1.0 192.168.1.0 netmask 255.255.255.0

static (out,in) 10.2.2.0 192.168.2.0 netmask 255.255.255.0

In this case your internal 10.0.0.0/8 will see both remote LANs as 192.168.x.0

Federico.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
gatlin007
Level 4
Level 4

‎05-28-2010 01:10 PM

This absolutely makes sense and is becoming more and more of an issue in enterprise networks.  You can NAT the customer addresses after the packets are decrypted.

Your internal network: 10.1.1.0/24
Customer encrypted network: 10.2.2.0/24

You discover 10.2.2.0/24 in your enterprise routing table and determine there is an overlapping IP address problem.

Build the IPSEC rules (Interesting traffic selection) to account for the addresses the customer will send through the tunnel.  Then install the following static in based on 172.16.1.0/24 not being currently used in your network.

static (outside,inside) 172.16.1.0 10.2.2.0 255.255.255.0

# If a route is needed install this static – may need to redistribute
# into the IGP.
route outside 172.16.1.0 255.255.255.0


Christopher Gatlin
http://www.travelingtech.net

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎05-28-2010 01:14 PM

Hi,

Sure you can..

For example let' say you have this:

Your inside LAN = 10.0.0.0/8

Remote Site1 internal LAN = 10.1.1.0/24

Remote Site2 internal LAN = 10.2.2.0/24

To avoid the overlapping problem in this scenario normally the Policy NAT is done on the remote end.

However, if not wanted to do it on the remote end, you can do it on your side (asuming you want to NAT the remote 10.1.1.0/24 to 192.168.1.0/24 and 10.2.2.0/24 to 192.168.2.0/24)

static (out,in) 10.1.1.0 192.168.1.0 netmask 255.255.255.0

static (out,in) 10.2.2.0 192.168.2.0 netmask 255.255.255.0

In this case your internal 10.0.0.0/8 will see both remote LANs as 192.168.x.0

Federico.

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Federico Coto Fajardo

‎05-28-2010 01:16 PM

Sorry...

static (out,in) 192.168.1.0 10.1.1.0  netmask 255.255.255.0

static (out,in) 192.168.2.0 10.2.2.0  netmask 255.255.255.0

Federico.

0 Helpful

Go to solution
Binoy
Level 1
Level 1
In response to Federico Coto Fajardo

‎08-16-2018 06:39 AM

what should be the crypto ACL in that case? whether we need to add any route anywhere for the remote nework?

0 Helpful

Go to solution
ncustodio
Level 1
Level 1

‎06-01-2010 07:31 AM

Thanks for the help guys.  I will be testing that out sometime this week or next.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents