s2s VPN with double NATs in 8.3

joerggrau
Level 1

I am moving an existing VPN tunnel from an 8.0(4) ASA to an 8.3(2) ASA appliance and the previous config will not translate over.

In the existing tunnel I am using both Internal NATs to get to the other end of the tunnel and external NATs for the customer to get to internal hosts.

In essence the configuration is like this:

Internal host --> customer server:

SRC 1.51.6.5  --> DST 1.51.6.34

--> After NATing:

SRC 8.8.8.132 DST 140.140.140.1

I have a route that sends all traffic bound to 140.140.140.1 via the VPN peer address, which in 8.0(4) results in the traffic being shoved into the VPN tunnel.  In 8.3 the same does not work.

Packet traces show that the VPN lookup is not performed until I add the real SRC IPs into the crypto map, which I am trying to avoid as our customer would have to add it into their crypto map and it would defeat the whole idea of NATing in the first place!

I have looked all over the Internet, but cannot find anything besides explanations on how NAT is now different.

Any help would be appreciated.

Thanks

Joerg

1 Reply

Yudong Wu
Level 7

In 8.3, you should use the real IP in the ACL instead of the NAT-ed IP.

For example, you have a static NAT to NAT 1.1.1.1 to a public IP. Pre-8.3, when you want to permit the incoming traffic to this host, you use the public IP in the ACL. But in 8.3, you should use 1.1.1.1.

So you have to use the real IP even if it has been NAT-ed. You should see NAT happening in your packet-tracer output; on the remote end, they should see the NAT-ed IP instead of the real IP.
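The change Yudong describes, written out as ASA configuration. This is an editorial example added to the thread, not configuration posted by either participant. The first part shows the same static NAT and inbound ACL in pre-8.3 and 8.3 syntax; the second part writes the poster's source-plus-destination translation as 8.3 manual (twice) NAT using the addresses from the question. The object names, the 203.0.113.10 mapped address and the TCP ports are assumptions.

```cisco
! --- Static NAT for an inbound-reachable host: pre-8.3 versus 8.3 ---

! Pre-8.3: the interface ACL names the mapped (public) address.
! 203.0.113.10 is an assumed public address.
static (inside,outside) 203.0.113.10 1.1.1.1 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-group OUTSIDE_IN in interface outside

! 8.3: the same translation as object NAT. The interface ACL now
! names the real address 1.1.1.1, because ACLs are evaluated against
! untranslated addresses. The mapped address appears only in the
! nat statement.
object network WEB_SERVER
 host 1.1.1.1
 nat (inside,outside) static 203.0.113.10
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.1 eq 80
access-group OUTSIDE_IN in interface outside

! --- The poster's double NAT as 8.3 manual (twice) NAT ---
! Addresses are the ones from the question; object names are assumed.
! Source side: real object first, mapped object second.
! Destination side: the address the inside host sends to (mapped)
! first, the address the customer really owns (real) second.
object network INSIDE_HOST_REAL
 host 1.51.6.5
object network INSIDE_HOST_MAPPED
 host 8.8.8.132
object network CUST_SERVER_MAPPED
 host 1.51.6.34
object network CUST_SERVER_REAL
 host 140.140.140.1
nat (inside,outside) source static INSIDE_HOST_REAL INSIDE_HOST_MAPPED destination static CUST_SERVER_MAPPED CUST_SERVER_REAL

! Because the rule is static it is bidirectional: the customer at
! 140.140.140.1 reaching 8.8.8.132 is translated to 1.51.6.34 -> 1.51.6.5,
! which covers the "external NAT" direction from the question as well.

! --- Check: trace an inside host reaching the customer server ---
! Ports 1025 and 443 are assumed sample values.
packet-tracer input inside tcp 1.51.6.5 1025 1.51.6.34 443 detailed
```

The packet-tracer output lists each phase the packet passes through. The NAT phase should show 1.51.6.5 -> 8.8.8.132 and 1.51.6.34 -> 140.140.140.1; the crypto map ACL is left out here because the thread does not settle which addresses it should carry on 8.3, but whatever addresses the packet holds when the VPN phase is reached are the ones that ACL has to match, and the trace shows them directly.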
