Allowing NAT Exemption and Policy NAT traffic in same Site to Site VPN Tunnel

Hello,

We have Site to Site VPN connectivity with one of our partners. We are trying to leverage the access further, as per the details below:

1.) When Remote A users want to access the Remote B servers, it will be source NATed at Remote A.

2.) When Remote A servers want to access the Remote B servers, it will be no NAT.

3.) When Remote B users want to access the Remote A servers, it will be source NATed at Remote B.

4.) When Remote B servers want to access the Remote A servers, it will be no NAT.

My big query is this:

In the encryption domain ACL at remote site A, I have to allow access from the same remote site subnets to my no-NAT server IPs as well as to the source-NATed public IP, in the same ED ACL.

Will it cause any issues, or will it work out?

Ex: (ED ACL)

****

ip access-list extended test

10 permit ip 10.10.0.0 0.0.0.255 192.0.0.0 0.0.255.255 --> For server to server communication (no NAT traffic)

20 permit ip host 200.10.1.1 192.0.0.0 0.0.255.255 --> From users to server communication (source NATed traffic)

2 Replies

Hi,
For #3 - You would need another ACL entry for the Remote B users' NAT IP address to the Remote A servers' network. You would also obviously need to define the correct NAT exemption rules as well.

HTH

I have 4 subnets at Remote A:

10.10.0.0/16 - Server
10.20.0.0/16 - Server
172.12.0.0/24 - User subnet
172.18.0.0/24 - User subnet

Remote B subnet:
192.0.0.0/16

Consider that my route and NAT statements at Remote A are as follows:

Note: the Remote A and Remote B subnets do not overlap.

ip route 192.0.0.0 255.255.0.0 VPN Gateway

ip access-list extended NAT_ACL
permit ip 172.12.0.0 0.0.0.255 192.0.0.0 0.0.255.255
permit ip 172.18.0.0 0.0.0.255 192.0.0.0 0.0.255.255


ip nat pool NAT_IP 200.10.1.1 200.10.1.1 prefix-length xx
ip nat inside source list NAT_ACL pool NAT_IP vrf HHBP overload


ip access-list extended test
10 permit ip 10.10.0.0 0.0.0.255 192.0.0.0 0.0.255.255 --> For server to server communication (no NAT traffic)
15 permit ip 10.20.0.0 0.0.0.255 192.0.0.0 0.0.255.255 --> For server to server communication (no NAT traffic)
20 permit ip host 200.10.1.1 192.0.0.0 0.0.255.255 --> From users to server communication (source NATed traffic)
25 permit ip 192.0.0.0 0.0.255.255 host 89.11.1.1 --> Allow access from remote site B users (source NATed at their Remote B end)


I would like to know whether there will be any issue/impact in implementing the above scenario, because I am not using a NAT exemption statement, only doing policy NAT for certain traffic and leaving all the other traffic plain, without NAT. Will this create any issue for the Site to Site VPN tunnel?

Also, will using the same subnet (192.0.0.0/16) for both the NAT and no-NAT entries in the encryption domain ACL create any issue?

Please share your thoughts with me.
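As an added check that is not code from the thread: a small Python model of the IOS inside-to-outside order (policy NAT first, then the crypto ACL evaluated on the translated header), plus the mirrored check a decrypted inbound packet must pass, using the NAT ACL, pool and crypto ACEs exactly as posted above with their wildcards. The host addresses in the calls at the bottom are constructed samples.

```python
import ipaddress

def wc(net, wildcard):
    """Convert an IOS network/wildcard pair into an IPv4Network (wildcard = inverted mask)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{net}/{mask}", strict=False)

# Remote A side, transcribed from the config posted in the thread.
REMOTE_B = wc("192.0.0.0", "0.0.255.255")
NAT_ACL = [(wc("172.12.0.0", "0.0.0.255"), REMOTE_B),   # ip access-list extended NAT_ACL
           (wc("172.18.0.0", "0.0.0.255"), REMOTE_B)]
NAT_POOL = ipaddress.IPv4Address("200.10.1.1")          # ip nat pool NAT_IP (overload)

# Crypto (encryption domain) ACL "test": (seq, local side, remote side), as posted.
CRYPTO_ACL = [
    (10, wc("10.10.0.0", "0.0.0.255"), REMOTE_B),
    (15, wc("10.20.0.0", "0.0.0.255"), REMOTE_B),
    (20, wc("200.10.1.1", "0.0.0.0"), REMOTE_B),
    (25, REMOTE_B, wc("89.11.1.1", "0.0.0.0")),
]

def translate(src, dst):
    """Policy NAT inside->outside: only flows permitted by NAT_ACL get the pool address."""
    if any(src in s and dst in d for s, d in NAT_ACL):
        return NAT_POOL
    return src

def outbound(src, dst):
    """Inside->outside on IOS: NAT runs first, so the crypto ACL sees the translated source.
    Returns (source as seen by the crypto map, matching ACE seq or None)."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    post_nat = translate(src, dst)
    for seq, local, remote in CRYPTO_ACL:
        if post_nat in local and dst in remote:
            return str(post_nat), seq
    return str(post_nat), None   # None: outside the encryption domain, forwarded in clear

def inbound(src, dst):
    """A decrypted outside->inside packet must match an ACE mirrored (remote as source)."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for seq, local, remote in CRYPTO_ACL:
        if src in remote and dst in local:
            return seq
    return None   # None: dropped, the packet does not match the tunnel's proxy identity

if __name__ == "__main__":
    for flow in [("172.12.0.5", "192.0.1.10"), ("10.10.0.7", "192.0.1.10"),
                 ("10.10.5.7", "192.0.1.10")]:          # constructed sample hosts
        print("outbound", flow, "->", outbound(*flow))
    print("inbound ('89.11.1.1', '10.10.0.7') ->", inbound("89.11.1.1", "10.10.0.7"))
```

A `None` from `outbound` means the flow would leave the router unencrypted; a `None` from `inbound` means the decrypted packet would be discarded. Note in particular what the run reports for a server in 10.10.0.0/16 that lies outside the 0.0.0.255 wildcard, and for the Remote B NAT address 89.11.1.1 reaching a Remote A server.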