asa 8.4(1) source-nat over site-to-site vpn

Thompso7540_2
Level 1

I am setting up a site-to-site VPN tunnel and require NAT for the local and remote side. The remote side will NAT to 10.2.255.128/25 on their side before they reach our network, so I will only need to source-NAT our servers through the tunnel to them. Do I just have to make static NATs and then allow the entire subnet through the interesting-traffic ACL like the config below? I don't believe I have to use twice-NAT because I'm not trying to perform destination NAT on this firewall. The servers at our side will communicate with 10.2.255.128/25 and I want to preserve that through the ASA.

object network ServerA
 host 10.1.0.1
 nat (inside,outside) static 10.2.255.1
object network ServerB
 host 10.1.0.2
 nat (inside,outside) static 10.2.255.2
object network ServerC
 host 10.1.0.3
 nat (inside,outside) static 10.2.255.3
object-group network LOCAL_SUBNET
 network-object 10.2.255.0 255.255.255.128
object-group network REMOTE_SUBNET
 network-object 10.2.255.128 255.255.255.128
access-list VPN_ACL extended permit ip object-group LOCAL_SUBNET object-group REMOTE_SUBNET

thanks,

Accepted Solution

jj27
Spotlight

Your configuration looks correct, but I have a couple of comments. Remember that NAT occurs before routing so your servers will be translated to 10.2.255.2 and 10.2.255.3 and then sent across the tunnel so your encryption domain is correct.

Is this your internet firewall as well? What about your servers going out to the internet? They will be NATed to 10.2.255.2 and 10.2.255.3 and that will fail as far as internet routing is concerned. If those servers reach the internet through the firewall I would recommend a configuration like this for each of your servers:

object network ServerA_NAT
 host 10.2.255.1
nat (inside,outside) source static ServerA ServerA_NAT destination static REMOTE_SUBNET REMOTE_SUBNET

This will use destination based NAT for the VPN traffic and NAT everything else to a public IP for internet traffic. Of course, if this is not your internet firewall then disregard.
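As an added illustration (not from the thread, and not Cisco code), the following Python model walks an ASA 8.3+ NAT table the way the accepted answer relies on: manual/twice NAT (section 1) is evaluated before object NAT (section 2), first match wins, and the crypto ACL sees the post-NAT source. It contrasts the original object-NAT-only design with the answer's destination-keyed twice NAT; the public address 203.0.113.10 and the "everything else to the public IP" rule are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class NatRule:
    """One ASA NAT rule reduced to what this thread needs.
    section: 1 = manual/twice NAT (evaluated first), 2 = object NAT.
    dest: destination condition; object NAT has none, so it matches any.
    """
    section: int
    real_src: str
    mapped_src: str
    dest: str = "0.0.0.0/0"


def translate_source(rules, src, dst):
    """Return the post-NAT source address for a flow src -> dst.

    The ASA walks section 1 top-down, then section 2; the first rule whose
    real source and destination both match wins.  sorted() is stable, so
    manual rules keep their configured order within section 1.
    """
    for rule in sorted(rules, key=lambda r: r.section):
        if (ip_address(src) in ip_network(rule.real_src)
                and ip_address(dst) in ip_network(rule.dest)):
            return rule.mapped_src
    return src  # no matching rule: the source is forwarded untranslated


LOCAL_SUBNET = "10.2.255.0/25"     # mapped side of our servers (from the thread)
REMOTE_SUBNET = "10.2.255.128/25"  # remote side's NAT range (from the thread)
PUBLIC_IP = "203.0.113.10"         # constructed placeholder outside address

# Original post: one object NAT per server, no destination condition.
OP_RULES = [NatRule(2, "10.1.0.1/32", "10.2.255.1")]

# Accepted answer: twice NAT keyed on the VPN destination, plus an assumed
# section-2 rule that carries everything else to the public address.
ANSWER_RULES = [
    NatRule(1, "10.1.0.1/32", "10.2.255.1", REMOTE_SUBNET),
    NatRule(2, "10.1.0.1/32", PUBLIC_IP),
]


def in_encryption_domain(mapped_src, dst):
    """VPN_ACL is matched on the post-NAT source: NAT runs before routing and crypto."""
    return (ip_address(mapped_src) in ip_network(LOCAL_SUBNET)
            and ip_address(dst) in ip_network(REMOTE_SUBNET))
```

With the original rules, an internet-bound packet from ServerA leaves as 10.2.255.1 as well, which is the routing failure jj27 describes; with the answer's rules only VPN-bound traffic is mapped into LOCAL_SUBNET.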

3 Replies


This is a dedicated VPN environment. So if this server has a packet here, it will definitely go out the VPN; we have another firewall/routing point downstream from this that would route internet traffic to a different place.

Cool. Thanks for verifying and thanks for the policy-based destination example.

Gotcha. Thanks for confirming. Good luck!