
ASA PAT on same interface.

Rohan Sonawane
Level 1

Hello,

 

We have a Cisco ASA 5510 with a Security Plus license, running Adaptive Security Appliance Software Version 7.2(5) (I know it is old).

The ASA is currently configured for remote access IPsec VPN and site-to-site IPsec VPN. Both terminate on the outside interface. There are hosts on the inside interface. There are only two interfaces on the ASA, inside and outside.

Both remote users and local hosts can reach the other end of the site-to-site VPN. Currently local users are PATed when going to the site-to-site VPN destination, whereas remote access users are allocated a pool of IP addresses, and these remote users are sent with those assigned IP addresses. Remote users have to first come to the ASA, and then the ASA forwards their packets to the site-to-site VPN destination.

My query is: can I forward remote access users to the site-to-site VPN destination with the same PATed IP as local users are sent with? Basically I'm asking for PATing on the same interface.

I would like to add that the ASA is already configured with the following:
  same-security permit intra-interface
  same-security permit inter-interface
  hairpinning

Please see attachment for n/w overview.

 

Thanks.

8 Replies

Rohan Padwal
Level 1

Hi Rohan,

 

What is your ultimate goal? I checked your topology. Do you want your RA clients to access the server behind the site-to-site VPN tunnel?

Please share the IP addresses of the users and the end server.

If you can add the IP addresses and share the config, it will be helpful.

 

Thanks

Rohan

 

Hi Rohan.

 

RA users can reach the server behind the site-to-site tunnel. The ASA forwards RA users' traffic without NAT or PAT. My goal is, I want the ASA to PAT the RA users' traffic when they are forwarded over the site-to-site tunnel. It is the same interface (outside) on which both RA users and the site-to-site tunnel are terminated.

In short, I am looking for PATing on the same interface.

 

Thank you.

Rohan

Yes, this should be configurable. Which ASA IOS are you using?

Is it 8.4x or higher, or below 8.2?

You will have to add the PATed IP of the ASA in the crypto ACL, and the same has to be done on the head-end VPN terminating device in reverse fashion.

 

Example

A - Remote access network

B - Remote end server network

C - PATed ASA IP

 

Crypto ACL on ASA

C ----->>> B

Crypto ACL on the remote end device

B ----->>> C

 

Thanks

Rohan

 

Hi Rohan,

I understand you are trying to help. But you may want to read the original post; it answers all your questions. You are advising about interesting traffic. I need a solution for a step before that, PATing.

But, to make my query clearer, please see below:

A = IP address allocated to RA by ASA.
B = site-to-site server.
C = outside interface.
P = PAT IP.
L = Local users on inside interface.

Both RA users and the site-to-site VPN tunnel are terminated on the outside interface.

CURRENT TRAFFIC FLOW.
 If A wants to go to B
    A first comes to C.
    ASA forwards A as source IP and B as destination IP.

 If L wants to go to B
    ASA does PAT and changes source IP to P and B as destination IP.

What I want.
 If A wants to go to B
    A first comes to C.
    ASA to do PAT on A to change it to P. Then ASA to forward P as source IP and B as destination IP.
 For L it should behave the same way.

Thanks.

Rohan

Hi Rohan,

 

This explanation is pretty helpful.

What you are trying to achieve is configurable :)

Which ASA IOS are you using? For 8.2 and 8.4 the NATing is different.

I will try to create the NAT statements as per your code.

Just to be on the same page, this is what you want:

When A communicates with B it will be PATed to P; this communication will be bidirectional.

 

Thanks

Rohan

 

Hi, Rohan.

 

Yes, that was my goal, and I accomplished it with policy PAT :-) .

  1. ACL - Interesting traffic.
  2. NAT - Refer to the ACL as source.
  3. Global IP - Refer to the NAT as IP before PAT.

 

Thanks for your interest in the discussion.

 

Rohan.
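As an added illustration (not configuration posted in this thread), the three steps the poster lists above, written in the pre-8.3 `nat`/`global` syntax that the poster's 7.2(5) release uses, together with the crypto ACL point raised earlier in the thread. Every address and ACL name here is an assumed placeholder: 192.168.100.0/24 for the RA pool (A), 10.20.0.0/24 for the network behind the site-to-site tunnel (B), 203.0.113.10 for the PAT address (P), and 10.1.0.0/24 for the local users (L).

```cisco
! Hairpinning: allow traffic to enter and leave the same interface (outside -> outside).
! The poster already has this on the box; shown for completeness.
same-security-traffic permit intra-interface

! Step 1. ACL - interesting traffic for policy PAT:
!         RA pool (A) sourcing traffic towards the remote server network (B).
!         Names and addresses are assumed placeholders.
access-list RA_TO_S2S extended permit ip 192.168.100.0 255.255.255.0 10.20.0.0 255.255.255.0

! Step 2. NAT - reference the ACL as the source. NAT ID 1 ties this statement to the
!         global below. Local users (L) on inside already use ID 1, so both L and A share
!         the same PAT address P.
nat (inside) 1 10.1.0.0 255.255.255.0
nat (outside) 1 access-list RA_TO_S2S

! Step 3. Global IP - the PAT address P on the outside interface for NAT ID 1.
global (outside) 1 203.0.113.10

! Crypto ACL for the site-to-site tunnel must match the post-NAT source, i.e. P -> B.
! The peer's crypto ACL is the mirror image (B -> P).
access-list L2L_TRAFFIC extended permit ip host 203.0.113.10 10.20.0.0 255.255.255.0
```

Two checks worth doing after applying something like this: `show xlate` should show translations whose global address is P for flows sourced from the RA pool, and the RA pool must not overlap any network the tunnel carries, otherwise the policy ACL and the crypto ACL start matching traffic the poster did not intend.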

 

 

 

Poonam Garg
Level 3

Hi Rohan,

 

Are you using the same IP address subnet for Remote vpn users as that of your local users?

Please share the VPN configuration, NAT/PAT and VPN ACL configuration on ASA to check the possibility.

Hello Poonam,

 

We are using a separate pool of IPs for RA.

For now, forget about the network topology. Let's start fresh. My basic query: PATing on the same interface, sort of like nat (outside,outside). Is it possible?

 

Thanks,

Rohan.