ASA using double NAT on one end of IPsec tunnel for IP subnet change

tryingtofixit
Level 1

I have an existing 10.5.0.0/24 subnet with servers on it that vendors contact via IPsec tunnel. Their destination is our server on the 10.5.0.x subnet.

We need to change our internal IPs from 10.5.0.0/24 to 10.10.116.0/24 but not have the vendors on their side of the tunnel make changes. Vendors on the other side of the IPsec tunnel will still be contacting the 10.5.0.0/24 subnet.

We want to use a double NAT on our side to convert the 10.5.0.x to a 10.10.0.x IP. I need 1-to-1 NATs; I can't NAT the entire subnet.

object network existingwebv01
host 10.5.0.245
description existingwebv01

object network obnat-10.10.116.130
host 10.10.116.130
description new nat for internal existing webv01

nat (inside,inside) source static existingwebv01 obnat-10.10.116.130 no-proxy-arp route-lookup

Would this be all that is required?

When the server replies back from 10.10.116.130, will the inside/inside NAT handle the reverse translation, or do I have to flip it?

nat (inside,inside) source static obnat-10.10.116.130 existingwebv01 no-proxy-arp route-lookup

Thanks
1 Accepted Solution

The correct NAT will be

nat (inside,Outside) source static existingwebv01 obnat-10.10.116.130 Remote-LAN Remote-LAN

Also don't forget to configure the IPsec ACL using the mapped IP, not the real IP.

MHM

8 Replies

I already have NAT statements that take groups of servers and "no NAT" them so they can go down the tunnel as 10.5.x.x.

Vendors on the other end should NOT get a 10.10.116.x IP; they should continue to get the old 10.5.x.x IP.

I already have NAT statements that allow the 10.5.x.x down the tunnels as 10.5.x.x to the vendors' endpoints.

Thanks for the link. We need to change IPs on servers that live on the 10.5.0.0/24 network to 10.10.116.0/24. These servers are already NATed and being contacted by vendors on the other side of the IP tunnel.

Changing IPs would require a re-do of crypto maps, routes, etc. So we want to keep the old IP of the server (10.5.0.0/24) and NAT it to a new 10.10.116.0/24 IP on the ASA on our side. So when a vendor contacts 10.5.0.100, it gets NATed on our firewall to 10.10.116.100. I am looking for a 1-to-1 NAT per server, not dynamically applying a NAT to a subnet range. Does that help?

nat (inside,Outside) source static obnat-10.10.116.130 existingwebv01 Remote-LAN Remote-LAN 

No need for the no-NAT any more.

This command will simply NAT the destination of traffic sent by the remote peer from subnet

object network existingwebv01
host 10.5.0.245

To 

object network obnat-10.10.116.130
host 10.10.116.130

Note: if your IPsec ACL is using the 10.5.0.245 subnet, then keep it; don't change it.

MHM

Any update?

MHM

The key part that was missing was "THE ORDER": my (inside,outside) static 1.1.1.1 2.2.2.1 has to be first, before processing the NATs that contain object groups. Nice to know: if you paste in CLI NATs with line numbers, all other NAT line numbers will be pushed down and renumbered automatically.

That's why I asked for an update. I saw your second post about NAT renumbering, so I wanted to know what exactly the issue was.

After your last reply I think I know the issue.

There are two important factors the ASA uses for the NAT run order:

1- type

2- number <<- the number here is used only if there are multiple NATs of the same type


MHM
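As an added illustration, not part of this thread or of any Cisco code, here is a small Python model of the ASA's first-match NAT lookup (section, then line number) applied to the 1:1 twice-NAT rule from the thread (real 10.10.116.130, mapped 10.5.0.245) next to a constructed identity rule for the servers still on 10.5.0.0/24. It shows why the host rule must be ordered first, and that the same static rule translates the server's reply without a flipped statement. The vendor subnet 192.0.2.0/24 and the rule names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class TwiceNat:
    """nat (inside,Outside) source static REAL_SRC MAPPED_SRC REAL_DST MAPPED_DST"""
    section: int  # 1 = manual twice NAT, 2 = object (auto) NAT, 3 = manual after-auto
    line: int     # position within the section; the ASA walks section, then line
    real_src: str
    mapped_src: str
    real_dst: str = "any"
    mapped_dst: str = "any"
    name: str = ""

def in_net(net, ip):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def remap(ip, from_net, to_net):
    """Static NAT keeps the host offset inside the block, so /32 -> /32 is a 1:1 map."""
    if "any" in (from_net, to_net):
        return ip
    f = ipaddress.ip_network(from_net, strict=False)
    t = ipaddress.ip_network(to_net, strict=False)
    return str(t.network_address + (int(ipaddress.ip_address(ip)) - int(f.network_address)))

def nat_lookup(rules, src, dst, inbound):
    """First matching rule wins. inbound=True is peer -> inside: the packet carries
    mapped addresses and the ASA substitutes real ones; outbound does the reverse."""
    for r in sorted(rules, key=lambda r: (r.section, r.line)):
        if inbound and in_net(r.mapped_dst, src) and in_net(r.mapped_src, dst):
            return remap(src, r.mapped_dst, r.real_dst), remap(dst, r.mapped_src, r.real_src), r.name
        if not inbound and in_net(r.real_src, src) and in_net(r.real_dst, dst):
            return remap(src, r.real_src, r.mapped_src), remap(dst, r.real_dst, r.mapped_dst), r.name
    return src, dst, "no match"

REMOTE = "192.0.2.0/24"  # constructed stand-in for the thread's Remote-LAN object

def build_rules(host_rule_first):
    # The thread's 1:1 rule (real 10.10.116.130, mapped 10.5.0.245) plus a constructed
    # broad identity (no-NAT) rule for the servers still living on 10.5.0.0/24.
    host = TwiceNat(1, 1 if host_rule_first else 2, "10.10.116.130", "10.5.0.245", REMOTE, REMOTE, "1:1 webv01")
    lan = TwiceNat(1, 2 if host_rule_first else 1, "10.5.0.0/24", "10.5.0.0/24", REMOTE, REMOTE, "identity /24")
    return [host, lan]

def demo(host_rule_first):
    rules = build_rules(host_rule_first)
    inbound = nat_lookup(rules, "192.0.2.10", "10.5.0.245", inbound=True)   # vendor -> old address
    reply = nat_lookup(rules, "10.10.116.130", "192.0.2.10", inbound=False)  # server reply
    return inbound, reply
```

With the identity /24 rule ahead of the host rule, the vendor's packet to 10.5.0.245 matches the broad rule first and keeps its old destination, so it never reaches the readdressed server; with the host rule first it is translated to 10.10.116.130 and the reply is mapped back to 10.5.0.245.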