ASA1100: Is this correct IPsec VPN NAT statement?

Hello.

INTENT: On an ASA1100, create config for a successfully bi-directionally NATted IPsec VPN.

Authentic local server address = 172.16.0.1
NATted local server address as seen from the remote LAN = 10.55.0.1

Authentic remote server address = 192.168.7.7
NATted remote server address as seen from the local LAN = 10.155.7.7

nat (Inside,Outside) 7 source static host 172.16.0.1 host 10.55.0.1 destination static host 10.155.7.7 host 192.168.7.7

QUESTIONS: Is above NAT statement correct, ESPECIALLY the logic "destination static host 10.155.7.7 host 192.168.7.7"?
(or should this read "destination static host 192.168.7.7 host 10.155.7.7"?)

Thank you.

5 Replies

@jmaxwellUSAF use a network object that represents the hosts and reference the object in the NAT rule.


Understood.

What about the NAT rule logic? Could you please confirm it is correct?

QUESTIONS: Is above NAT statement correct, ESPECIALLY the logic "destination static host 10.155.7.7 host 192.168.7.7"?
(or should this read "destination static host 192.168.7.7 host 10.155.7.7"?)

@jmaxwellUSAF the logic is correct if 192.168.7.7 is the real destination IP and 10.155.7.7 is the translated destination. You must use network objects to represent each in the NAT rule. Example:

nat (inside,outside) source static ORIGINAL-SRC TRANSLATED-SRC destination static ORIGINAL-DST TRANSLATED-DST

Could you please clarify my confusion?

My config: "nat (Inside,Outside) 7 source static host 172.16.0.1 host 10.55.0.1 destination static host 10.155.7.7 host 192.168.7.7"

Currently i do NOT have "nat (inside,outside) source static ORIGINAL-SRC TRANSLATED-SRC destination static ORIGINAL-DST TRANSLATED-DST"

I currently have "nat (inside,outside) source static ORIGINAL-SRC TRANSLATED-SRC destination static TRANSLATED-DST ORIGINAL-DST" because my intent is that when my local server sends packets to this remote destination, these LAN packets will have "TRANSLATED-DST" in the destination address, and when these packets hit the VPN tunnel, I need them to change to the remote server's authentic IP address "ORIGINAL-DST".

QUESTION: Now that you understand my intent, could you tell me / confirm the correct NAT statement?

Thank you.


@jmaxwellUSAF The NAT statement is correct, just reflect the correct IP addresses in the network objects. In regard to the destination in the NAT rule, the first destination object is the IP address the clients communicate with (the real IP address of the destination), which is translated to the IP address of the second object.
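For reference, here is the complete configuration the thread is converging on, written out as an added example (it is not from any of the posts above). In ASA twice NAT syntax the source clause is "real then mapped" while the destination clause is "mapped then real", so the order in the question's statement (10.155.7.7 before 192.168.7.7) is the documented one; the objects simply replace the inline hosts as the first reply asked. The object names, the ACL name and the interface names Inside/Outside are assumptions.

```cisco
! Added example, not from the thread. Object names, ACL name and
! interface names are assumptions; the IP addresses are the ones in the question.
object network LOCAL-SRV-REAL
 host 172.16.0.1
object network LOCAL-SRV-MAPPED
 host 10.55.0.1
object network REMOTE-SRV-REAL
 host 192.168.7.7
object network REMOTE-SRV-MAPPED
 host 10.155.7.7
!
! Twice NAT: source static <real> <mapped>  destination static <mapped> <real>
! Outbound: 172.16.0.1 -> 10.155.7.7 leaves as 10.55.0.1 -> 192.168.7.7
! Inbound (static rules are bidirectional): 192.168.7.7 -> 10.55.0.1 arrives as 10.155.7.7 -> 172.16.0.1
! The line number 7 keeps this rule in section 1, ahead of any broad dynamic PAT rule.
nat (Inside,Outside) 7 source static LOCAL-SRV-REAL LOCAL-SRV-MAPPED destination static REMOTE-SRV-MAPPED REMOTE-SRV-REAL
!
! The crypto ACL is evaluated after NAT, so it must match the post-NAT addresses:
! the mapped local address and the real remote address.
access-list VPN-TO-REMOTE extended permit ip host 10.55.0.1 host 192.168.7.7
!
! Checks after applying:
!   show nat detail       - rule present in section 1, translate_hits / untranslate_hits incrementing
!   packet-tracer input Inside tcp 172.16.0.1 12345 10.155.7.7 443
!                         - NAT phase shows 10.55.0.1 -> 192.168.7.7, then the VPN phase matches
```

The remote peer's crypto ACL should be the mirror image (192.168.7.7 to 10.55.0.1); if the remote side instead expects to see 10.155.7.7 as its own address, the destination translation belongs on that side, not here.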