asa5506 inside nat question

Kevin Palivec
Level 1

Let me start by saying I don't do a lot of VPN work, so this is a little out of my wheelhouse.

The issue is:

I have a VPN tunnel between my office and a vendor. They want me to NAT a machine on my side to another IP so it won't conflict with their internal addressing. Ex: NAT 10.73.6.160 to 10.255.14.86, and the machine needs to be able to send to their internal IP of 208.78.140.29 on port 5002.

I'm doing this in ASDM with a network object NAT rule that NATs 10.73.6.160 to 10.255.14.86.

In the advanced tab, source and destination are set to inside and service is set to TCP port 5002 on real and mapped port.

 

Here's my issue: when I set the port to 5002 I get connectivity to their remote machine, but I lose internet connectivity on my machine.

If I remove the port and leave it blank, I get internet but no VPN connectivity.

 

I realize this is vague, but I'm hoping someone will understand and say "here's what you're doing wrong, dummy!!"

Kevin 

Accepted Solution

@Kevin Palivec how did you configure your NAT rule? Please provide a screenshot.

You need a Manual NAT rule: when communicating with the vendor IP address you need to translate the original IP address to the NAT address.

Here is an example from the CLI.

object network REAL
 host 10.73.6.160
object network NAT
 host 10.255.14.86
object network VENDOR
 host 208.78.140.29
!
nat (inside,outside) source static REAL NAT destination static VENDOR VENDOR

This should be checked before your NAT rule for internet access, so it would not conflict.

Your crypto ACL that defines the VPN traffic would need to reflect the NAT IP address, not the real IP address.


balaji.bandi
Hall of Fame

I'll check it out! Thanks! Hopefully it'll shed some light for me!

Kevin


Kevin Palivec
Level 1

Here is a screenshot of the NAT I've done. If I leave the ports empty I get connectivity through the tunnel but lose internet. If I add them I get internet but lose the remote host.

My hunch is that all traffic is going to the remote machine, and that's why I can ping the remote server but lose internet, and vice versa.

 

[Screenshot: Capture.PNG]

@Kevin Palivec that's because you are translating all traffic to 10.255.14.86, including traffic to the internet.

Use the example I provided above to translate traffic going to the vendor IP address. Internet traffic would not match that rule and continue to be translated by the existing NAT rule (the one that works).
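To show why the object NAT rule broke internet access and why the manual NAT rule scoped to the vendor destination fixes it, here is an added example (not from this thread, the original poster's ASA or Cisco's code). It is a simplified model of ASA NAT lookup order, with the addresses from the thread and a constructed placeholder outside-interface address:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addresses from the thread; the outside interface IP is a constructed placeholder.
REAL, NATIP, VENDOR = "10.73.6.160", "10.255.14.86", "208.78.140.29"
OUTSIDE_IF_IP = "203.0.113.10"


@dataclass
class NatRule:
    section: int            # 1 = manual (twice) NAT, 2 = object (auto) NAT
    src: str                # real source host/network the rule matches
    mapped: str             # what the source is translated to
    dst: str = "0.0.0.0/0"  # destination scope; default matches any destination
    name: str = ""


def lookup(rules, src, dst):
    """Return (mapped_source, rule_name) for a src->dst flow.

    Simplified model: Section 1 (manual NAT) is evaluated before Section 2
    (object NAT); within a section, rules are taken in list order, which here
    places the static host rule before the dynamic subnet PAT, as the ASA does.
    """
    for rule in sorted(rules, key=lambda r: r.section):
        if (ip_address(src) in ip_network(rule.src, strict=False)
                and ip_address(dst) in ip_network(rule.dst, strict=False)):
            return rule.mapped, rule.name
    return src, "no-nat"  # no translation; packet keeps its real source


# The existing, working rule: dynamic PAT of the inside subnet to the outside IP.
INTERNET_PAT = NatRule(2, "10.73.0.0/16", OUTSIDE_IF_IP, name="inside-PAT")


def broken_config():
    # The original poster's object NAT: no destination, so it matches every
    # flow from 10.73.6.160, including traffic bound for the internet.
    return [NatRule(2, REAL, NATIP, name="object-NAT-any"), INTERNET_PAT]


def fixed_config():
    # The accepted answer: manual NAT scoped to the vendor host, checked first,
    # so only vendor-bound traffic is translated to 10.255.14.86.
    return [NatRule(1, REAL, NATIP, dst=VENDOR, name="manual-NAT-vendor"), INTERNET_PAT]


if __name__ == "__main__":
    for label, cfg in (("broken", broken_config()), ("fixed", fixed_config())):
        for dst in (VENDOR, "8.8.8.8"):
            print(label, REAL, "->", dst, "=>", lookup(cfg, REAL, dst))
```

In the broken configuration the internet-bound flow is also sourced from 10.255.14.86, an address the upstream router cannot return traffic to; in the fixed one it falls through to the existing PAT rule.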

YES!! That fixed my issue! I knew it was something dumb I was doing!

Thanks!! I've been beating my head on this for a week! I learned something new!

Kevin

Can you share show run nat?

I think there is additional work here; anyway, if you face any issue, share show run nat here.
Good luck