CiscoBlueBelt_Stripe
Frequent Contributor

Best way to NAT multiple hosts to an allowed source host for IPSEC tunnel on ASA

Ok, let's say that I want to just NAT some internal hosts to an object_30.1.1.1, which is the local allowed IP for the IPSEC ACL on the local ASA, so the remote ASA does not have to be changed. What is the best way to do it?

Should I create an object with a subnet range for the hosts if they are all in the same subnet?
What if they are all different IPs, or they may need to change or be removed? Should I just create an object for each host and configure NAT under the object as below?

object network NAT_Host_IPSEC
 nat (Inside,Outside) static object_30.1.1.1 no-proxy-arp
object network NAT_Host2_IPSEC
 nat (Inside,Outside) static object_30.1.1.1 no-proxy-arp
etc. etc.

 

Or configure globally:

nat (Inside,Outside) source static NAT_Host_IPSEC object_30.1.1.1 destination static SiteB_LAN SiteB_LAN no-proxy-arp

nat (Inside,Outside) source static NAT_Host2_IPSEC object_30.1.1.1 destination static SiteB_LAN SiteB_LAN no-proxy-arp

etc. etc.

Is my NAT syntax even right?

 

Configs of local ASA with IPSEC tunnel:

ASA1:
crypto ikev2 policy 3
encryption aes
integrity sha
group 3
lifetime seconds 86400
exit
crypto ipsec ikev2 ipsec-proposal PH-4
protocol esp encryption aes-256
protocol esp integrity sha-1
exit
tunnel-group 20.20.20.20 type ipsec-l2l
tunnel-group 20.20.20.20 ipsec-attributes
ikev2 local-authentication pre-shared-key ccdp*123
ikev2 remote-authentication pre-shared-key ccdp*123
exit

access-list VPN_SiteB_ACL extended permit ip object object_30.1.1.1 object SiteB_Internal_Lan log info
crypto map ASA1-MAP_SiteB 1 match address VPN_SiteB_ACL
crypto map ASA1-MAP_SiteB 1 set peer 20.20.20.20
crypto map ASA1-MAP_SiteB 1 set ikev2 ipsec-proposal PH-4
crypto map ASA1-MAP_SiteB interface Outside
crypto ikev2 enable Outside

sysopt connection permit-vpn

 

6 REPLIES
Rob Ingram
VIP Mentor

Hi,

I would group those network objects and use the network object group as the original source in the nat rule. This way you only have one NAT entry and any modifications you just add the network object to the group. The translated source would still be your object_30.1.1.1 object.

 

object-group network NAT_HOSTS_GROUP
 network-object object NAT_Host_IPSEC
 network-object object NAT_Host2_IPSEC

nat (INSIDE,OUTSIDE) source static NAT_HOSTS_GROUP object_30.1.1.1 destination static SiteB_LAN SiteB_LAN

 

HTH

Awesome thanks!

 

Do you happen to know what options I would choose if doing this from ASDM? See attached.

Also, this could be implemented on a VPN connection without negative impact correct?

Awesome. Do you happen to know how to configure this via ASDM? Do I choose just "Add Object NAT"? see attachment.

Also, there should not be any negative impact implementing this while IPSEC tunnels are in use correct?

Choose - Add NAT rule before "NAT object" NAT rules, then:

-Original packet-

Source address: NAT_HOSTS_GROUP

Destination address: SiteB_Internal_Lan 

-Translated packet-

Source NAT type: Dynamic PAT hide

Source address: object_30.1.1.1 

Destination address: SiteB_Internal_Lan 

Run a packet tracer to confirm the NAT rule is picked when the proxy ACL gets hit.

HTH.
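The grouped manual NAT rule above, and the packet-tracer check Rob recommends, can be reasoned about with a small model of how the ASA evaluates NAT: section 1 (manual/twice NAT, which has a destination condition) is walked first-match, then section 2 (object NAT, which has no destination condition), and only the translated packet is compared with the crypto ACL to decide whether it is interesting traffic. The following is an added example, not code from the thread or from Cisco; 30.1.1.1 (object_30.1.1.1) and the ACL shape come from the thread, while the host addresses 10.1.1.10, 10.1.1.11, 10.2.2.5, the SiteB LAN 192.168.20.0/24 and the Internet address 203.0.113.9 are constructed stand-ins.

```python
"""Model of ASA NAT section ordering against an IPsec crypto ACL (added example).

Addresses other than 30.1.1.1 are constructed sample values, not from the thread.
"""
import ipaddress
from dataclasses import dataclass


def net(s):
    """Parse a host or prefix into an IPv4Network (host = /32)."""
    return ipaddress.ip_network(s, strict=False)


@dataclass
class ManualNat:
    """Section 1 rule: nat (in,out) source static <group> <mapped> destination static <dst> <dst>."""
    name: str
    orig_src: list            # object-group members (list of IPv4Network)
    orig_dst: ipaddress.IPv4Network
    mapped_src: ipaddress.IPv4Address


@dataclass
class ObjectNat:
    """Section 2 rule configured under 'object network': no destination condition."""
    name: str
    orig_src: ipaddress.IPv4Network
    mapped_src: ipaddress.IPv4Address


def apply_nat(section1, section2, src, dst):
    """Return (matched rule name, translated source) using ASA first-match order."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for r in section1:                      # manual NAT is evaluated before object NAT
        if dst in r.orig_dst and any(src in m for m in r.orig_src):
            return r.name, r.mapped_src
    for r in section2:                      # object NAT: source only, any destination
        if src in r.orig_src:
            return r.name, r.mapped_src
    return None, src                        # no rule: source leaves untranslated here


def is_interesting(acl, src, dst):
    """True when the (translated) packet matches a crypto ACL entry (src_net, dst_net)."""
    return any(src in s and dst in d for s, d in acl)


def trace(section1, section2, acl, src, dst):
    """Packet-tracer style summary: which NAT rule hit and whether the flow gets encrypted."""
    rule, xsrc = apply_nat(section1, section2, src, dst)
    encrypted = is_interesting(acl, xsrc, ipaddress.ip_address(dst))
    return {"rule": rule, "mapped_src": str(xsrc), "encrypted": encrypted}


def render_config(group, hosts, mapped, dst_obj, ifaces=("Inside", "Outside")):
    """Emit the object-group + single manual NAT line for the grouped design."""
    lines = [f"object-group network {group}"]
    lines += [f" network-object host {h}" for h in hosts]
    lines.append(f"nat ({ifaces[0]},{ifaces[1]}) source static {group} {mapped} "
                 f"destination static {dst_obj} {dst_obj} no-proxy-arp")
    return lines


# --- constructed topology -------------------------------------------------
VPN_SOURCE = ipaddress.ip_address("30.1.1.1")          # object_30.1.1.1 from the thread
SITEB_LAN = net("192.168.20.0/24")                      # stand-in for SiteB_Internal_Lan
HOSTS = ["10.1.1.10", "10.1.1.11", "10.2.2.5"]          # constructed internal hosts
NAT_HOSTS_GROUP = [net(h) for h in HOSTS]

# Grouped design recommended in the thread: one section-1 rule, nothing in section 2.
SECTION1 = [ManualNat("NAT_HOSTS_GROUP->SiteB", NAT_HOSTS_GROUP, SITEB_LAN, VPN_SOURCE)]
SECTION2 = []

# Per-object static design from the question, for contrast (section 2, any destination).
PER_OBJECT = [ObjectNat("NAT_Host_IPSEC", net("10.1.1.10"), VPN_SOURCE)]

# access-list VPN_SiteB_ACL extended permit ip object object_30.1.1.1 object SiteB_Internal_Lan
VPN_SITEB_ACL = [(net("30.1.1.1"), SITEB_LAN)]

if __name__ == "__main__":
    for line in render_config("NAT_HOSTS_GROUP", HOSTS, "object_30.1.1.1", "SiteB_Internal_Lan"):
        print(line)
    print(trace(SECTION1, SECTION2, VPN_SITEB_ACL, "10.1.1.10", "192.168.20.50"))  # hits rule, encrypted
    print(trace(SECTION1, SECTION2, VPN_SITEB_ACL, "10.1.1.10", "203.0.113.9"))    # Internet: untouched
    print(trace(SECTION1, SECTION2, VPN_SITEB_ACL, "10.9.9.9", "192.168.20.50"))   # not in group: cleartext miss
    print(trace([], PER_OBJECT, VPN_SITEB_ACL, "10.1.1.10", "203.0.113.9"))         # object NAT: translated everywhere
```

The last two traces show why the grouped rule is the safer shape: a host that is missing from NAT_HOSTS_GROUP never becomes 30.1.1.1, so its packets to SiteB miss the crypto ACL and are not encrypted, which is exactly what `packet-tracer` on the ASA will report; and a plain static object NAT rewrites the host for every destination, not only for SiteB, because object NAT carries no destination condition.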

 

 

Awesome! I will get back to you and let you know status ASAP.

Also, adding NAT statements like this (NATting multiple objects/a group to the source interface of the IPSEC tunnel connection) should not have any negative impact on the connection, correct?