06-06-2019 06:47 PM - edited 02-21-2020 09:40 PM
OK, let's say that I want to just NAT some internal hosts to object_30.1.1.1, which is the local allowed IP for the IPsec ACL on the local ASA, so the remote ASA does not have to be changed. What is the best way to do it?
Should I create an object with a subnet range for the hosts if they are all in the same subnet?
What if they are all different IPs, or they may need to change or be removed? Should I just create an object for each host and configure NAT under the object as below?
object network NAT_Host_IPSEC
nat (Inside,Outside) static object_30.1.1.1 no-proxy-arp
exit
object network NAT_Host2_IPSEC
nat (Inside,Outside) static object_30.1.1.1 no-proxy-arp
etc. etc.
Or configure globally:
nat (Inside,Outside) source static NAT_Host_IPSEC object_30.1.1.1 destination static SiteB_LAN SiteB_LAN no-proxy-arp
nat (Inside,Outside) source static NAT_Host2_IPSEC object_30.1.1.1 destination static SiteB_LAN SiteB_LAN no-proxy-arp
etc. etc.
Is my NAT syntax even right?
Config of the local ASA with the IPsec tunnel:
ASA1:
crypto ikev2 policy 3
encryption aes
integrity sha
group 3
lifetime seconds 86400
exit
crypto ipsec ikev2 ipsec-proposal PH-4
protocol esp encryption aes-256
protocol esp integrity sha-1
exit
tunnel-group 20.20.20.20 type ipsec-l2l
tunnel-group 20.20.20.20 ipsec-attributes
ikev2 local-authentication pre-shared-key ccdp*123
ikev2 remote-authentication pre-shared-key ccdp*123
exit
access-list VPN_SiteB_ACL extended permit ip object object_30.1.1.1 object SiteB_Internal_Lan log info
crypto map ASA1-MAP_SiteB 1 match address VPN_SiteB_ACL
crypto map ASA1-MAP_SiteB 1 set peer 20.20.20.20
crypto map ASA1-MAP_SiteB 1 set ikev2 ipsec-proposal PH-4
crypto map ASA1-MAP_SiteB interface Outside
crypto ikev2 enable Outside
sysopt connection permit-vpn
06-07-2019 01:53 AM
Hi,
I would group those network objects and use the network object group as the original source in the NAT rule. This way you only have one NAT entry, and for any modifications you just add the network object to the group. The translated source would still be your object_30.1.1.1 object.
object-group network NAT_HOSTS_GROUP
 network-object object NAT_Host_IPSEC
 network-object object NAT_Host2_IPSEC
nat (INSIDE,OUTSIDE) source static NAT_HOSTS_GROUP object_30.1.1.1 destination static SiteB_LAN SiteB_LAN
HTH
06-07-2019 04:27 PM
Choose "Add NAT rule before 'NAT object' NAT rules", then:
-Original packet-
Source address: NAT_HOSTS_GROUP
Destination address: SiteB_Internal_Lan
-Translated packet-
Source NAT type: Dynamic PAT hide
Source address: object_30.1.1.1
Destination address: SiteB_Internal_Lan
Run a packet tracer to confirm the NAT rule is picked when the proxy ACL gets hit.
HTH.
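Putting the two replies together as one CLI example (added here, not posted by anyone in the thread): the hosts are collected in a group, the group is PAT-translated to object_30.1.1.1 only when the destination is Site B (the CLI form of the ASDM rule above), the rule is placed in section 1 so it is evaluated before the per-object NAT rules, and the crypto ACL is left untouched. The addresses 10.1.1.10, 10.1.1.11, 30.1.1.1 and 192.168.2.0/24 are assumed values, and SiteB_Internal_Lan is used as the single Site B object throughout.

```cisco
! Assumed addresses (not from the thread): inside hosts 10.1.1.10/.11,
! mapped IP 30.1.1.1, Site B LAN 192.168.2.0/24.
object network object_30.1.1.1
 host 30.1.1.1
object network SiteB_Internal_Lan
 subnet 192.168.2.0 255.255.255.0
object network NAT_Host_IPSEC
 host 10.1.1.10
object network NAT_Host2_IPSEC
 host 10.1.1.11
! One group holds every host that must appear as 30.1.1.1 to Site B.
! Adding or removing a host only touches the group, never the NAT rule
! or the crypto ACL, so the remote ASA never needs a change.
object-group network NAT_HOSTS_GROUP
 network-object object NAT_Host_IPSEC
 network-object object NAT_Host2_IPSEC
! Manual (twice) NAT at line 1 of section 1: checked before object NAT.
! "dynamic" because many real hosts share one mapped address (PAT hide).
! The destination is translated to itself so the rule only matches
! traffic for Site B; other traffic from these hosts falls through to
! whatever NAT rules already serve it.
nat (Inside,Outside) 1 source dynamic NAT_HOSTS_GROUP object_30.1.1.1 destination static SiteB_Internal_Lan SiteB_Internal_Lan
! Crypto ACL unchanged: the peer still only sees 30.1.1.1 <-> Site B.
access-list VPN_SiteB_ACL extended permit ip object object_30.1.1.1 object SiteB_Internal_Lan
! Verify: the trace should show the manual NAT rule, the source rewritten
! to 30.1.1.1, and the VPN encrypt phase with result ALLOW.
packet-tracer input Inside tcp 10.1.1.10 12345 192.168.2.10 443 detailed
```

Run the same packet-tracer for a host that is not in the group to confirm it is not translated to 30.1.1.1 and does not match the crypto ACL.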