Solved: Cisco ASA Site to Site IPSEC VPN and NAT question

Parves Ataev · ‎03-27-2012

Hi Folks,

I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:

ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what i want is to setup NAT with IPSEC VPN so that host at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 with translated addresses

Just an example:

Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet should be the same in this case .5)

The same translation for the rest of the communication (Host N2 pings host N3 destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)

It sounds a bit confusing for me but i have seen this type of setup before when I worked for managed service provider where we had connection to our clients (Site to Site Ipsec VPN with NAT, not sure how it was setup)

Basically we were communicating with client hosts over site to site VPN but their real addresses were hidden and we were using translated address as mentioned above 10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the same.

Appreciate if someone can shed some light on it.

Jouni Forss · ‎03-27-2012

Hi,

Ok so were going with the older NAT configuration format

To me it seems you could do the following:

Configure the ASA1 with Static Policy NAT
- access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
- static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
- access-list INSIDE-NONAT remark L2LVPN NONAT
- access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
- nat (inside) 0 access-list INSIDE-NONAT
You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network
- ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
- ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0

I could test this setup tomorrow at work but let me know if it works out.

Please rate if it was helpful

- Jouni

View solution in original post

Jouni Forss · ‎03-27-2012

Hi,

What software are you running on the ASAs?

Just asking because the NAT configurations changed when moving from 8.2 -> forward (8.3 , 8.4 , 8.5)

Parves Ataev · ‎03-27-2012

Hi JouniForss,

Both ASAs have Version 8.0(2) software. I'm implementing this setup in lab environment.

Thanks

Jouni Forss · ‎03-27-2012

Hi,

Ok so were going with the older NAT configuration format

To me it seems you could do the following:

Configure the ASA1 with Static Policy NAT
- access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
- static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration wont interfere with eachother
On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
- access-list INSIDE-NONAT remark L2LVPN NONAT
- access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
- nat (inside) 0 access-list INSIDE-NONAT
You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network
- ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
- ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0

I could test this setup tomorrow at work but let me know if it works out.

Please rate if it was helpful

- Jouni

Parves Ataev · ‎03-27-2012

Thanks Jouni,

I had a feeling that i would use a Static Policy NAT, but had some doubts regarding the traffic flow logic. I'll try this now and let you know.

Parves

Jouni Forss · ‎03-27-2012

Hi,

I've actuall done a sametype of NAT setup on our own network.

Though in that case I did around 20 of single address static policy nat translations instead of doing one for the whole network.

So should work

Parves Ataev · ‎03-28-2012

Spot on Jouni,

works like a charm. Thanks for a help. One more thing though, I need some clarification if you don't mind. When host N2 communicates with host N1 (10.23.1.5) ASA1 performs translate, how come? Before I though that if I apply Static Policy Nat the direction of policy is from inside to outside. Like you said that policy nat dictates if traffic from inside interface and from inside network going to X destination then translate it to x.x.x.x , but to me it does not make sense that how ASA 1 knows that it needs to translate incoming traffic from ASA2 via tunnel. Lets see this from ASA2 perspective, as far as i understand from this setup is that when interesting traffic enters ASA2 then ASA2 routes the traffic via tunnel <<< 10.1.0.1="" ="" 10.23.1.5="">>>, ASA1 receives it (I could not figure out this part) translates dest. to real ip (192.168.1.5). The weirdest part is about last octet. How ASA1 knows that it needs to translate 10.23.1.5 to 192.168.1.5 (lets assume that this is the first packet in entire communication from host N2(initiator) to host N1?

Many Thanks

Jouni Forss · ‎03-28-2012

Hi,

Never had a really thorough understanding of the process itself. Usually I have enough time to make things to work but not enough to really read up on the theory behind the actual process.

I think the reason is simply that the NAT is bi-directional. So it works both directions. ASA sees traffic coming to host on network 10.23.1.0/24 so it finds a matching rule to that traffic when its going through its own process of forwarding the traffic. (sees the Static Policy NAT configuration, same thing works with NAT0 I guess)

The question about the real and NAT IP last octect staying the same most probably relates to the fact that the source network in the access-list is with network mask of /24 (just like to NAT network 10.23.1.0/24) and as both the NAT address and access-list address end with ".0" it matches the untranslated and translated address by the last octect.

This is how I understand it. I'm sure though that someone can explain it a bit better

- Jouni

Parves Ataev · ‎03-28-2012

Never mind. I was thinking something similar to it about real and NAT ip, but as long things work, the life is good. Thanks for your help.

ALIAOF_ · ‎04-21-2012

I'm wondering instead of doing it like this can this work as well?

"nat (inside) 5 192.168.1.5"

"global (outside) 5 10.23.1.5

or something like:

"nat (inside) 5 192.168.1.0 255.255.255.248"

"global (outside) 5 10.23.1.1-10.23.1.5 netmask 255.255.255.248"