Configure RA VPN to S2S VPN with 8.3

jcattaneo
Level 1

Hello,

I am definitely not a fan of IOS 8.3, and especially the change about "nat".

I am trying to use this example:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml

for creating RA VPN with access to an S2S VPN.

Everything is good except:

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.1.0 255.255.255.0

Because this example is for an 8.2 IOS (or above), and I have 8.3...

Could someone help me by changing the rules to the 8.3 format (and explain, please!)?

Another question :

What is the best way to use this example, but with a single "nat" for all outbound traffic? (I want all outgoing traffic on the main FW to be seen as coming from a single encryption domain.)

Thanks

6 Replies

Jennifer Halim
Cisco Employee

Please kindly provide the "inside_nat0_outbound" access-list entries so we can help with the format in version 8.3 as version 8.3 does not use ACL anymore in the NAT exemption statement.

For your other question, do you mean instead of configuring NAT exemption for the VPN traffic, you would actually like to NAT it to a single IP address? Do you mean the nat/global pair in ASA 8.2 and earlier?

So from your example above, you would like the command for:

global (outside) 1 interface

nat (inside) 1 172.16.1.0 255.255.255.0

And the outside interface will be the source IP of the crypto ACL for your VPN?

Hello,

The access-list entries look like this:

access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.120.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 10.10.120.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.120.0 255.255.255.0 10.10.10.0 255.255.255.0

And the NAT:
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.1.0 255.255.255.0

I have the same configuration as in the example above (see the cisco link in the first post).

My way is to adapt the configuration of that example to use it in version 8.3.

All the command lines are identical in 8.3, except, as you say, the "nat" and the ACL in the NAT exemption.

And that is the problem for me.

The last question is a variant of the example; don't worry about it for the moment, I found the solution...

OK, you can't use an ACL anymore, so it will be slightly different.

Here is the example for the first 2 lines of the NAT exemption in version 8.3:

object network obj-172.16.1.0
     subnet 172.16.1.0 255.255.255.0
object network obj-10.10.10.0
     subnet 10.10.10.0 255.255.255.0
object network obj-20.20.20.0
     subnet 20.20.20.0 255.255.255.0

nat (inside,outside) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-10.10.10.0 obj-10.10.10.0
nat (inside,outside) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-20.20.20.0 obj-20.20.20.0

For the dynamic NAT:

object network obj-172.16.1.0-dyn
     subnet 172.16.1.0 255.255.255.0
     nat (inside,outside) dynamic interface

Here is documentation for your reference:

Network object NAT:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html

Twice NAT:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_rules.html

Hope that helps.

Thanks a lot...

One last question.

If the network 20.20.20.0 is a remote VPN access, and we use the following command:

same-security-traffic permit intra-interface

Must we change something?

Best... I did this test:

object network obj-172.16.1.0
     subnet 172.16.1.0 255.255.255.0
     description ip range for nat source
object network obj-10.10.10.0
     subnet 10.10.10.0 255.255.255.0
     description ip range for internal network
object network obj-20.20.20.0
     subnet 20.20.20.0 255.255.255.0
     description ip range for remote vpn access
object network obj-20.20.50.0
     subnet 20.20.50.0 255.255.255.0
     description ip range destination
object-group network DM_INLINE_NETWORK_1
     network-object object obj-10.10.10.0
     network-object object obj-20.20.20.0

nat (any,outside) source static DM_INLINE_NETWORK_1 obj-172.16.1.0 destination static obj-20.20.50.0 obj-20.20.50.0

(I use "any" because the range 20.20.20.0 is a remote VPN, accessed via the outside interface.)

Is it correct? Or am I doing something wrong?

Thanks

My recommendation is to try not to use "any" if at all possible.

From experience, "any" causes lots of problems and is especially difficult to troubleshoot.

I would configure all NAT statements with specific subnets and specific interfaces.

I know this is a lot of configuration to configure, but at least you know that it is specific, and there is less likely to be any issue; therefore, most likely it will just work without any troubleshooting.

Even with the old NAT statement with an ACL, it is also recommended to be specific, and I always find that when you are specific, there are few to no problems.

From your above example, I am not quite sure what you are trying to achieve for the 20.20.20.0 network. Please remember that the NAT exemption is bi-directional, so you only need to configure the NAT statement in 1 direction, not both. And normally it is in the direction from inside towards the outside.

In any case, from your above example, it's incorrect. You can't NAT DM_INLINE_NETWORK_1 (which consists of multiple subnets) to just 1 class C subnet (172.16.1.0/24). And this is also not NAT exemption; this is becoming NATing, because you are trying to NAT 10.10.10.0/24 and 20.20.20.0/24 to 172.16.1.0/24, which is not supported anyway. You can NAT 1 class C to another class C, but you can't NAT 2 class Cs into 1 class C.

Actually, going back to your original NAT exemption ACL, it looks incorrect, because you configure it bi-directional. It just needs to be configured in 1 direction.

Not quite sure of the following lines:

access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.120.0 255.255.255.0 20.20.20.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 10.10.120.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.120.0 255.255.255.0 10.10.10.0 255.255.255.0

Destination subnet can't be source subnet. E.g. 10.10.10.0/24, 20.20.20.0/24 and 10.10.120.0/24 have been configured as both source and destination subnet, which is incorrect. If you apply this on the inside interface, all sources should be subnets behind the inside interface, and all destinations should be subnets behind the outside interface.
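Jennifer's conversion above (the old nat0 exemption rewritten as identity twice-NAT with network objects) and her point that exemption is bi-directional, worked through as an added Python example that is not from the thread or from Cisco: it parses 8.2-style "nat 0 access-list" entries, emits the equivalent 8.3 object network and twice-NAT lines, and flags entries that merely mirror an earlier one. The embedded ACL lines are constructed from the entries posted above; object names follow the obj-<network> convention used in this thread, and the inside/outside interface names are assumptions.

```python
import ipaddress
import re
# Constructed sample input: four of the 8.2-style nat0 ACL entries posted in the thread.
SAMPLE_ACL = """\
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ACL_RE = re.compile(rf"access-list\s+\S+\s+extended\s+permit\s+ip\s+{IP}\s+{IP}\s+{IP}\s+{IP}")

def parse_acl(text):
    """Return (source, destination) network pairs from 8.2 'nat 0 access-list' entries."""
    pairs = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:  # skip anything that is not a permit-ip subnet/mask entry
            src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}")
            pairs.append((src, dst))
    return pairs

def obj_name(net):
    """Object naming follows the obj-<network> convention used in the thread."""
    return f"obj-{net.network_address}"

def to_83_exemption(pairs, inside="inside", outside="outside"):
    """Emit 8.3 'object network' definitions plus one identity twice-NAT line per ACL entry."""
    objects, nat_lines = {}, []  # dict keeps first-seen order and de-duplicates shared subnets
    for src, dst in pairs:
        for net in (src, dst):
            objects.setdefault(obj_name(net), net)
        # Mapping each object to itself is what makes this an exemption, not a translation.
        nat_lines.append(f"nat ({inside},{outside}) source static {obj_name(src)} {obj_name(src)} "
                         f"destination static {obj_name(dst)} {obj_name(dst)}")
    out = []
    for name, net in objects.items():
        out += [f"object network {name}", f" subnet {net.network_address} {net.netmask}"]
    return out + nat_lines

def mirrored_entries(pairs):
    """Entries whose reverse was already listed: exemption is bi-directional, so these are redundant."""
    seen, dupes = set(), []
    for src, dst in pairs:
        if (dst, src) in seen:
            dupes.append((src, dst))
        seen.add((src, dst))
    return dupes
```

Run `mirrored_entries(parse_acl(SAMPLE_ACL))` first: the 20.20.20.0 to 10.10.10.0 entry is reported as the mirror of the line before it, which is the duplication Jennifer describes.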

Thanks for your reply!

I am also not a fan of "any", so I will separate the NAT rules.

About the NAT from 2 class C networks to 1 class C, I understand my mistake. Then, if I reduce the networks, with something like this:

object network obj-172.16.1.0
     subnet 172.16.1.0 255.255.255.0
     description ip range for nat source
object network obj-10.10.10.0
     subnet 10.10.10.0 255.255.255.224
     description ip range for internal network
object network obj-20.20.20.0
     subnet 20.20.20.0 255.255.255.224
     description ip range for remote vpn access

So in this case, will it work?

In any case, I prefer to explain my situation and the objective (it will be clear, I hope):

I have 3 networks:

-(a) local network : 10.10.10.0 255.255.255.0

-(b) Remote VPN access : 20.20.20.0 255.255.255.???

-(c) Remote network (client) : 20.20.50.0 255.255.255.0

The objective is to provide access to two networks (a & b) for the client network (c), but the client wants to allow a single source network: 172.16.1.0 255.255.255.0

Thanks for your time and explanation!