So the only way is to nat before the VPN. I didn't want to have to do that, as then we can't define source traffic per the radius auth the ISP is using to match IP traffic to user. If we nat then pump down the tunnel, all the traffic is from a single source IP that doesn't match an IP in the auth database for the ISP gateway.

I'll give it a 4 rating as it is an pretty good guide to nat before manipulating outside traffic, but i alreay know how to do that.

I know how to use nat in 8.4, I just don't have a test 5510, only a few basic 5505s 10 users in stock for some smaller clients.

what i need to do, is define traffic to 80/443 from a subset of the lan subnets, pump that down the l2l VPN, and pump the rest out the overflow. Not split the nat out different interfaces, but split the policy nat for the L2L VPN (or nonat on 8.2 as they don't have smartnet for upgrade)

I'd prefer they just get a barracuda or another pass through device, but they believe sales people before their own IT consulting company apparently.

Hi,

The example NAT configuration for WWW specifically keeps the source address intact. The only NAT configuration that NATs to a single IP address is just an example to illustrate that the other type of connections still hit the Default PAT rule. Only the network defined with WIRELESS object with destination TCP/80 gets NATed to itself (or rather not NATed at all) so that it potentially hits the L2L VPN with its real source IP address.

And you can easily modify and add similiar NAT configurations to choose which internal networks WWW traffic is NATed this way (or as stated NOT NATed) and keep rest of the networks using the actual Internet connection rather than the L2L VPN.

- Jouni

I see that it keeps the IP when it NATs to the port 80. How would I get that down a VPN.

Normal VPN nat (as below) will ensure defined interesting traffic doesn't global nat and tries to go down the defined VPN tunnel.

8.2:  access-list nonat extended permit ip

        nat (inside) 0 access-list nonat

8.3

nat (inside,outside) source static destination static

If I'm starting to understand it correctly, to use your example of port based policy mapping, I would nat my subnet to itself only for www (as it is going to be a destination of "any" as I it is outbound) and my VPN is still defined as that subnet with that port. so:

object network LAN-WEBFILTER

subnet 10.0.3.0 255.255.255.0

object network LAN-NOFILTER

subnet 10.0.3.0 255.255.255.0

object-group service WEBPORTS

service-object tcp eq 80

service-object tcp eq 443

object network any-NOFILTER

host

nat (inside,outside) source static LAN-WEBFILTER LAN-WEBFILTER service WEBPORTS WEBPORTS

nat (inside,outside) after-auto source dynamic wireless-network any-NOFILTER

so, now that traffic is hitting the outside interface as the source IP, instead of the globally natted "overflow" ip (to borrow a term from the router side of things), the VPN interesting traffic ACL should regocnize the IPs.

okay, I was reading on my phone before I didn't quite get it, thanks so much. I think I understand what you were going for, the secondary definition of the after-auto command was what I was missing before, I didn't know you could do that.

I'll see if they are up for renewing the smartnet so we can upgrade to 8.4.

Hi,

The basic idea in the above new NAT format configuration was the following

• The LAN network will not be NATed when the connection coming to the ASA is heading anywhere behind the "outside" interface and with the destination service TCP/80
• Provided that the L2L VPN ACL defines the local source as the local LAN network the TCP/80 traffic should match the L2L VPN interesting traffic after the NAT operations have been gone through by the ASA and it reaches the VPN phase.
• Naturally any other destination port traffic will not match this NAT rule and therefore probably hits another default NAT/PAT rule and therefore also NOT hit the L2L VPN connection and head out normally out the "outside" interface.
• Naturally if you need the same behaviour for multiple services you will configure a similiar NAT rule for all of them.

I was wondering if we could do the same with the 8.2 software (or below)

I was thinking of a NAT configuration like this

access-list L2L-VPN-POLICYNAT permit tcp 10.0.255.0 255.255.255.0 any eq www

access-list L2L-VPN-POLICYNAT permit tcp 10.0.255.0 255.255.255.0 any eq https

static (inside,outside) 10.0.255.0 access-list L2L-VPN-POLICYNAT

This to my understanding should do pretty much the same as the new software format. There are naturally differences between the software levels which make them a bit different to handle. The new software gives a lot more options to modify the existing NAT rule order while the old isnt that flexible.

- Jouni

I'm not even going to try to mess with it in 8.2 or older. I've done nat -> vpn on it before for vendor VPNs requiring specific source IPs. not fun, much easier on 8.4.

I'll take your advice and do seperate nats for each service instead of a service group. Thanks again, make sense now that I had some time to sit down and obsorb it.

We are getting a quote to a client for smartnet (they declied the last one we sent during their renewal )

Ok,

I would be a bit hesitant myself playing around with 8.2 NAT

I think actually that the ASA 8.3+ doesnt accept "object-group service" in the NAT configurations. And as "object service" can only contain one entry I guess it makes for multiple NAT configuration lines/objects depending on the needs.

- Jouni

it's supposed to, but we can't get it to work for inbound PAT, so we just have 30 object lines.

object network EXCH-WEB

object network EXCH-SMTP

etc..

thanks again, I knew I could probably nat to external IP per port, then send down VPN (I've done that a few times already), but I would lose source IP for radius auth. at the gateway. I didn't think about doing a service policy NAT before the VPN with 8.3+. Makes all the sense in the world to me now.

Jeff