How to NAT an inside IP address so it only gets NATed when going to particular destination & is un-NATed otherwise

Dean Romanelli

Hi All,

I have the following 2 sites. One branch, one data center.  Both running post 8.3 code.

(192.168.120.1(L3SW)-----------ASA)---------PUBLIC INTERNET----------(202.xxx.xx.242)ASA

                     DATA CENTER                                                                           BRANCH

I need 192.168.120.1 to be able to ping 202.xxx.xx.242 for SLA purposes, so that means I need to NAT it at the internet breakout. However, I also need to be able to SSH from 192.168.120.1 over several VPN tunnels to other branches on private subnets.

How can I set up a NAT rule in my ASA so that if 192.168.120.1 is trying to talk to 202.xxx.xx.242, NAT out 192.168.120.1 to the internet, but any other destinations that 192.168.120.1 may need to talk to (i.e branch LAN over VPN), do not NAT?

 

Accepted Solution

David Castro F.

Hello Dean,

I would recommend a Twice NAT, which is basically the same terminology as a "Policy NAT": you can specify that your source host will be translated to a certain IP address only when it is addressed to a certain destination or destinations. So basically you may create a network object with the IP address of the source, another network object with the public IP which you want to use to translate the 192.168.x.x address, and then the destination network object, so it will be like this:

object network IP_192.168.120.1
  host 192.168.120.1

object network TRANSLATED_IP_FOR_192.168.120.X
  host 99.99.99.99
! 99.99.99.99 is an example; use the public IP you have free for this

object network IP_202.XXX.XXX.242
  host 202.XXX.XXX.242

nat (inside,outside) source static IP_192.168.120.1 TRANSLATED_IP_FOR_192.168.120.X destination static IP_202.XXX.XXX.242 IP_202.XXX.XXX.242

This way the traffic that comes from 192.168.120.1 going through a VPN tunnel will not match this NAT statement, since this NAT statement states that it will be translated only when going to the 202.XXX.XXX.242 address. Now you may run a packet tracer and see how it goes.

Please rate and mark as correct this answer if it helped you, keep me posted!

Thanks,

David Castro,

4 Replies

This is quite simple really.  You just need a twice NAT / identity NAT statement for the VPN traffic and then let everything else hit the dynamic NAT statement. Perhaps something like the following:

object network LOCAL_LAN
  subnet 10.10.10.0 255.255.255.0

object network REMOTE_LAN
  subnet 11.11.11.0 255.255.255.0

! identity (exemption) NAT for the VPN traffic, evaluated first (section 1)
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN

! everything else is PATed to the outside interface, evaluated last (section 3)
nat (inside,outside) after-auto source dynamic LOCAL_LAN interface

--

Please remember to select a correct answer and rate helpful posts


Hi Marius,

I like that idea, but I'm afraid I'd have to configure 120 of those twice NATs if we do it in this fashion because I ultimately have 120 sites VPNing back here. I had only mentioned 1 in the example for simplicity.

Hi David,

I think that will work.  I do have 1 public IP available on my WAN subnet that I could one-to-one NAT 192.168.120.1 to. However, I would prefer to overload it instead so that 120.1 is less easy to find from the public internet.  Is there a way I can do that without configuring 120 twice NATs for 192.168.120.1 to not be NATed when it tries to SSH to any of my 120 VPN branch subnets?

Hello Dean,

I am glad it works for you. In this case, if you will use overload, I would recommend you to create some sort of policy PAT (known as Policy NAT); what it does is translate many hosts to one address when going to a specific address, in this case the 202 address, with the available public address you have.  So for example, if you have 3 private subnets that should be NATed publicly when reaching specific destinations, you may then create object groups for this like this:

object-group network Private_IPs
  network-object host 192.168.120.1
  network-object 192.168.X.X 255.255.255.X
  network-object 192.168.X.X 255.255.255.X

object network TRANSLATED_IP_FOR_Private_IPs
  host 99.99.99.99
! 99.99.99.99 is an example (the IP you have free for this)

object network IP_202.XXX.XXX.242
  host 202.XXX.XXX.242

nat (inside,outside) source static Private_IPs TRANSLATED_IP_FOR_Private_IPs destination static IP_202.XXX.XXX.242 IP_202.XXX.XXX.242

You can modify the IP_202.XXX.XXX.242 object and instead use an object group with multiple destinations outside. Otherwise, if you just do a PAT to the interface as the others suggest, you will be forced to create 200 NAT exemption lines.

Please proceed to rate and mark as correct this post if it helped you! Keep me posted!

Regards,

David Castro,
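A small Python model of how the ASA walks its NAT table for the two approaches discussed in this thread (David's destination-keyed twice NAT versus Marius's identity NAT plus after-auto interface PAT), added here as an illustration; it is not code from any post or from Cisco. The addresses 203.0.113.242 (standing in for the 202.xxx.xx.242 SLA target) and 10.20.0.0/16 (standing in for the branch LANs) are constructed placeholders, and section ordering is simplified to the three NAT sections.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class NatRule:
    """Toy model of one post-8.3 'nat (inside,outside)' line.
    section 1 = manual (twice) NAT, 2 = object (auto) NAT, 3 = manual NAT with 'after-auto'."""
    name: str
    section: int
    src: List                  # real source networks (flow matches if its source is in any)
    dst: Optional[List]        # real destination networks; None means any destination
    mapped_src: Optional[str]  # None means identity NAT: the source stays as it is

    def matches(self, src, dst) -> bool:
        return any(src in n for n in self.src) and (
            self.dst is None or any(dst in n for n in self.dst))

def nets(*cidrs):
    return [ip_network(c) for c in cidrs]

def translate(rules: List[NatRule], src: str, dst: str) -> Tuple[Optional[str], str]:
    """Return (matched rule name, mapped source). Sections are walked 1, 2, 3 and
    within a section the first configured match wins; no match means no translation."""
    s, d = ip_address(src), ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.section):  # sorted() is stable: config order kept
        if rule.matches(s, d):
            return rule.name, (rule.mapped_src or src)
    return None, src

# Constructed placeholders: 203.0.113.242 stands in for the 202.xxx.xx.242 SLA target,
# 10.20.0.0/16 for the branch LANs behind the VPN tunnels, 99.99.99.99 is the thread's example IP.
HOST, SLA_TARGET, BRANCH_LANS = "192.168.120.1", "203.0.113.242", nets("10.20.0.0/16")

# David's accepted approach: a single twice-NAT rule keyed on the one destination.
POLICY_NAT = [NatRule("twice-nat-to-sla-target", 1, nets(HOST + "/32"),
                      nets(SLA_TARGET + "/32"), "99.99.99.99")]

# Marius's approach: identity NAT for the VPN subnets, then a catch-all interface PAT after-auto.
EXEMPT_THEN_PAT = [
    NatRule("vpn-identity", 1, nets("192.168.120.0/24"), BRANCH_LANS, None),
    NatRule("pat-to-interface", 3, nets("192.168.120.0/24"), None, "outside-interface-ip"),
]

if __name__ == "__main__":
    for rules in (POLICY_NAT, EXEMPT_THEN_PAT):
        for dst in (SLA_TARGET, "10.20.5.1", "10.99.0.1"):  # 10.99.0.1: a branch LAN left out of the exemption
            print(dst, "->", translate(rules, HOST, dst))
```

The last destination shows the operational risk behind Dean's concern: with the exemption approach, any branch subnet missing from the identity rule falls through to the interface PAT and its VPN traffic is translated, whereas the destination-keyed twice NAT leaves every other flow untouched without listing the branches at all.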
