
Inside Source NAT of Remote Host and Site to Site VPN

adil.nasser3
Level 1

Hello All,

I have been tasked with building a VPN tunnel with a partner company between our company's PIX firewall and the other company's ASA firewall.  The traffic flow will be partner company users accessing my company's Citrix server.  I want to source-PAT the partner company user traffic to my company's PIX inside interface as it enters my LAN to access my company's Citrix server.  The partner company will be PATing their user traffic to a single IP address; let's say for discussion purposes it is 65.99.100.101.  So there will be site-to-site VPN configuration and NAT configuration required to enable this traffic flow according to the above requirements.

I am most concerned about the correctness of the encryption domain configuration because NAT is involved in this setup.  My goal is to NAT the other company's (Company A) IP address to an IP address which is routable in my company's network.

The key question here is: do I include the real source IP address (65.99.100.101) of Company A's user or the NATted IP address (10.200.11.9) in the encryption domain?

In other words, should the encryption domain look like this:

OPTION A

permit ip host 10.200.11.103 host 65.99.100.101

OR

OPTION B

permit ip host 10.200.11.103 host 10.200.11.9

I'm inclined to think it should look like OPTION A.  Below is the complete MY COMPANY side of the VPN config.  I also attached a sample diagram depicting this topology.

Thanks in advance,

Adil

CONFIG BELOW
------------------------------------------------

#################################################
Object-Group Config:
#################################################
object-group network COMPANY_A_NETWORK
 description Company A Network Accesses My Company Citrix Farm
 network-object host 65.99.100.101
object-group network MYCOMPANY_CITRIX_FARM
 description Takata Citrix Farm accessed by Genpact
 network-object host 10.200.11.103

################################################
Encryption Config:
################################################
! Phase 1 (ISAKMP), kept as posted. 3DES, SHA-1 and DH group 2 are legacy
! choices; current guidance is AES with DH group 14 or higher.
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

********************************
CRYPTO MAP
********************************
! Phase 2. The transform-set definition is not in the original post; the name
! implies the following line, which is assumed here:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 561 match address Outside_561_cryptomap
crypto map Outside_map 561 set peer 55.5.245.21
crypto map Outside_map 561 set transform-set ESP-3DES-SHA
! The "crypto map Outside_map interface ..." binding and "crypto isakmp enable ..."
! on the outside interface are also not shown in the post.

********************************
TUNNEL GROUP
********************************
tunnel-group 55.5.245.21 type ipsec-l2l
tunnel-group 55.5.245.21 ipsec-attributes
 pre-shared-key *55.5.245.21
! (key value not disclosed in the post)

*******************************
CRYPTO DOMAIN
*******************************
! Encryption domain: the local Citrix host and the partner's REAL (pre-NAT)
! address. The crypto ACL is matched on the outside-facing form of the packet
! (after NAT on egress, before NAT on ingress), so the mapped address
! 10.200.11.9 must not appear here; that would be OPTION B.
access-list Outside_561_cryptomap extended permit ip object-group MYCOMPANY_CITRIX_FARM object-group COMPANY_A_NETWORK

###########################################
NAT'ing
###########################################
! Outside (policy) NAT: partner sources arriving on the outside interface are
! translated to 10.200.11.9 as they enter the inside network.
global (inside) 9 10.200.11.9
nat (outside) 9 access-list genpact_source_nat outside
access-list genpact_source_nat extended permit ip host 65.99.100.101 any
access-list genpact_source_nat extended permit ip host 65.99.100.102 any
! Note: 65.99.100.102 is translated here but is not in COMPANY_A_NETWORK, so it
! is outside the encryption domain and cannot reach the farm through this tunnel.

! For not NATting the Citrix server IP address (NAT exemption). The matching
! "nat (Inside) 0 access-list Inside_nat0" statement is supplied in the reply
! below. The post spells the inside interface both "inside" (global) and
! "Inside" (nat 0); the name configured with nameif is the one to use in both.
access-list Inside_nat0 extended permit ip object-group MYCOMPANY_CITRIX_FARM object-group COMPANY_A_NETWORK

Accepted Solution

Andrew Phirsov
Level 7

You have to include the pre-NAT IP 65.99.x.x in your crypto map, just like you did.

To me, the config you provided here looks fine and will meet your requirements.

One thing: I don't see the actual nat 0 rule here, but there's the ACL for that NAT. Probably you've just omitted that rule.
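The check Andrew describes, written out as a small linter over the configuration from the original post. This is an added example, not part of the thread and not a Cisco tool: it parses only the PIX pre-8.3 NAT syntax used above (object-groups, extended ACLs, global/nat, crypto map match address), and the OPTION B variant is constructed here for contrast. It flags a mapped global-pool address appearing in the crypto ACL (OPTION B), partner hosts that outside NAT translates but the encryption domain never carries (65.99.100.102 as posted), crypto ACL pairs not covered by the nat 0 ACL, and the two spellings of the inside interface.

```python
"""Lint a PIX/ASA (pre-8.3 NAT syntax) site-to-site encryption domain that uses
outside policy NAT. Rule under test: the crypto ACL sees the outside-facing form
of the packet, so it must name the partner's real address, never the mapped one."""
import re
from collections import defaultdict

# Configuration lines as posted in the thread, plus the nat 0 line from the reply.
ORIGINAL_POST_CONFIG = """
object-group network COMPANY_A_NETWORK
 network-object host 65.99.100.101
object-group network MYCOMPANY_CITRIX_FARM
 network-object host 10.200.11.103
crypto map Outside_map 561 match address Outside_561_cryptomap
access-list Outside_561_cryptomap extended permit ip object-group MYCOMPANY_CITRIX_FARM object-group COMPANY_A_NETWORK
global (inside) 9 10.200.11.9
nat (outside) 9 access-list genpact_source_nat outside
access-list genpact_source_nat extended permit ip host 65.99.100.101 any
access-list genpact_source_nat extended permit ip host 65.99.100.102 any
access-list Inside_nat0 extended permit ip object-group MYCOMPANY_CITRIX_FARM object-group COMPANY_A_NETWORK
nat (Inside) 0 access-list Inside_nat0
"""

# Constructed variant: the same config with the poster's OPTION B crypto ACL.
OPTION_B_CONFIG = ORIGINAL_POST_CONFIG.replace(
    "access-list Outside_561_cryptomap extended permit ip object-group "
    "MYCOMPANY_CITRIX_FARM object-group COMPANY_A_NETWORK",
    "access-list Outside_561_cryptomap extended permit ip host 10.200.11.103 host 10.200.11.9")


def parse_config(text):
    """Collect object-groups, ACLs, global pools, nat statements and crypto-map matches."""
    cfg = {"groups": defaultdict(set), "acls": defaultdict(list),
           "globals": {}, "nats": [], "crypto_acls": set()}
    group = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"object-group network (\S+)", line):
            group = m.group(1)
        elif m := re.match(r"network-object host (\S+)", line):
            cfg["groups"][group].add(m.group(1))
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)", line):
            cfg["acls"][m.group(1)].append(m.group(2).split())
        elif m := re.match(r"global \((\S+)\) (\d+) (\S+)", line):
            cfg["globals"][m.group(2)] = (m.group(1), m.group(3))  # id -> (iface, mapped address)
        elif m := re.match(r"nat \((\S+)\) (\d+) access-list (\S+)( outside)?", line):
            cfg["nats"].append((m.group(1), m.group(2), m.group(3), bool(m.group(4))))
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            cfg["crypto_acls"].add(m.group(1))
    return cfg


def _operand(tokens, i, groups):
    """Consume one ACE address operand at tokens[i]; return (addresses, next index)."""
    if tokens[i] == "any":
        return {"any"}, i + 1
    if tokens[i] == "host":
        return {tokens[i + 1]}, i + 2
    if tokens[i] == "object-group":
        return set(groups[tokens[i + 1]]), i + 2
    return {f"{tokens[i]}/{tokens[i + 1]}"}, i + 2  # network mask


def ace_pairs(acl, cfg):
    """Expand an ACL to the set of (source, destination) pairs it permits."""
    pairs = set()
    for tokens in cfg["acls"].get(acl, []):
        src, i = _operand(tokens, 0, cfg["groups"])
        dst, _ = _operand(tokens, i, cfg["groups"])
        pairs |= {(s, d) for s in src for d in dst}
    return pairs


def check_encryption_domain(text):
    """Return a list of findings; an empty list means NAT and crypto ACLs agree."""
    cfg, findings = parse_config(text), []
    crypto = set().union(*(ace_pairs(a, cfg) for a in cfg["crypto_acls"]))
    crypto_hosts = {h for pair in crypto for h in pair}
    mapped = {addr for _, addr in cfg["globals"].values()}
    # OPTION B mistake: the mapped (inside-facing) address in the encryption domain.
    for addr in sorted(crypto_hosts & mapped):
        findings.append(f"crypto ACL names mapped address {addr}; use the partner's real address")
    # Partner hosts that outside NAT would translate but this tunnel will never carry.
    for iface, nat_id, acl, outside_kw in cfg["nats"]:
        if nat_id != "0" and outside_kw and nat_id in cfg["globals"]:
            for host in sorted({s for s, _ in ace_pairs(acl, cfg)} - crypto_hosts):
                findings.append(f"{host} is translated by nat ({iface}) {nat_id} but is not in the encryption domain")
    # Local hosts in the crypto ACL must be exempt from inside NAT (nat 0).
    exempt = set().union(*(ace_pairs(acl, cfg) for _, nat_id, acl, _ in cfg["nats"] if nat_id == "0"))
    if not any(n[1] == "0" for n in cfg["nats"]):
        findings.append("no nat 0 statement: local hosts would be translated before encryption")
    elif crypto - exempt:
        findings.append(f"{len(crypto - exempt)} crypto ACL pair(s) not covered by the nat 0 ACL")
    # The post spells the inside interface two ways; only the configured nameif value is valid.
    seen = defaultdict(set)
    for name in {v[0] for v in cfg["globals"].values()} | {n[0] for n in cfg["nats"]}:
        seen[name.lower()].add(name)
    findings += ["interface name spelled inconsistently: " + ", ".join(sorted(v))
                 for v in seen.values() if len(v) > 1]
    return findings


if __name__ == "__main__":
    print(*check_encryption_domain(ORIGINAL_POST_CONFIG), sep="\n")
```

Run against the posted OPTION A configuration it reports only the stray 65.99.100.102 translation and the Inside/inside spelling; against the OPTION B variant it additionally reports the mapped address in the crypto ACL, both partner hosts falling outside the encryption domain, and the crypto pair that the nat 0 ACL no longer covers.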

4 Replies


Thank you, Andrew, for your feedback.  I have a call to turn up the VPN tunnel this morning, and now I feel more confident going into this call that the config should work.

And yes, the nat 0 rule is in the PIX; I just forgot to include it.  Here it is...

nat (Inside) 0 access-list Inside_nat0

Thanks again for your feedback.  Much appreciated.  ;-)

Adil

Hi Andrew,

Just to update you: the VPN tunnel was successfully turned up using the configuration in this post.  Thanks again for your help!

Adil

Glad for you)