08-16-2012 02:04 PM
08-16-2012 02:16 PM
Which ASA-version are you running? For v8.3+ there is a document on supportforums:
https://supportforums.cisco.com/docs/DOC-11639
And there are some examples for 8.2 and below:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_control.html#wp1082669
BTW: The right term is NAT-Exemption. On older versions there was a different function named "Identity NAT".
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-16-2012 02:24 PM
Karsten,
Thanks. I am using 8.3+ and already figured out the NAT Exemption part. I need that for some hosts, not entire networks as shown in the document. What it does not show is how to NAT Exempt some hosts, and PAT all the remaining traffic.
Kevin
08-16-2012 02:39 PM
That's exactly what the example does. The Exemption only works when an internal host tries to reach the remote VPN-address. Everything else is translated by your remaining NAT-rules. And don't forget that NAT-Exemption is basically a routing-function and not an access-control-function.
08-16-2012 03:00 PM
Karsten,
How is this an example of PAT? This is from the document:
Topology:
192.168.1.x/24 inside(ASA1)outside ===VPN===outside(ASA2)inside 192.168.2.0/24
If you were configuring ASA1 nat exemption for this L2L tunnel, it would look like this:
object network obj-local
subnet 192.168.1.0 255.255.255.0
object network obj-remote
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote
This is the NAT-Exemption. When I add a PAT rule it sends the PAT'd traffic out the outside interface, not over the tunnel. I remain confused.
Kevin
08-16-2012 11:44 PM
I thought your PAT was already running and you only have problems with the Exemption ...
Here is an example how I do it on my personal ASA:
object-group network RFC1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
!
nat (any,outside) source static any any destination static RFC1918 RFC1918 description NAT-Excempt for VPN
!
nat (any,outside) after-auto source dynamic any interface
I use this object-group because I know that all my VPN-destinations are in the RFC1918 range and they shouldn't be NATted.
The NAT-rules are processed from top to bottom. So when a packet comes from any interface and gets routed out the outside interface, then it is compared against the two rules. In the first rule we have a source of any and a destination of RFC1918, which can only be VPN traffic. The NAT is exempted as the translated address is the same as the real address in the rule. If the traffic doesn't match, then the next rule is compared, where I only match on the source of any. That traffic is translated to the interface-IP of my ASA.
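As an added illustration that is not part of the thread, the following Python model reproduces the ASA 8.3+ lookup order Karsten describes (section 1 manual NAT, then object NAT, then after-auto, first match wins) using his two rules, and also shows what goes wrong when the dynamic PAT rule sits above the exemption. The outside interface address 203.0.113.1 and the host addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of ASA 8.3+ twice-NAT processing (example, not ASA code):
# section 1 = manual NAT, section 2 = object (auto) NAT, section 3 = after-auto.
# Within a section rules are compared top to bottom; the first match is applied.

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]
INTERFACE_IP = ipaddress.ip_address("203.0.113.1")  # constructed outside interface address


@dataclass
class Rule:
    section: int          # 1, 2 or 3 as above
    src: list             # networks the real source must fall in
    dst: list             # networks the destination must fall in
    action: str           # "identity" (NAT exemption) or "pat-interface"


def matches(nets, addr):
    return any(addr in n for n in nets)


def translate(rules, src, dst):
    """Return (translated source, action) for a packet routed out 'outside'.

    List order stands for configuration order; sorted() is stable, so rules
    keep their relative order inside each section."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.section):
        if matches(rule.src, s) and matches(rule.dst, d):
            if rule.action == "identity":
                return str(s), "identity"       # real address kept, packet follows the VPN route
            return str(INTERFACE_IP), "pat-interface"
    return str(s), "no-nat"                     # no rule matched: forwarded untranslated


# Karsten's configuration from the post above, in model form
KARSTEN = [
    Rule(1, ANY, RFC1918, "identity"),   # nat (any,outside) source static any any destination static RFC1918 RFC1918
    Rule(3, ANY, ANY, "pat-interface"),  # nat (any,outside) after-auto source dynamic any interface
]

# Misordering that PATs VPN traffic: the dynamic rule placed in section 1 above the exemption
MISORDERED = [
    Rule(1, ANY, ANY, "pat-interface"),
    Rule(1, ANY, RFC1918, "identity"),
]
```

With KARSTEN, 192.168.1.10 talking to 192.168.2.20 keeps its real address while 192.168.1.10 talking to 8.8.8.8 becomes 203.0.113.1; with MISORDERED the VPN-bound packet is PATted too, which is the symptom Kevin reports.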