06-25-2007 01:48 AM
Hi,
I have a query and was wondering if you could help us with a policy NAT issue we are having. I have come up with 2 solutions and both of them work to a certain degree, but neither gives a 100% solution.
The background to what we want to achieve is as follows:
We have a site-site VPN between 2 companies terminating on the ASAs. Company A uses an internal LAN address of 172.20.0.x/24 and Company B runs on an internal LAN address of 10.50.1.x/24. We need Company A to present an address range of 192.168.1.x/24 when communicating accros the VPN with Company B. Obviously we want company A's PCs to still be able to access the Internet as normal etc. We can limit the number of PCs from company A to B also if needed.
I have come up with 2 solutions, one is using policy NAT for the VPN, and the other is using just Static NATs ( I will post the relevant config details below).
If I use Policy NAT, and NAT for example 3 of Company A's PCs to a NAT "pool" of 3 addresses, this works fine. However, the only problem with this solution is that Company B cannot easily communicate with the Company A PCs until a Company A PC makes a connection and forces a translation. At this point Company B can ping the first of the translated addresses OK. So for example if Company A PC 1 pings 10.50.1.50, the PC gets translated to 192.168.1.200. Company B can now ping the address 192.168.1.200 with no problems; however, when more PCs are added to this situation it becomes very difficult to manage the return connections and know which PC is associated with which translated address. Also, Company B cannot initialise a connection to Company A unless Company A has made an outbound Policy NAT translation.
But the PCs in Company A can surf the Internet etc as normal with no issues.
The second solution uses 1-to-1 Static NAT translations between Company A and Company B. This is a more elegant solution as you always know what mappings are associated with each PC. Both Company A and Company B can initialize traffic to each other with this solution; however, the downside is that the PCs of Company A that have static translations can no longer surf the Internet. (I know we can get around this by using a proxy server etc.)
What we are wondering is if there is some solution we are overlooking that will give us the best of both worlds, i.e.:
Company A being able to connect with Company B using the 1:1 type NATing.
Company B being able to communicate with Company A at any stage without translations needed first from Com A.
Company A's PCs still being able to access Internet etc without the use of Proxy Servers etc.
Please see configs below:
Solution 1
==========
object-group network NAT_GROUP
network-object 172.20.0.50 255.255.255.255
network-object 172.20.0.51 255.255.255.255
network-object 172.20.0.52 255.255.255.255
access-list NAT extended permit ip object-group NAT_GROUP 10.50.1.0 255.255.255.0
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 10.50.1.0 255.255.255.0
global (outside) 2 192.168.1.200-192.168.1.202 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 2 access-list NAT
nat (inside) 1 0.0.0.0 0.0.0.0
Solution 2
==========
static (inside,outside) 192.168.1.200 172.20.0.50
static (inside,outside) 192.168.1.201 172.20.0.51
static (inside,outside) 192.168.1.202 172.20.0.52
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 10.50.1.0 255.255.255.0
Thanks,
Ian.
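As an added example, not part of Ian's post: the three requirements above (fixed 1:1 mappings, Company B able to initiate, Internet access intact) are what a static policy NAT gives on the pre-8.3 ASA syntax used in this thread. A `static` with an `access-list` is still a static translation (so it is bidirectional and always present in the xlate table), but it only applies to traffic matching the ACL, so the hosts' Internet traffic falls through to the ordinary `nat 1`/`global 1` PAT. The ACL names (PNAT_50 etc.) and the object-group name are assumptions chosen for the example; the addresses are the ones from the post.

```cisco
! Added example, not from the thread: static policy NAT on a pre-8.3 ASA.
! Object-group and ACL names are hypothetical; addresses are from the post.
object-group network REMOTE_OFFICE
 network-object 10.50.1.0 255.255.255.0
!
! One policy ACL per host: match only traffic from that host to Company B.
! The source must be the single real host named in the matching static.
access-list PNAT_50 extended permit ip host 172.20.0.50 object-group REMOTE_OFFICE
access-list PNAT_51 extended permit ip host 172.20.0.51 object-group REMOTE_OFFICE
access-list PNAT_52 extended permit ip host 172.20.0.52 object-group REMOTE_OFFICE
!
! Static policy NAT: fixed 1:1 mapping, bidirectional (B can initiate),
! but only used when the packet matches the ACL. Static NAT is evaluated
! before dynamic NAT regardless of where it appears in the config.
static (inside,outside) 192.168.1.200 access-list PNAT_50
static (inside,outside) 192.168.1.201 access-list PNAT_51
static (inside,outside) 192.168.1.202 access-list PNAT_52
!
! Everything else from inside (Internet traffic from the same hosts
! included) still PATs to the outside interface address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Crypto ACL matches the mapped addresses, as in the original configs.
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 object-group REMOTE_OFFICE
```

Two checks worth doing after applying this: `show xlate` should list the three static entries immediately, without any host having sent traffic, and a ping from a Company B host to 192.168.1.200 should reach 172.20.0.50 while a browser on that same PC still leaves as the outside interface address. If `sysopt connection permit-vpn` has been disabled, the outside interface ACL must permit the inbound traffic to the mapped (192.168.1.x) addresses, since pre-8.3 interface ACLs are written against the NATed address. On ASA 8.3 and later the same result is expressed as twice NAT, e.g. `nat (inside,outside) source static HOST_50 HOST_50_MAPPED destination static REMOTE_OFFICE REMOTE_OFFICE` with network objects for the real and mapped host addresses.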
06-25-2007 02:54 AM
Dear Ian,
My suggestion might not be relevant to your question in terms of using NAT. I wonder in this case whether a policy NAT is really needed. If you could consider a HW client remote access VPN, let's say, Company B acts as the headquarters and Company A as the affiliate, then you can use network extension mode to enable internal LAN connection through the VPN. But I'm uncertain whether there are restrictions in hardware versions....
Another solution might be outside NAT after VPN terminates in ASA. See whether this can get through.
Regards,
James Ren
06-25-2007 03:07 AM
Hi James,
Thanks for the reply.
Yes, I suppose a HW client could help with the solution alright; we would just need to try to keep the translations static. B needs to see a 192.168.1.x address due to the huge amount of routing already in place at B.
Outside NAT or NAT at Company B on the inbound may be possible too, but I guess I am just making sure that I haven't overlooked anything on the ASA in Company A, or have we more or less reached the limits of what can be done from a NAT point of view on this ASA?
Thanks again,
Rgds,
Ian.
06-25-2007 12:30 PM
Hi Ian,
I am also interested in this functionality.
Based on the Solutions you listed, let's take the first one and modify it a bit
Solution 1
==========
object-group network MY_OFFICE
network-object 172.20.0.0 255.255.255.0
object-group network REMOTE_OFFICE
network-object 10.50.1.0 255.255.255.0
access-list NAT extended permit ip object-group MY_OFFICE object-group REMOTE_OFFICE
access-list Internet_access extended deny ip object-group MY_OFFICE object-group REMOTE_OFFICE
access-list Internet_access extended permit ip object-group MY_OFFICE any
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 object-group REMOTE_OFFICE
global (outside) 2 192.168.1.1-192.168.1.254 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 2 access-list NAT
nat (inside) 1 access-list Internet_access
06-25-2007 06:28 PM
I agree with ipsoft to exclude the VPN traffic from the Internet traffic, but I think so far we are still unable to meet task 2. But that B accesses A without NAT in A seems beyond the logic of NAT?
JR
06-26-2007 03:57 AM
I mean the security appliance has to find a translation slot to transmit the packet.
06-26-2007 06:15 AM
James,
The Static NAT solution gets around this problem; I was just wondering if there is a solution that can still provide Internet access to these PCs when they go to the Internet.
Policy NAT was meant to address all these strange NAT requirements.
Rgds,
Ian.
06-26-2007 06:12 AM
Hi Guys thanks for your replies.
Yes, this seemed like the perfect type of solution. Sorry I didn't include the fact that I tried a similar solution and was sad to see that Policy NAT will NOT work with a "deny" statement in the access-list. Once we issue the access-list statement within the NAT command it initializes Policy NAT.
ipsoft, if we could use the above solution with the deny statement, this would still cut off the remote end from being able to communicate with the local end due to the dynamic translations going on. It's just very interesting to see if this solution can be achieved or not??
It seems bizarre that this functionality cannot be used on a modern ASA??
Thanks,
Best Regards,
Ian.