09-15-2010 12:53 PM
The attached Visio document defines the details of my request. The text reads:
The issue: Site A and Site B both use the unregistered 10.x.y.z networks. I need to set up a VPN tunnel between the two sites. We have agreed to use the 172.16.5.0/27 translated network at one end and the 172.16.6.0/27 network at the other end.
I am located at Site B. How do I configure my ASA5510 to accomplish this? I think I need to set up "source NAT" to translate all my required network(s) to the remote's network(s), possibly using policy NAT. Is this correct? What are the NAT commands I need for Site B to accomplish this? I have already configured the IPsec tunnel between our sites, using our respective peer addresses and encryption parameters. I have configured numerous VPN tunnels in the past, but always with networks other than our own 10.x.y.z scheme.
I'm running v8.2(2) on the ASA5510. Specific commands would be most helpful as I am new to the ASA. I don't need the commands to establish the tunnel itself, only the commands necessary to accomplish the NAT. Thank you!
09-16-2010 10:38 AM
Hello,
The problem is not with the NAT configuration, but with the way the firewall handles the traffic. In both locations, you are using dynamic NAT. Dynamic NAT is used when there are multiple inside clients using a small subset of external IP addresses. Typically, in this scenario, the firewall dynamically allocates the outside IP (from the pool) and uses different TCP/UDP ports to map the inside request to an external IP. Since this allocation is dynamic, the external clients cannot initiate a session to any of the inside clients. They can only respond back to the original request by the inside clients. Now, in your scenario, since both ends are using dynamic mapping, the clients will not know the IP of the remote device (because the remote firewall will dynamically allocate it based on the inside client's request). You will need a static mapping to allow communication between the two sites.
Hope this helps.
Regards,
NT
09-15-2010 04:04 PM
Hello,
The configuration commands are as below:
Site A:
access-list Remote_VPN_NAT permit ip 10.0.0.0 255.0.0.0 172.16.5.0 255.255.255.224
global (outside) 101 172.16.6.0 255.255.255.224
nat (inside) 101 access-list Remote_VPN_NAT
Site B:
access-list Remote_VPN_NAT permit ip 10.0.0.0 255.0.0.0 172.16.6.0 255.255.255.224
global (outside) 101 172.16.5.0 255.255.255.224
nat (inside) 101 access-list Remote_VPN_NAT
While this will do the NAT translations, it would not enable communication between the two sites. Since we are doing dynamic translations, Site A will not know what IP a host on Site B will be using (as it will be dynamically allocated when the client originates the traffic from Site B). An easier option would be to identify all the subnets that are common to both sites and map them to a different subnet altogether.
Example:
If both Site A and Site B have 10.10.100.0/24 subnet, then
Site A:
access-list SiteA_Remote_VPN_NAT permit ip 10.0.0.0 255.0.0.0 172.16.100.0 255.255.255.0
static (inside,outside) 172.17.100.0 access-list SiteA_Remote_VPN_NAT
Site B:
access-list SiteA_Remote_VPN_NAT permit ip 10.0.0.0 255.0.0.0 172.17.100.0 255.255.255.0
static (inside,outside) 172.16.100.0 access-list SiteA_Remote_VPN_NAT
In the above setup, the whole network is mapped to another equivalent subnet and hence both subnets can talk to each other.
Hope this helps.
Regards,
NT
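To make the difference between the two NAT styles in the answers above concrete (the dynamic nat/global pool and the static net-to-net mapping), here is a small Python model added for this thread; it is not ASA code and not from the original posts. It assumes the Site B hosts live in a constructed 10.10.100.0/24 subnet, uses the 172.16.5.0/27 pool from the first configuration and the 172.16.100.0/24 mapped network from the second, and shows why a remote host can only reach an inside host through the static mapping before that inside host has sent anything.

```python
import ipaddress

class DynamicNat:
    """Model of 'nat (inside) 101 access-list ...' + 'global (outside) 101 <pool>':
    a translation entry exists only after an inside host initiates traffic."""
    def __init__(self, real_net, pool_net):
        self.real = ipaddress.ip_network(real_net)
        self.free = list(ipaddress.ip_network(pool_net).hosts())  # unused pool IPs
        self.xlate = {}  # real ip -> mapped ip, created on demand

    def outbound(self, src):
        """Inside host sends: allocate a pool address (or reuse its entry)."""
        src = ipaddress.ip_address(src)
        if src not in self.real or (src not in self.xlate and not self.free):
            return None  # not eligible, or pool exhausted
        if src not in self.xlate:
            self.xlate[src] = self.free.pop(0)
        return str(self.xlate[src])

    def inbound(self, dst):
        """Remote host initiates to a pool address: works only if an entry exists."""
        dst = ipaddress.ip_address(dst)
        for real, mapped in self.xlate.items():
            if mapped == dst:
                return str(real)
        return None  # no translation entry, so the firewall drops the packet

class StaticNat:
    """Model of 'static (inside,outside) <mapped_net> access-list ...':
    a fixed 1:1 net-to-net mapping, valid in both directions before any traffic."""
    def __init__(self, real_net, mapped_net):
        self.real = ipaddress.ip_network(real_net)
        self.mapped = ipaddress.ip_network(mapped_net)
        assert self.real.prefixlen == self.mapped.prefixlen, "net-to-net needs equal sizes"

    def outbound(self, src):
        src = ipaddress.ip_address(src)
        if src not in self.real:
            return None
        return str(self.mapped[int(src) - int(self.real.network_address)])

    def inbound(self, dst):
        dst = ipaddress.ip_address(dst)
        if dst not in self.mapped:
            return None
        return str(self.real[int(dst) - int(self.mapped.network_address)])
```

With the dynamic model, `inbound("172.16.5.1")` returns None until some inside host has gone out and been given that pool address; with the static model, `inbound("172.16.100.25")` always resolves to 10.10.100.25.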
09-16-2010 09:14 AM
So, if I used:
Site A:
access-list Remote_VPN_NAT permit ip 10.10.20.0 255.255.255.0 172.16.5.0 255.255.255.224
access-list Remote_VPN_NAT permit ip 10.10.30.0 255.255.255.0 172.16.5.0 255.255.255.224
global (outside) 101 172.16.6.0 255.255.255.224
nat (inside) 101 access-list Remote_VPN_NAT
Site B:
access-list Remote_VPN_NAT permit ip 10.0.0.0 255.0.0.0 172.16.6.0 255.255.255.224
global (outside) 101 172.16.5.0 255.255.255.224
nat (inside) 101 access-list Remote_VPN_NAT
this should allow Site B access to Site A's 10.10.20.0/24 and 10.10.30.0/24 networks? Thank you for your assistance!
Regards,
Wolf