NAT Configuration Request

pootboy69
Level 1

The attached Visio document defines the details of my request. The text reads:

The issue: Site A and Site B both use the unregistered 10.x.y.z networks. I need to set up a VPN tunnel between the two sites. We have agreed to use the 172.16.5.0/27 translated network at one end and the 172.16.6.0/27 network at the other end.

I am located at Site B. How do I configure my ASA5510 to accomplish this? I think I need to set up "source NAT" to translate all my required network(s) to the remote's network(s), possibly using policy NAT. Is this correct? What are the NAT commands I need on the Site B side to accomplish this? I have already configured the IPsec tunnel between our sites, using our respective peer addresses and encryption parameters. I have configured numerous VPN tunnels in the past, but always with networks other than our own 10.x.y.z scheme.

I'm running v8.2(2) on the ASA5510. Specific commands would be most helpful as I am new to the ASA. I don't need the commands to establish the tunnel itself, only the commands necessary to accomplish the NAT. Thank you!

Accepted Solution

Hello,

The problem is not with the NAT configuration but with the way the firewall handles the traffic. In both locations, you are using dynamic NAT. Dynamic NAT is used when there are multiple inside clients using a small subset of external IP addresses. Typically, in this scenario, the firewall dynamically allocates the outside IP (from the pool) and uses different TCP/UDP ports to map the inside request to an external IP. Since this allocation is dynamic, the external clients cannot initiate a session to any of the inside clients. They can only respond to the original request from the inside clients. Now, in your scenario, since both ends are using dynamic mapping, the clients will not know the IP of the remote device (because the remote firewall will dynamically allocate it based on the inside client's request). You will need a static mapping to allow communication between the two sites.

Hope this helps.

Regards,

NT


3 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

The configuration commands are as below:

Site A:

access-list Remote_VPN_NAT permit ip 10.0.0.0 255.0.0.0 172.16.5.0 255.255.255.224

global (outside) 101 172.16.6.0 255.255.255.224

nat (inside) 101 access-list Remote_VPN_NAT

Site B:

access-list Remote_VPN_NAT permit ip 10.0.0.0 255.0.0.0 172.16.6.0 255.255.255.224

global (outside) 101 172.16.5.0 255.255.255.224

nat (inside) 101 access-list Remote_VPN_NAT

While this will do the NAT translations, it would not enable communication between the two sites. Since we are doing dynamic translations, Site A will not know what IP a host on Site B will be using (as it will be dynamically allocated when the client originates the traffic from Site B). An easier option would be to identify all the subnets that are common to both sites and map them to a different subnet altogether.

Example:

If both Site A and Site B have 10.10.100.0/24 subnet, then

Site A:

access-list SiteA_Remote_VPN_NAT permit ip 10.10.100.0 255.255.255.0 172.16.100.0 255.255.255.0

static (inside,outside) 172.17.100.0 access-list SiteA_Remote_VPN_NAT

Site B:

access-list SiteA_Remote_VPN_NAT permit ip 10.10.100.0 255.255.255.0 172.17.100.0 255.255.255.0

static (inside,outside) 172.16.100.0 access-list SiteA_Remote_VPN_NAT

In the above setup, the whole overlapping subnet is mapped one-to-one to a different subnet at each end (Site A's 10.10.100.0/24 appears as 172.17.100.0/24 and Site B's as 172.16.100.0/24), and hence both subnets can talk to each other.

Hope this helps.

Regards,

NT
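The point NT makes in both replies (a dynamic xlate exists only after an inside host sends traffic, whereas a static policy NAT entry exists up front and works in both directions) is easy to see by modelling the header rewrites. The following is an added example written for this thread, not Cisco code and not from any poster; the classes imitate only what the `nat`/`global` pair and the `static ... access-list` command do to source and destination addresses, and the host addresses (10.10.100.5, 10.10.100.7, 10.10.50.9) are constructed for the demonstration.

```python
"""Model of the two NAT designs from the thread for overlapping 10.x subnets.

Constructed example: it imitates the address rewrites performed by
'nat (inside) <id> access-list <acl>' + 'global (outside) <id> <pool>' and by
'static (inside,outside) <mapped> access-list <acl>' on an ASA 8.2, nothing more.
"""
import ipaddress
from dataclasses import dataclass, field

IP = ipaddress.IPv4Address
NET = ipaddress.IPv4Network


@dataclass
class StaticPolicyNat:
    """static (inside,outside) <mapped_net> access-list <acl>, where the ACL
    permits real_net -> peer_net.  One-to-one, so the host part is preserved
    and the translation exists before any host sends a packet."""
    real_net: NET      # inside subnet (ACL source), e.g. 10.10.100.0/24
    peer_net: NET      # ACL destination: the remote site's mapped range
    mapped_net: NET    # what inside hosts look like toward the peer

    def outbound(self, src, dst):
        # inside -> outside: rewrite the source when the policy ACL matches
        if src in self.real_net and dst in self.peer_net:
            src = self.mapped_net.network_address + (int(src) - int(self.real_net.network_address))
        return src, dst

    def inbound(self, src, dst):
        # outside -> inside: the static xlate is always present, so a session
        # started by the peer is translated back to the real host
        if dst in self.mapped_net and src in self.peer_net:
            dst = self.real_net.network_address + (int(dst) - int(self.mapped_net.network_address))
        return src, dst


@dataclass
class DynamicNat:
    """nat (inside) <id> access-list <acl> + global (outside) <id> <pool>.
    A pool address is bound to an inside host only when that host sends
    traffic, so nothing on the outside can address a host first."""
    real_net: NET
    peer_net: NET
    pool: NET
    xlates: dict = field(default_factory=dict)   # real -> mapped

    def outbound(self, src, dst):
        if src in self.real_net and dst in self.peer_net:
            if src not in self.xlates:             # first packet: allocate from the pool
                used = set(self.xlates.values())
                self.xlates[src] = next(h for h in self.pool.hosts() if h not in used)
            src = self.xlates[src]
        return src, dst

    def inbound(self, src, dst):
        if dst in self.pool and src in self.peer_net:
            real = next((r for r, m in self.xlates.items() if m == dst), None)
            if real is None:
                return None                        # no xlate: the firewall drops it
            dst = real
        return src, dst


def static_exchange(a_host="10.10.100.5", b_host="10.10.100.7"):
    """Request from a Site A host to a Site B host and the reply, through the
    static policy NAT pair from the thread.  Returns the header at each hop."""
    site_a = StaticPolicyNat(NET("10.10.100.0/24"), NET("172.16.100.0/24"), NET("172.17.100.0/24"))
    site_b = StaticPolicyNat(NET("10.10.100.0/24"), NET("172.17.100.0/24"), NET("172.16.100.0/24"))
    # the Site A host addresses its peer by the peer's mapped (172.16.100.x) address
    b_mapped = site_b.mapped_net.network_address + (int(IP(b_host)) - int(site_b.real_net.network_address))
    src, dst = site_a.outbound(IP(a_host), b_mapped)
    hops = [("A -> tunnel", str(src), str(dst))]
    src, dst = site_b.inbound(src, dst)
    hops.append(("delivered at B", str(src), str(dst)))
    src, dst = site_b.outbound(dst, src)           # reply: swap the addresses
    hops.append(("B -> tunnel", str(src), str(dst)))
    src, dst = site_a.inbound(src, dst)
    hops.append(("delivered at A", str(src), str(dst)))
    return hops


def dynamic_attempt(b_host="10.10.50.9", a_target="172.16.6.1"):
    """Same attempt through the thread's first (dynamic) configuration.
    Returns the header as it crosses the tunnel and what Site A delivers."""
    site_a = DynamicNat(NET("10.0.0.0/8"), NET("172.16.5.0/27"), NET("172.16.6.0/27"))
    site_b = DynamicNat(NET("10.0.0.0/8"), NET("172.16.6.0/27"), NET("172.16.5.0/27"))
    src, dst = site_b.outbound(IP(b_host), IP(a_target))   # Site B allocates a pool address
    on_tunnel = (str(src), str(dst))
    delivered = site_a.inbound(src, dst)    # Site A has no xlate for 172.16.6.1: dropped
    return {"on_tunnel": on_tunnel, "delivered": delivered}


if __name__ == "__main__":
    for hop in static_exchange():
        print(*hop)
    print(dynamic_attempt())
```

Running it shows the static case completing a round trip with the host offsets preserved (10.10.100.5 is seen by Site B as 172.17.100.5, and 10.10.100.7 by Site A as 172.16.100.7), while in the dynamic case Site B does pick 172.16.5.1 for its host, but the packet arriving at Site A for 172.16.6.1 matches no xlate and is discarded. On the real box the equivalent check is `show xlate` on each ASA: a static entry is listed permanently, a dynamic one only after an inside host has sent traffic.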

So, if I used:

Site A:

access-list Remote_VPN_NAT permit ip 10.10.20.0 255.255.255.0 172.16.5.0 255.255.255.224

access-list Remote_VPN_NAT permit ip 10.10.30.0 255.255.255.0 172.16.5.0 255.255.255.224

global (outside) 101 172.16.6.0 255.255.255.224

nat (inside) 101 access-list Remote_VPN_NAT

Site B:

access-list Remote_VPN_NAT permit ip 10.0.0.0 255.0.0.0 172.16.6.0 255.255.255.224

global (outside) 101 172.16.5.0 255.255.255.224

nat (inside) 101 access-list Remote_VPN_NAT

this should allow the B site access to the A side's 10.10.20.0/24 and 10.10.30.0/24 networks? Thank you for your assistance!

Regards,

Wolf
