NAT destination over a S2S tunnel

Conrad Laus
Level 1

Hello,

 

I've been asked to configure the following set-up:

[image: Drawing1.png]

The traffic coming to 1.1.1.1/32 needs to be NATed and forwarded to 10.133.8.28, across a site to site VPN.

I'm using an ASA firewall (left side) and a Palo Alto firewall (right side).

 

For now, I've configured the site to site tunnel and it's UP.

 

I've configured a NAT on the ASA side:

nat (outside,outside) source static any any destination static 1.1.1.1 10.133.8.18

ACLs allowing traffic are OK.

 

But I'm missing something. I don't see traffic coming on the Palo Alto firewall.

Also, I'm really not sure about how to handle routing in this situation.

 

Could you please advise on this set-up?

 

Regards,

2 Replies

Rahul Govindan
VIP Alumni

So 1.1.1.1 is the IP address of the WAN interface of the ASA, while 2.2.2.2 is the outside? This is not clear from your diagram and description.

 

If the above is the case, you would need the following statement:

nat (WAN,outside) source static any <nat-ip> destination static 10.133.8.18 10.133.8.18

 

where "nat-ip" is the subnet/ip that you need the source to be translated to. The nat-ip would also have to be part of the encryption domains on both the ASA and Palo Alto firewalls.  

Yes, sorry, I did not take much time to make it.

Actually, 2.2.2.2/32 is the main wan interface, used for the site to site VPN with the Palo Alto.

1.1.1.1/32 is a public address where customers come in. And incoming traffic on this IP has to be NATed to the private one (10.133.8.18), which is on the other side of the tunnel.
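The point in the reply above, that the translated source (the nat-ip) has to sit inside the encryption domain on both firewalls, can be checked with a small model of the ASA twice-NAT rule and the two crypto ACLs. This is an added example, not configuration from the thread or from either vendor; the nat-ip 192.0.2.10, the customer address 203.0.113.7 and the /24 remote LAN are constructed placeholders, and it assumes the ASA evaluates its crypto ACL against the packet after NAT.

```python
# Added example (not from the thread): model the ASA twice-NAT rule and the
# tunnel's encryption domains to see whether a customer packet to 1.1.1.1
# would be selected for the S2S tunnel after translation.
# Addresses other than 1.1.1.1 and 10.133.8.18 are constructed placeholders.
import ipaddress

IP = ipaddress.ip_address
NET = ipaddress.ip_network

def twice_nat(pkt_src, pkt_dst, orig_dst, mapped_dst, mapped_src=None):
    """ASA 'source static any <mapped_src> destination static <orig_dst> <mapped_dst>'.
    mapped_src=None models 'source static any any' (source left untranslated)."""
    if pkt_dst != IP(orig_dst):
        return pkt_src, pkt_dst            # rule does not match, no translation
    new_src = pkt_src if mapped_src is None else IP(mapped_src)
    return new_src, IP(mapped_dst)

def in_encryption_domain(domain, src, dst):
    """domain: list of (local_net, remote_net) pairs, i.e. the crypto ACL on the
    ASA or the proxy-ID pairs on the Palo Alto. Assumes the ASA matches the
    crypto ACL against the post-NAT packet."""
    return any(src in NET(local) and dst in NET(remote) for local, remote in domain)

def tunnel_selects(rule, asa_domain, pa_domain, pkt_src, pkt_dst):
    """Return (asa_match, pa_match) for one inbound customer packet."""
    post_src, post_dst = twice_nat(IP(pkt_src), IP(pkt_dst), **rule)
    asa_match = in_encryption_domain(asa_domain, post_src, post_dst)
    # The Palo Alto sees the flow mirrored: local is its LAN, remote is the nat-ip
    pa_match = in_encryption_domain(pa_domain, post_dst, post_src)
    return asa_match, pa_match

# Rule as first posted: source untouched, destination 1.1.1.1 -> 10.133.8.18
POSTED_RULE = dict(orig_dst="1.1.1.1", mapped_dst="10.133.8.18", mapped_src=None)
# Rule from the reply, with a constructed nat-ip (192.0.2.10) as translated source
FIXED_RULE = dict(orig_dst="1.1.1.1", mapped_dst="10.133.8.18", mapped_src="192.0.2.10")

# Encryption domains that contain only the nat-ip and the remote LAN (constructed)
ASA_DOMAIN = [("192.0.2.10/32", "10.133.8.0/24")]
PA_DOMAIN = [("10.133.8.0/24", "192.0.2.10/32")]

if __name__ == "__main__":
    customer = "203.0.113.7"   # constructed customer source address
    print("posted rule:", tunnel_selects(POSTED_RULE, ASA_DOMAIN, PA_DOMAIN, customer, "1.1.1.1"))
    print("with nat-ip:", tunnel_selects(FIXED_RULE, ASA_DOMAIN, PA_DOMAIN, customer, "1.1.1.1"))
```

A result of (False, False) means the translated packet never matches the tunnel's traffic selectors, which fits the symptom of nothing arriving on the Palo Alto side.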