05-03-2017 04:06 AM
Hi All,
I have a query regarding NAT operations over a VPN. I've been referring to various guides but I'm still a little confused. As I understood it, an identity nat/nat0 rule is required to prevent the traffic being natted out of the external interface by the default overload NAT? Yet the page below does not mention this. Is this config assuming there is no NAT overload?
http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/vpn/asa-95-vpn-config/vpn-site2site.html
The bulk of this question though relates to what happens if I want to NAT an address before it's sent over the VPN. My current understanding is that I require a NAT, an identity NAT and interesting traffic ACL as follows (assuming only 1 host protected at each end, local 1.1.1.1 to be natted to 2.2.2.2, remote host 3.3.3.3):
----------------------------------------------
Local config:
nat (inside,outside) source static 1.1.1.1 2.2.2.2 destination static 3.3.3.3 3.3.3.3
nat (inside,outside) source static 2.2.2.2 2.2.2.2 destination static 3.3.3.3 3.3.3.3
access-list VPN_Interesting_traffic extended permit ip host 2.2.2.2 host 3.3.3.3
----------------------------------------------
Remote Config:
nat (inside,outside) source static 3.3.3.3 3.3.3.3 destination static 2.2.2.2 2.2.2.2
access-list VPN_Interesting_traffic extended permit ip host 3.3.3.3 host 2.2.2.2
----------------------------------------------
Is this correct or am I completely wrong here?!
Thanks in advance
Chris
05-03-2017 04:23 AM
Yes, that example is assuming there is no NAT.
You don't need the local identity NAT. Remove this from the local config:
nat (inside,outside) source static 2.2.2.2 2.2.2.2 destination static 3.3.3.3 3.3.3.3
05-03-2017 06:08 AM
Thanks Phillip. One final question: do I need another NAT on the local firewall to NAT inbound packets back to the correct address, like this:
nat (outside,inside) source static 3.3.3.3 3.3.3.3 destination static 2.2.2.2 1.1.1.1
05-03-2017 06:09 AM
No.
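The two answers above hinge on how the ASA orders things: manual (twice) NAT is evaluated first-match, a packet that matches no manual rule falls through to the interface overload PAT, and the crypto map's interesting-traffic ACL is then compared against the post-NAT addresses. The following Python model is an added illustration, not Cisco code or anything from this thread; it uses the thread's 1.1.1.1 / 2.2.2.2 / 3.3.3.3 addresses plus a constructed outside-interface address (198.51.100.1) and a deliberately simplified rule format. It shows why the policy static rule alone is enough for outbound traffic to match the crypto ACL, why the overload PAT would otherwise send the packet in the clear, and why the same static rule un-NATs the return traffic without a separate (outside,inside) rule.

```python
from ipaddress import ip_address, ip_network

# Constructed: the local firewall's outside interface address, which the
# interface overload PAT would use as the source of un-exempted traffic.
OUTSIDE_IF = "198.51.100.1"

# Twice-NAT rules in configuration order (first match wins), simplified to
# (real_src, mapped_src, real_dst, mapped_dst). This is the one rule the
# answer says is needed on the local firewall.
LOCAL_NAT = [
    ("1.1.1.1", "2.2.2.2", "3.3.3.3", "3.3.3.3"),
]

# Crypto-map interesting-traffic ACL as (src, dst) pairs. On the ASA this is
# matched against the addresses after NAT has been applied.
CRYPTO_ACL = [("2.2.2.2", "3.3.3.3")]


def _in(addr, net):
    """True if a host address falls inside a network (a bare host is a /32)."""
    return ip_address(addr) in ip_network(net)


def translate_outbound(rules, src, dst, overload_ip=OUTSIDE_IF):
    """Apply the first matching twice-NAT rule to an inside->outside packet.

    If no manual rule matches, the packet falls through to the interface
    overload PAT and leaves with the outside interface address as source.
    Returns (new_src, new_dst, rule_used).
    """
    for real_src, mapped_src, real_dst, mapped_dst in rules:
        if _in(src, real_src) and _in(dst, real_dst):
            return mapped_src, mapped_dst, "static twice-NAT"
    return overload_ip, dst, "interface PAT (overload)"


def untranslate_inbound(rules, src, dst):
    """Reverse a static twice-NAT rule for an outside->inside packet.

    Static rules are bidirectional: a packet arriving for the mapped source
    from the mapped destination is rewritten back to the real addresses, so
    no separate (outside,inside) rule is required.
    Returns (new_src, new_dst, rule_used), or None if no rule matches.
    """
    for real_src, mapped_src, real_dst, mapped_dst in rules:
        if _in(dst, mapped_src) and _in(src, mapped_dst):
            return real_dst, real_src, "static twice-NAT (reverse)"
    return None


def crypto_acl_permits(acl, src, dst):
    """True if any (src, dst) entry of the crypto ACL matches the packet."""
    return any(_in(src, a_src) and _in(dst, a_dst) for a_src, a_dst in acl)


def will_be_encrypted(rules, acl, src, dst):
    """Outbound check: NAT first, then match the crypto ACL on the result."""
    new_src, new_dst, _ = translate_outbound(rules, src, dst)
    return crypto_acl_permits(acl, new_src, new_dst)


if __name__ == "__main__":
    # With the policy static rule: 1.1.1.1 leaves as 2.2.2.2 and matches the ACL.
    print(translate_outbound(LOCAL_NAT, "1.1.1.1", "3.3.3.3"),
          will_be_encrypted(LOCAL_NAT, CRYPTO_ACL, "1.1.1.1", "3.3.3.3"))
    # Without it: the overload PAT rewrites the source to the interface
    # address, the crypto ACL does not match, and the packet goes in the clear.
    print(translate_outbound([], "1.1.1.1", "3.3.3.3"),
          will_be_encrypted([], CRYPTO_ACL, "1.1.1.1", "3.3.3.3"))
    # Return traffic from 3.3.3.3 to 2.2.2.2 is un-NATed by the same rule.
    print(untranslate_inbound(LOCAL_NAT, "3.3.3.3", "2.2.2.2"))
```

Because the rule list is evaluated first-match, the second identity entry from the original local config (2.2.2.2 to 2.2.2.2) would never be consulted for the real host 1.1.1.1, which is the practical reason the answer drops it.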