NAT over VPN Tunnel... depending on destination

m.s.rees1
Level 1

Just wondering if anyone could help out with this...

We currently have multiple VPNs in use on an ASA and are looking to add a new one. We would like the new one to NAT whilst it goes over the new tunnel (none of the others do). Is there a way of mapping all source addresses (not just specific addresses or subnets) to a single NAT address, on this tunnel only, without affecting the other tunnels?

So something like: "If the client is going to destination X on the new tunnel, then NAT with the specified address; if going anywhere else, do not use NAT."

For example:
Tunnel 1: Source 192.168.1.1 (No NAT) -------------------VPN TUNNEL --------- 192.168.2.1
Tunnel 2: Source 172.22.22.1 (No NAT) -------------------VPN TUNNEL---------- 172.22.23.1
New Tunnel: Source Any Address (NAT with 10.10.10.1)-----VPN TUNNEL-----------Tunnel servers 10.10.10.0/24

Apologies if I haven't explained it clearly.

Thanks.


9 Replies

That will NOT work as far as I know; a VPN is L3, so you need a different subnet on each side.

Well for example, we have a subnet of 10.10.10.0/24 and the tunnel devices are going to be on the same subnet on the other side. So I was going to set up a NAT of say 10.10.10.1, which would be able to access the tunnel devices. I need to make it that any IP that tries to get to 10.10.10.0/24 (over the tunnel), translates to 10.10.10.1 before going over... that's where I am stuck. I don't want it to affect any of the other tunnels and only translate when accessing the 10.10.10.0/24 range (over the tunnel) and not in any other scenario.

As I mentioned before, S2S is L3, so the subnets must be different, or you use NAT for overlapping subnets, which is the opposite of what you are doing here.

I'll share a config you can try.

Note: 10.10.100.0 is only a NATing subnet; it does not need to be connected to any ASA interface.

Hi @m.s.rees1 

If you can work with the remote site admin, you can use the example on the link below.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/211275-Configuration-Example-of-ASA-VPN-with-Ov.html


Thanks, I came across that document I think, but they are saying to use specific local addressing as part of the NAT and I need to allow 'any' client and not any specific IP or subnet. As we have various sites and a lot of home workers, we wouldn't be able to use a specific addressing in this case.


New Tunnel: Source Any Address (NAT with 10.10.100.1)-----VPN TUNNEL-----------Tunnel servers 10.10.10.0/24

object network MHM
 subnet 0.0.0.0 0.0.0.0

Then add your NAT.

On the other side you need a static route for 10.10.100.0 toward the S2S VPN peer IP.

Ok thanks for your reply, so if I was to use your config and do something like this:

object network MHM-ANY
 subnet 0.0.0.0 0.0.0.0

object network MHM-NAT
 host 10.10.100.1

object network Tunnel-Subnet
 subnet 10.10.10.0 255.255.255.0

The nat would look something like this:

nat (inside,outside) source static MHM-ANY MHM-NAT

or

nat (inside,outside) source static MHM-ANY MHM-NAT destination static Tunnel-Subnet Tunnel-Subnet

Is this right?

If so, will this affect any other tunnels that are on the ASA currently? (There is no other NAT config on the ASA.)


nat (inside,outside) source static MHM-ANY MHM-NAT destination static Tunnel-Subnet Tunnel-Subnet <<- this one is correct

Will it affect the other VPNs? No, it has no effect, since you made the NAT conditional on the destination.
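A complete ASA configuration for the new tunnel, added here as an editorial example; it is not config posted by either participant. It keeps the thread's object names and addresses (MHM-ANY, MHM-NAT = 10.10.100.1, Tunnel-Subnet = 10.10.10.0/24) and assumes interface names inside/outside, a peer address of 203.0.113.10, and the ACL, crypto-map and proposal names shown, all of which are placeholders. One substitution is the editor's, not the thread's: `source dynamic` (PAT) instead of `source static`, because many internal hosts sharing a single mapped address need per-connection port translation for return traffic to be mapped back to the right host, and a many-to-one static mapping is ambiguous in that direction. The part the thread does not spell out is the crypto ACL: on the ASA, NAT is applied before the crypto-map ACL is evaluated, so the interesting-traffic ACL must match the translated source (10.10.100.1), not the real 0.0.0.0/0.

```cisco
! Added example (editor's, not config from the thread). Interface names,
! peer 203.0.113.10, ACL/crypto-map/proposal names are placeholders.

! Objects: the thread's names and addresses
object network MHM-ANY
 subnet 0.0.0.0 0.0.0.0
object network MHM-NAT
 host 10.10.100.1
object network Tunnel-Subnet
 subnet 10.10.10.0 255.255.255.0

! Twice NAT (manual NAT). The rule is conditioned on the destination, so
! traffic to 192.168.2.1 or 172.22.23.1 on the existing tunnels never
! matches it and stays untranslated. "source dynamic" = PAT: every
! internal host shares 10.10.100.1 and the ASA keys return traffic by
! source port (editor's substitution for "source static" in the thread).
nat (inside,outside) source dynamic MHM-ANY MHM-NAT destination static Tunnel-Subnet Tunnel-Subnet

! Interesting-traffic ACL for the new tunnel. NAT runs before the crypto
! ACL check, so the ACL matches the mapped source, not the real one.
access-list NEW-TUNNEL-VPN extended permit ip object MHM-NAT object Tunnel-Subnet

! Crypto map entry binding that ACL to the peer (IKEv2 policy and
! tunnel-group omitted; same pattern as the existing tunnels)
crypto map OUTSIDE-MAP 30 match address NEW-TUNNEL-VPN
crypto map OUTSIDE-MAP 30 set peer 203.0.113.10
crypto map OUTSIDE-MAP 30 set ikev2 ipsec-proposal AES256-PROPOSAL
crypto map OUTSIDE-MAP interface outside

! Verification: the first trace should show the NAT rule and the new
! crypto map phase; the second (existing tunnel) should show no NAT hit.
packet-tracer input inside tcp 192.168.1.50 12345 10.10.10.20 443
packet-tracer input inside tcp 192.168.1.50 12345 192.168.2.1 443
show nat detail
show xlate
```

Two caveats a practitioner would check before declaring this done. First, the remote side must mirror the post-NAT addressing: its crypto ACL and routing need to cover 10.10.100.1 (or 10.10.100.0/24), not the real client subnets. Second, the rule above only matches flows entering on inside. The original post mentions home workers; if they reach the ASA over a remote-access VPN that terminates on outside, their traffic to 10.10.10.0/24 is outside-to-outside and needs `same-security-traffic permit intra-interface` plus an equivalent `nat (outside,outside) source dynamic ... destination static ...` rule, or it will bypass the translation entirely.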

m.s.rees1
Level 1

Perfect, that's what I needed to know! Thanks so much.