03-31-2021 09:16 PM - edited 03-31-2021 09:18 PM
Hello!
Odd question here. We have a vendor who will NOT change their VPN for any reason to allow both my main office and a remote site to access their resources. They will only allow my main office to connect and won't add any additional subnets. My main office subnet is nearly full as well. I have a Cisco ASA at my main office and at the remote site with an IPsec VPN, and my main office has an IPsec VPN to the vendor as well. So what I want to do is to make all traffic from the remote site destined for the vendor (through the main office) NAT its source IPs to a single IP address on the main office subnet, then go out the VPN looking like it came from the main office. If there's a better way, please let me know. Here's the NAT statement I've done on the main office, but a packet tracer gets stuck at the VPN stage. It seems to NAT properly, but I'm not sure why it can't continue through the VPN.
object network remote_to_vendor
 host 10.243.20.100
object network remote_subnet
 subnet 192.168.45.0 255.255.255.0
nat (outside,outside) source static remote_subnet remote_to_vendor destination static vendor vendor
Any input is appreciated.
edit: I forgot to add that I want to overload the single IP address so that all of the remote network IPs appear as one IP with dynamic source ports to the vendor.
03-31-2021 10:00 PM
Stand down! I was finally able to answer my own question. I actually had it right. I just needed to initiate traffic for the packet tracer to work. In the end, I used...
nat (outside,outside) source dynamic remote_subnet pat-pool remote_to_vendor destination static vendor vendor
03-31-2021 09:33 PM
I also just tried this one that seems to go a bit further in the packet tracer where remote_subnet is the whole remote subnet, and the remote_to_vendor group is a group of 5 addresses in the main office subnet.
nat (outside,outside) source dynamic remote_subnet pat-pool remote_to_vendor destination static vendor vendor
Here's the packet tracer output:
admin(config)# packet-tracer inpu outside tcp 192.168.45.10 https 10.243.8.10 $
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source dynamic remote_subnet pat-pool remote_to_vendor destination static vendor vendor
Additional Information:
NAT divert to egress interface outside
Untranslate 10.243.8.10/443 to 10.243.8.10/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_in in interface outside
access-list outside_in extended permit ip object-group remote object-group vendor
object-group network remote
network-object 192.168.45.0 255.255.255.0
object-group network vendor
network-object 10.243.8.0 255.255.255.0
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,outside) source dynamic remote_subnet pat-pool remote_to_vendor destination static vendor vendor
Additional Information:
Dynamic translate 192.168.45.10/443 to 10.243.20.100/443
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000561b6ac97a57 flow (tunnel-pending)/snp_sp_action_cb:1748
03-31-2021 09:46 PM
One more update. If I do packet tracer detailed, I can see two things. First, the NATting taking place, which you can see in the previous example at phase 3. Then on phase 7 it looks to me like it's trying to use the original source for the VPN, which would be wrong. I'm sure this is what I need to fix.
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f217147c6a0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=12, user_data=0x0, cs_id=0x7f21712fb290, reverse, flags=0x0, protocol=0
src ip/id=192.168.45.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.243.8.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
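The behaviour the thread works through (NAT applied at phase 3 before the VPN lookup at phase 7, so the vendor tunnel's crypto ACL has to match the translated source, and a flow that matches a tunnel with no SA yet is dropped as tunnel-pending until traffic brings it up) can be modelled in a few lines. The following is an added example, not configuration or code from the poster or from Cisco. It reuses the subnets and the PAT address from the thread; the main-office subnet mask and the contents of the vendor tunnel's crypto ACL are assumptions, since the thread does not show them.

```python
import ipaddress

# Values taken from the thread: remote-site subnet, the PAT address on the
# main-office subnet (object remote_to_vendor) and the vendor subnet.
REMOTE_SUBNET = ipaddress.ip_network("192.168.45.0/24")
VENDOR_SUBNET = ipaddress.ip_network("10.243.8.0/24")
PAT_POOL = ["10.243.20.100"]  # pat-pool remote_to_vendor (a single address here)

# Assumption (not in the thread): the main office is 10.243.20.0/24 and the
# vendor tunnel's crypto ACL permits main office -> vendor only.
MAIN_OFFICE_SUBNET = ipaddress.ip_network("10.243.20.0/24")
CRYPTO_ACLS = {
    "vendor_tunnel": [(MAIN_OFFICE_SUBNET, VENDOR_SUBNET)],
}


class PatPool:
    """Toy model of an ASA dynamic PAT pool: many inside sources share the
    pool addresses, and each flow is given its own mapped source port."""

    def __init__(self, pool, first_port=1024, last_port=65535):
        self.pool = [ipaddress.ip_address(a) for a in pool]
        self.next_port = {a: first_port for a in self.pool}
        self.last_port = last_port
        self.xlate = {}  # (src, sport, dst, dport) -> (mapped_ip, mapped_port)

    def translate(self, src, sport, dst, dport):
        key = (src, sport, dst, dport)
        if key not in self.xlate:
            for mapped_ip in self.pool:  # first pool address with a free port
                port = self.next_port[mapped_ip]
                if port <= self.last_port:
                    self.next_port[mapped_ip] = port + 1
                    self.xlate[key] = (mapped_ip, port)
                    break
            else:
                raise RuntimeError("PAT pool exhausted")
        return self.xlate[key]


def matches_crypto_acl(tunnel, src, dst):
    """True if src -> dst is interesting traffic for the named tunnel."""
    src = ipaddress.ip_address(str(src))
    dst = ipaddress.ip_address(str(dst))
    return any(src in s and dst in d for s, d in CRYPTO_ACLS[tunnel])


def forward(pat, src, sport, dst, dport, tunnels_up=()):
    """Apply the order packet-tracer shows: NAT (phase 3) before VPN (phase 7).

    Returns (mapped_src, mapped_sport, tunnel, action). The crypto ACL is
    evaluated on the post-NAT source, so a remote-site host only fits the
    vendor tunnel once it has been translated into the main-office subnet.
    A flow whose tunnel has no SA established is reported as tunnel-pending,
    which is what the thread's packet-tracer run hit before traffic was sent.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if src_ip in REMOTE_SUBNET and dst_ip in VENDOR_SUBNET:
        mapped_ip, mapped_port = pat.translate(src_ip, sport, dst_ip, dport)
    else:
        mapped_ip, mapped_port = src_ip, sport  # NAT rule does not apply
    tunnel = next(
        (t for t in CRYPTO_ACLS if matches_crypto_acl(t, mapped_ip, dst_ip)), None
    )
    if tunnel is None:
        action = "DROP (no crypto ACL match)"
    elif tunnel not in tunnels_up:
        action = "DROP (tunnel-pending)"
    else:
        action = "ALLOW"
    return str(mapped_ip), mapped_port, tunnel, action


if __name__ == "__main__":
    pool = PatPool(PAT_POOL)
    # Constructed flows: two remote-site hosts to the vendor, SA already up.
    for host in ("192.168.45.10", "192.168.45.11"):
        print(host, forward(pool, host, 50000, "10.243.8.10", 443,
                            tunnels_up=("vendor_tunnel",)))
    # Same flow, but before any traffic has brought the vendor tunnel up.
    print(forward(pool, "192.168.45.10", 50000, "10.243.8.10", 443))
    # The untranslated source never matches the vendor tunnel's ACL.
    print(matches_crypto_acl("vendor_tunnel", "192.168.45.10", "10.243.8.10"))
```

Both remote hosts come out with the same mapped address and different mapped ports, which is the overload the original question asked for; the untranslated 192.168.45.x source never matches the vendor tunnel's ACL, and the translated flow is only forwarded once the tunnel is up.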