nat overload over ipsec vpn for remote site to vendor communication

sanchezeldorado
Level 1

Hello! 

 

Odd question here. We have a vendor who will NOT change their VPN for any reason to allow both my main office and a remote site to access their resources. They will only allow my main office to connect and won't add any additional subnets. My main office subnet is nearly full as well. I have a Cisco ASA at my main office and the remote site with an IPsec VPN, and my main office has an IPsec VPN to the vendor as well. So what I want to do is to make all traffic from the remote site destined for the vendor (through the main office) NAT the source IPs to a single IP address on the main office subnet, then go out the VPN looking like it came from the main office. If there's a better way, please let me know. Here's the NAT statement I've done on the main office, but a packet tracer gets stuck at the VPN stage. It seems to NAT properly, but I'm not sure why it can't continue through the VPN.

 

object network remote_to_vendor
host 10.243.20.100
object network remote_subnet
subnet 192.168.45.0 255.255.255.0

nat (outside,outside) source static remote_subnet remote_to_vendor destination static vendor vendor

Any input is appreciated.

 

edit: I forgot to add that I want to overload the single IP address so that all of the remote network IPs appear as one IP with dynamic source ports to the vendor.


3 Replies

sanchezeldorado
Level 1

I also just tried this one that seems to go a bit further in the packet tracer where remote_subnet is the whole remote subnet, and the remote_to_vendor group is a group of 5 addresses in the main office subnet.

nat (outside,outside) source dynamic remote_subnet pat-pool remote_to_vendor destination static vendor vendor

Here's the packet tracer output:

admin(config)# packet-tracer inpu outside tcp 192.168.45.10 https 10.243.8.10 $

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source dynamic remote_subnet pat-pool remote_to_vendor destination static vendor vendor
Additional Information:
NAT divert to egress interface outside
Untranslate 10.243.8.10/443 to 10.243.8.10/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_in in interface outside
access-list outside_in extended permit ip object-group remote object-group vendor
object-group network remote
network-object 192.168.45.0 255.255.255.0
object-group network vendor
network-object 10.243.8.0 255.255.255.0
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,outside) source dynamic remote_subnet pat-pool remote_to_vendor destination static vendor vendor
Additional Information:
Dynamic translate 192.168.45.10/443 to 10.243.20.100/443

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000561b6ac97a57 flow (tunnel-pending)/snp_sp_action_cb:1748

One more update. If I do packet tracer detailed, I can see two things. First, the NAT taking place, which you can see in the previous example, phase 3. Then on Phase 7 it looks to me like it's trying to use the original source for the VPN, which would be wrong. I'm sure this is what I need to fix.

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f217147c6a0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=12, user_data=0x0, cs_id=0x7f21712fb290, reverse, flags=0x0, protocol=0
src ip/id=192.168.45.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.243.8.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Stand down! I was finally able to answer my own question. I actually had it right. I just needed to initiate traffic for the packet tracer to work. In the end, I used...

nat (outside,outside) source dynamic remote_subnet pat-pool remote_to_vendor destination static vendor vendor
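For readers putting the pieces together, here is the full set of main office ASA lines this hairpinned PAT-over-VPN design depends on, as an added example rather than the poster's configuration. It assumes a main office LAN of 10.243.20.0/24, a five-address pool 10.243.20.100-.104, the crypto ACL names remote_site_crypto and vendor_crypto, and that the crypto maps, tunnel-groups and the usual NAT exemptions for both tunnels already exist.

```cisco
! Added example for the main office ASA (not the poster's configuration).
! Assumed: main office LAN 10.243.20.0/24, vendor LAN 10.243.8.0/24,
! remote site LAN 192.168.45.0/24, PAT pool 10.243.20.100-.104, and the
! crypto map / tunnel-group lines for both tunnels already in place.

! Flows enter on outside from the remote-site tunnel and leave on outside
! into the vendor tunnel, so outside-to-outside hairpinning must be allowed.
same-security-traffic permit intra-interface

object network remote_subnet
 subnet 192.168.45.0 255.255.255.0
object network vendor
 subnet 10.243.8.0 255.255.255.0
object network remote_to_vendor
 range 10.243.20.100 10.243.20.104

! Twice NAT (Section 1) rule from the thread: PAT the remote site behind the
! pool only for vendor-bound flows. Placed at line 1 so a broader NAT
! exemption for remote_subnet cannot match first.
nat (outside,outside) 1 source dynamic remote_subnet pat-pool remote_to_vendor destination static vendor vendor

! Crypto ACL for the remote-site tunnel: besides the main office LAN it must
! select vendor-bound traffic too, otherwise the remote site never encrypts
! it toward the main office. The second ACE corresponds to the "reverse"
! rule (src 192.168.45.0/24, dst 10.243.8.0/24) in the detailed output.
access-list remote_site_crypto extended permit ip 10.243.20.0 255.255.255.0 192.168.45.0 255.255.255.0
access-list remote_site_crypto extended permit ip object vendor object remote_subnet

! Crypto ACL for the vendor tunnel: the VPN phase matches the translated
! source, so the main office subnet alone covers the pool and the vendor
! side never has to add 192.168.45.0/24 to its own crypto ACL.
access-list vendor_crypto extended permit ip 10.243.20.0 255.255.255.0 object vendor
```

With the vendor tunnel idle, packet-tracer reports the flow as tunnel-pending because it does not negotiate IKE itself, which is why real traffic had to bring the tunnel up first.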