
NAT Public IP of 1 peer of VPN site-to-site

Myghty1
Level 1

Hello all

I am looking to NAT the public IP of a peer end to create a site-to-site VPN tunnel that will replace an existing VPN tunnel.

Basically, the current tunnel between Peer A and Peer B1 (200.x.x.1) is up and functioning. Peer A cannot be reconfigured, as it is not under my administrative jurisdiction. So, in order to make a change to the tunnel that would be transparent to Peer A, we thought to create a Peer B2 (200.x.x.2) and NAT its public IP to appear as B1 to Peer A.

Peer B2 is an ASA 5512. The tunnel configuration, encryption domain/interesting traffic, etc will all be the same. 

I am looking to see if this is advised, or maybe if there is a better alternative that I haven't thought of for this scenario. If this is possible, what is the best way to set up the NAT rule in ASDM?

Being that B2 is the responder, I have previously tried to set up the NAT rule on Peer B2 with the Outside interface as the source and destination interface for the NAT. I configured the NAT translation on the source side as static and to be translated to B1. 

I woke up and thought to reach out to the community but I will add some screenshots and a diagram once in office. 

Thank you

5 Replies

A diagram will help us to suggest a solution.

Myghty1
Level 1

Finally had a chance to get back to this scenario and make a rudimentary overview diagram. Below is what I am recreating in my lab environment. 

NAT_diagram.jpeg

So from ASDM on Peer B2 (200.x.x.2) I have the NAT rule below. This rule allows me to ping NATd Peer B1 (200.x.x.1) from my lab Peer A and vice versa.  So even if the rule allows me to ping successfully, is the rule correct or just working? I attempted to make the destination interface Outside but the ping was unsuccessful so I have left it to -Any- .

ASDM_NAT (4).jpg

From Peer A, if I run "show crypto isakmp sa" I get the below:

IKEv1 SAs:

Active SA: 1
 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 200.x.x.1
 Type  : user                                    L2L Role : initiator
 Rekey : no                                      State    : MM_WAIT_MSG2

There are no IKEv2 SAs

From Peer B2, "show crypto isakmp sa" results in:

There are no IKEv1 SAs

There are no IKEv2 SAs

Using the packet capture wizard on both Peer A and B2, I can see the packets leaving Peer A and arriving at Peer B2 for the NATed B1 address via port 500.

Why two S2S VPNs? You need only one S2S VPN.

Peer B2 will form the S2S VPN with Peer B1 but use the public IP of the ASA as the peer IP instead of Peer B1;
in the ASA you need only allow the traffic and configure NAT.

Correct, there will only be one S2S VPN. The tunnel connecting Peer B2 to Peer A will replace the existing tunnel between Peer B1 and Peer A. Peer B2 needs to replace B1 seamlessly to build the new tunnel to Peer A. I cannot configure nor access Peer A in production, only in my lab environment. That's why I am seeking guidance on the best way to NAT the outside interface of B2 to appear as B1 so a tunnel can be re-established to Peer A.

I ran a lab where the ASA-MHM2 is in the middle between two ASA S2S peers;
see how I configured the ACL and NAT in ASA-MHM2 and bypassed the IPsec S2S VPN tunnel between the two peers.


Screenshot (201).png
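The following is an added configuration example, not taken from any participant in this thread or from the screenshot above. It shows the in-the-middle design the last reply describes: an intermediate ASA (the role ASA-MHM2 plays in that lab) holds a static NAT that presents Peer B2's real address to the Internet as 200.x.x.1, the address Peer A already expects, and an access-list that permits only IKE (UDP 500), NAT-T (UDP 4500) and ESP from Peer A. The object and access-list names, the interface names, and the placeholders PEER_A_PUBLIC_IP and B2_REAL_IP are assumptions; 200.x.x.1 comes from the thread. The syntax is ASA 8.3+ object NAT.

```text
! Intermediate ASA in front of Peer B2 (ASA 8.3+ NAT syntax). Added example, not the thread's own config.
! Placeholders: PEER_A_PUBLIC_IP (Peer A's outside address), B2_REAL_IP (Peer B2's outside address behind this ASA).
! 200.x.x.1 is the peer address Peer A already has configured for the tunnel.
object network PEER_B2_REAL
 host B2_REAL_IP
 description Peer B2 ASA outside address, presented to Peer A as 200.x.x.1
 nat (inside,outside) static 200.x.x.1

! On 8.3+ the inbound access-list matches the real (untranslated) address, so the
! destination here is B2_REAL_IP, not 200.x.x.1. Only IKE, NAT-T and ESP from Peer A are allowed.
access-list OUTSIDE_IN extended permit udp host PEER_A_PUBLIC_IP host B2_REAL_IP eq isakmp
access-list OUTSIDE_IN extended permit udp host PEER_A_PUBLIC_IP host B2_REAL_IP eq 4500
access-list OUTSIDE_IN extended permit esp host PEER_A_PUBLIC_IP host B2_REAL_IP
access-group OUTSIDE_IN in interface outside

! Verification from the intermediate ASA's CLI:
! show nat detail
!   (untranslate_hits on the PEER_B2_REAL rule should increase as Peer A's IKE packets arrive)
! packet-tracer input outside udp PEER_A_PUBLIC_IP 500 200.x.x.1 500
!   (walks Peer A's first main-mode packet through the ACL and NAT phases and reports
!    whether it is untranslated to B2_REAL_IP and permitted, or where it is dropped)
```

The packet-tracer line is useful for the symptom shown earlier in the thread, where Peer A sits in MM_WAIT_MSG2: it separates a packet dropped by the ACL or not matched by the NAT rule from one that reached Peer B2 but got no IKE reply, which would point at the IKE policy or tunnel-group on B2 instead. Because IKE now crosses a NAT, both peers will detect it through NAT-T and move the negotiation to UDP 4500, which is why that entry is in the access-list alongside UDP 500 and ESP.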