NAT rule used in ASA VPN tunnels

Hawk
Level 1

I need to establish a tunnel in an ASA running 9.6(4)3 and the traffic needs to be initiated from my peer to me.  To be more specific, a host on the peer side needs to send print jobs to a printer in my environment.  All of the existing NAT rules I see in my ASA for other existing tunnels look like traffic is only getting initiated from my side to the peer & it does not appear to show any examples of the peer initiating to my side.  I think when the peer initiates to my side the interfaces need to be reversed as well as their source addresses need to be used first, but I'm not sure.  Here are 2 examples below.  The first example is an existing rule where I know for sure that we are initiating to the peer side.  The second example is what I think the rule should look like if the peer needs to initiate to my side.  Can someone with experience who knows for sure verify how the rule should look if the peer is initiating to my side?  Thanks.

 

Example 1)  My side is initiating to the peer side.... this is a known good configuration

nat (inside,outside) source static obj-192.168.1.20 obj-10.222.58.20 destination static PEER-SIDE PEER-SIDE no-proxy-arp

 

Example 2)  Peer side needs to initiate to my side.... not sure if this is correct

nat (outside,inside) source static PEER-SIDE PEER-SIDE destination static obj-10.222.58.20 obj-192.168.1.20 no-proxy-arp

 

The differences are that I reversed the interfaces & the address that the peer host is trying to connect to on my side.  Please advise.  Thanks!

 

Accepted Solution

The NAT rule is only to statically translate traffic through the Firewall. The rule will work if the traffic is initiated either from inside to outside or outside to inside with respect to the ASA. Dynamic translation rules are uni-directional.

 

The ASA also bypasses inbound ACL checking on the outside interface for VPN traffic by default. So you have nothing to worry about that there as well. 

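As an added illustration of the accepted answer (my own model, not code from the thread or from Cisco), the Python below shows how a single static twice-NAT rule such as Example 1 matches a connection started from either side, and why a dynamic rule only matches from the real side. The contents of the PEER-SIDE object (172.16.5.0/24) and the peer host 172.16.5.10 are assumed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of ASA static twice-NAT matching, not Cisco code. The
# PEER-SIDE contents and peer host are assumed; object names follow Example 1.
PEER_SIDE = "172.16.5.0/24"

@dataclass(frozen=True)
class TwiceNat:
    """nat (real_if,mapped_if) source static REAL_SRC MAPPED_SRC
    destination static MAPPED_DST REAL_DST; dynamic=True models 'source dynamic'."""
    real_if: str
    mapped_if: str
    real_src: str
    mapped_src: str
    mapped_dst: str
    real_dst: str
    dynamic: bool = False

def _in(net, addr):
    return ip_address(addr) in ip_network(net, strict=False)

def _map(addr, from_net, to_net):
    """Static one-to-one: keep the host offset, swap the network part."""
    a, b = ip_network(from_net, strict=False), ip_network(to_net, strict=False)
    if a.prefixlen != b.prefixlen:
        raise ValueError("static one-to-one mapping needs equal-size objects")
    return str(b.network_address + (int(ip_address(addr)) - int(a.network_address)))

def translate(rule, ingress_if, src, dst):
    """Return (egress_if, new_src, new_dst) when the rule applies, else None."""
    # Forward: connection initiated behind real_if (the thread's "my side").
    if ingress_if == rule.real_if and _in(rule.real_src, src) and _in(rule.mapped_dst, dst):
        return (rule.mapped_if, _map(src, rule.real_src, rule.mapped_src),
                _map(dst, rule.mapped_dst, rule.real_dst))
    # Reverse: connection initiated behind mapped_if (the peer). One static rule
    # is applied in both senses; a dynamic rule has no fixed reverse mapping.
    if (not rule.dynamic and ingress_if == rule.mapped_if
            and _in(rule.real_dst, src) and _in(rule.mapped_src, dst)):
        return (rule.real_if, _map(src, rule.real_dst, rule.mapped_dst),
                _map(dst, rule.mapped_src, rule.real_src))
    return None

# Example 1 from the question: nat (inside,outside) source static
# obj-192.168.1.20 obj-10.222.58.20 destination static PEER-SIDE PEER-SIDE
EXAMPLE_1 = TwiceNat("inside", "outside", "192.168.1.20/32", "10.222.58.20/32",
                     PEER_SIDE, PEER_SIDE)
```

Calling `translate(EXAMPLE_1, "outside", "172.16.5.10", "10.222.58.20")` returns the inside-bound packet with its destination restored to 192.168.1.20, so the peer only needs to address the mapped 10.222.58.20 and no second rule is required.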

5 Replies

Rahul Govindan
VIP Alumni

The NAT rule you have is bidirectional, you only need one of the statements for the NAT exemption to apply for inbound or outbound traffic. 

 

Do you know what device is on the other side of the tunnel and what their NAT setup is? You might not be seeing inbound traffic if they have a device that blocks their outbound traffic to your side.

 

Rahul, thanks for the feedback.  Just to clarify for myself, when you say that Example 1 is bi-directional, do you mean when traffic is initiated in either direction, or by both ways do you mean that after traffic is initiated from my side the response traffic from the peer is NATted back in the same TCP session only?  The only reason I ask is because the peer side needs to start a TCP connection to my side also.

 

As for the peer device, I am not sure what they use.  I have a technical meeting set up in a couple of days to establish a VPN tunnel with the peer side engineer.  I'm trying to get as much pre-configuration done as possible in advance.


Rahul, would this exact same configuration work for many-to-many NAT also?  My peer has a /22 prefix & on my side I have a /24 prefix.  If I want to NAT the traffic & to be able to initiate from either side, would I still use static and only need to specify the source & destination prefixes in the NAT rule?  Example 1 only has a single host on my side that needs to initiate to a single host on the peer side.  What would need to change if I need to initiate from either side but both sides each have an entire subnet that needs to be translated?

By bi-directional do you mean that both my side and the peer side can start a new TCP connection, or that after my side starts a TCP connection the response traffic automatically gets NATted back?  I am not sure what device they are using.  I have a technical meeting set in a few days & I'm trying to get as much pre-configuration done in advance as I can.  Thank you.
