NAT Traversal

Qwr! (Level 1)

Host A will ping Host B's IP address via IPsec, but the actual responder is Host C. I just wanted to see if this kind of scenario is possible with Cisco ASAv. Host A is the client side, and Host B is a phantom IP on ASAv. However, Host C is the actual server. The intended communication is from Host A to C via IP B, as IP C is not allowed on Host A's network.


Accepted Solution

Flip it the other way around. You mentioned "as IP C is not allowed on Host A's network", so why don't you present IP C as a NAT'd IP address that Host A can accept?

For example:

object network Host-C-Real-IP
 host 192.168.1.10
!
object network Host-C-Map-IP
 host 10.10.10.10
!
nat (inside,outside) source static Host-C-Real-IP Host-C-Map-IP destination static REMOTE REMOTE
!
access-list SITE-2SITE-VPN extended permit ip object Host-C-Map-IP object REMOTE
!
crypto map CMAP 1 match address SITE-2SITE-VPN

OR

If you want to stick with your original question, in that case configure static NAT:

object network HostB
 host 192.168.100.10
!
object network HostC
 host 172.16.10.10
!
! real object (the actual server C) first, then the mapped (phantom) address B seen from the dmz side
nat (inside,dmz) source static HostC HostB

please do not forget to rate.

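The reason the accepted answer's crypto ACL references the mapped object rather than the real one is the ASA order of operations: NAT is applied before the crypto-map ACL is evaluated, so the Phase 2 proxy identities must be the post-NAT addresses. The following small Python model is an added illustration, not code from the thread; the remote subnet REMOTE = 10.20.20.0/24 is an assumed value.

```python
# Added example: model ASA twice-NAT + crypto-map ACL ordering for the
# "present Host C as a mapped IP" option. Addresses follow the accepted
# answer; REMOTE (10.20.20.0/24) is an assumed value.
from ipaddress import ip_address, ip_network

REMOTE = ip_network("10.20.20.0/24")       # assumed Host A side subnet
HOST_C_REAL = ip_address("192.168.1.10")   # Host-C-Real-IP
HOST_C_MAP = ip_address("10.10.10.10")     # Host-C-Map-IP

# nat (inside,outside) source static Host-C-Real-IP Host-C-Map-IP destination static REMOTE REMOTE
NAT_RULES = [(HOST_C_REAL, HOST_C_MAP, REMOTE)]   # (real_src, mapped_src, dest_net)

# access-list SITE-2SITE-VPN extended permit ip object Host-C-Map-IP object REMOTE
CRYPTO_ACL = [(HOST_C_MAP, REMOTE)]               # (local src, remote dst net)


def translate_outbound(src, dst):
    """Apply the first matching twice-NAT rule (real -> mapped) on the way out."""
    for real, mapped, dest_net in NAT_RULES:
        if src == real and dst in dest_net:
            return mapped, dst
    return src, dst


def untranslate_inbound(src, dst):
    """Reverse the twice-NAT rule for decrypted traffic returning from the peer."""
    for real, mapped, dest_net in NAT_RULES:
        if dst == mapped and src in dest_net:
            return src, real
    return src, dst


def matches_crypto_acl(src, dst, acl):
    return any(src == local and dst in remote for local, remote in acl)


def outbound(src, dst, acl=CRYPTO_ACL):
    """Packet leaving inside: NAT first, then crypto ACL on the translated tuple.
    Returns (encrypted_into_tunnel, src_seen_by_peer, dst)."""
    nat_src, nat_dst = translate_outbound(ip_address(src), ip_address(dst))
    return matches_crypto_acl(nat_src, nat_dst, acl), str(nat_src), str(nat_dst)


def inbound(src, dst, acl=CRYPTO_ACL):
    """Decrypted packet from the peer: must match the crypto ACL in reverse,
    then the destination is un-NATed back to the real server address."""
    src, dst = ip_address(src), ip_address(dst)
    if not matches_crypto_acl(dst, src, acl):
        return False, str(src), str(dst)     # not covered by the SA: dropped
    real_src, real_dst = untranslate_inbound(src, dst)
    return True, str(real_src), str(real_dst)
```

Passing `acl=[(HOST_C_REAL, REMOTE)]` to `outbound` shows the common misconfiguration: a crypto ACL written with the real address never matches, because the source has already been translated to 10.10.10.10 by the time the crypto map is consulted.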

6 Replies


Thank you for sharing insights, much appreciated! 

checking

Qwr! (Level 1)

Thank you. Normally, we practice such that internet users can access our private IP address server using a public address, mapping it to a private one. However, for this case, instead of using the internet IP, we are going to use an IPsec VPN. My understanding is that once the client successfully completes Phase 1 and Phase 2, they should be able to access IP address B, analogous to accessing a public IP. This should then provide connectivity to IP address C. The issue here is that we don't have control over the client side, so we cannot alter their routing domain. Currently, the only segment that can be routed is to IP address B.

IP A (Client) --> ASA-A --> IPsec VPN Tunnel --> ASA-B/IP B (Phantom IP) --> IP C (Server).


In the IPsec tunnel in your case, the remote side and IP-B will be able to communicate, but the remote side cannot access IP-C, unless you configure a route-based VPN tunnel instead of a policy-based VPN.

I did ask earlier if you can present IP-C as an IP address the remote side will accept, which would solve your issue, but you completely ignored my post.

Hence, given the topology above, what you are trying to achieve is not possible.

please do not forget to rate.

MHM-3 builds a VPN with MHM-2; MHM-3 NATs 20.0.0.0 to 220.0.0.0 and uses an ACL of 220.0.0.0 to 30.0.0.0,
and MHM-2 uses an ACL of 30.0.0.0 to 220.0.0.0.

It works, there is no problem.
Just want to confirm that.
Thanks,
MHM