cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1258
Views
4
Helpful
6
Replies

no nat and pat statements

Yves-Buecking_2
Level 1
Level 1

Hi, I have the following question:

I have an asa 5520, and currently the box is pimarily setup for vpn remote access scenario. The IP adresses for the remote clients are lets say in the range 192.168.1.0/24 , assigned by Radius.

I currently have a no nat configuration, because I don?t need nat so far.

Now I would like to setup multiple vpn site to site connections on the same box, and I would like to hide each vpn tunnel "customer" behind a single IP, so in my understanding I would like to make PAT.

The "customerA" should hide behind 192.168.1.129/25, CustomerB behind 192.168.1.130/25 usw.

In my understanding I need a nat 0 statement for no nat?ing the remote vpn users, and a nat 1 entry for nat ?ing the vpn tunnel customer, and hide them.

Could anyone please give me some help and an example with this nat/pat issue.

Thank you very much.

6 Replies 6

Yves-Buecking_2
Level 1
Level 1

any little hint is welcome. !

Thanks

Jon Marshall
Hall of Fame
Hall of Fame

Hi

1) Do you want to hide all customer source IP addresses behind 1 IP address when traffic comes from the customer to you

OR

2) Do you want to present the customer network as 1 IP address to your internal clients.

Also is there any reason you have taken IP addresses in your example from the same range as your client VPN's ?

Jon

Hi Jon,

thanks for the answer.

I would like to to present each customer network behind one IP address for the internal clients.

Yes. Vpn clients should be in the first half of the /25 mask, site2 site beginninng with .129.

I have only one C class availible, so I thought it might make sense to split.

Hi

Okay, that might be a problem. if you wanted to translate all customer source IP addresses to one of your 192.168.1.x/25 addresses then this would be relatively easy.

But it sounds from your answer that you want to present the customer network to your VPN clients as one IP address. This assumes that the connection will be intiated FROM your VPN clients.

And this is the problem. Lets say for arguments sake that one of your customer networks is 172.16.5.0/24. Additionally, within that network your vpn clients want to intiate connections to 172.16.5.10,11,20 & 50.

Now you present the whole 172.16.5.0/24 network as 192.168.1.130. A vpn client wants to talk to 172.16.5.20 and so it sends a packet to 192.168.1.130. How does the firewall know which 172.16.5.x address the vpn client wants to talk to.

The answer is it doesn't. For each of the 172.16.5.x hosts within the customer network you would need to use a 192.168.1.x address to present it to your internal vpn clients.

Note that if the connections are always initiated from the customer network then you can hide all their IP addresses being one of your 192.168.1.x addresses.

Hope i have understood correctly.

Jon

Let me try again to describe my problem:

I have vpn clients that will be assigned an IP address from the pool 192.168.1.1-126, and they should be able to access my cooperate network without any nat translation. So I assume I need a nat0 statement.

Then I have site2site customers connected to my cooperate network, and I would like to hide each seperate customer behind a seperate ip address, from the pool 192.168.1.129-254.

I my understanding I need a pat statement, that means an additional nat 1 entry.

Now I get confused with this two nat entries nat0 and nat1 , and I could not figure out how to do this.

The vpn clients usually will not talk to the customer sit to site vpn.

I have the net A that should not be translated, and I have ip addresses from pool B, that should hide customer networks, so that the source ip gets behind a nated ip.

Thanks for your support so far Jon.

Hi

If you want to hide source IP address of customer networks.

Lets say customer network is 172.16.5.0/24 and it arrives on the outside interface. Customer IP addresses should be hidden behind 192.168.1.130.

nat (outside) 2 172.16.5.0 255.255.255.0 outside

global (inside) 2 192.168.1.130

This will change the source IP addresses of 172.16.5.x to appear to be from 192.168.1.130. This will only work if the traffic is initiated from the customer site.

I hope this makes sense

Jon