Policy NAT over VPN for bi-directional traffic

licenses
Level 1

Here is my scenario:

Site A

Cisco 5505 8.3

Internal subnet 1.1.1.x/24

Main hub

Site B

Cisco 5505 8.2

Internal subnet 2.2.2.x/24

Remote office

Site C

Cisco 5505 8.0

Internal subnet 2.2.2.x/24

Remote office

I have an L2L tunnel between Site A and Site B that encompasses the entire subnets. I need to build a tunnel between Site A and Site C. I would prefer to encompass the entire subnet in the tunnel, but there are 5 servers on each side that HAVE to communicate. I can narrow that tunnel down to those servers if need be. Site B and Site C will never pass traffic between them.

I would like to NAT the traffic from Site C before it hits the tunnel. I have seen the documentation and that seems doable. Here is my problem: I read that in this scenario the traffic MUST initiate from Site C in order to work. This causes me great pain, as most of the time the traffic will initiate from Site A.

I have full admin access to all three ASAs.  I would like to do all of the NATing in this scenario on Site C if at all possible.

Thanks in advance,

3 Replies

Jennifer Halim
Cisco Employee

Perfect, if you want to do the NATing on site C, then it's easy.

Here you go:

On site C:

access-list nat-to-A permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0

static (inside,outside) 3.3.3.0 access-list nat-to-A

crypto ACL:

access-list cryptoACL permit ip 3.3.3.0 255.255.255.0 1.1.1.0 255.255.255.0

On site A:

crypto ACL:

access-list cryptoACL permit ip 1.1.1.0 255.255.255.0 3.3.3.0 255.255.255.0

NAT exemption: as usual

Traffic can be initiated from site A or site C.

I'm not even building a tunnel with that config. See snips below:

Site C:

Policy NAT part

access-list PNAT4TULSA extended permit ip 10.1.0.0 255.255.255.0 10.217.87.0 255.255.255.0

where 10.1.0.0/24 is my internal subnet and 10.217.87.0/24 is my remote subnet

static (inside,outside) 10.221.17.0  access-list PNAT4TULSA

where 10.221.17.0/24 is what I want to NAT to

Crypto map part

access-list VPN2TULSA extended permit ip 10.221.17.0 255.255.255.0 10.217.87.0 255.255.255.0

where 10.221.17.0/24 is the subnet I want to NAT to

crypto map outside_map 1 match address VPN2TULSA

crypto map outside_map 1 set peer xxx.xxx.xxx.xxx

crypto map outside_map 1 set transform-set ESP-3DES-SHA

NAT0 part

access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.255.0 10.217.87.0 255.255.255.0

Site A (this one is 8.3, remember):

object network FNB

subnet 10.221.17.0 255.255.255.0

object network TULSA

subnet 10.217.87.0 255.255.255.0

nat (inside,outside) source static TULSA TULSA destination static FNB FNB

access-list VPN2FNB extended permit ip 10.217.87.0 255.255.255.0 10.221.17.0 255.255.255.0

crypto map outside_map 8 match address VPN2FNB

crypto map outside_map 8 set peer xxx.xxx.xxx.xxx

crypto map outside_map 8 set ikev1 transform-set ESP-3DES-SHA

Both sites have matching IKE policies and I have verified the PSK for both tunnel-group entries. I'm sure that there is one little thing that I am missing; I just need a nudge in the right direction.

When you have static policy NAT configured, the NAT 0 access-list needs to be removed, as NAT 0 with an access-list takes precedence over the static NAT; hence it is not even building the tunnel.

So at site C, please remove the following:

NAT0 part

access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.255.0 10.217.87.0 255.255.255.0
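The two answers above rest on one ordering rule of the pre-8.3 ASA: a `nat 0 access-list` match is evaluated before static policy NAT, and a packet that is exempted keeps its real source address, so it never matches a crypto ACL written for the mapped subnet. The model below is an added illustration written for this thread, not configuration or code from Cisco or from either poster. It re-creates Site C's three access-lists (`PNAT4TULSA`, `VPN2TULSA`, `inside_nat0_outbound`) and Site A's `VPN2FNB` with the addresses from the thread, applies the ordering rule to a sample packet from a constructed host `10.1.0.5`, and shows why the tunnel is selected only once the NAT 0 line is gone, and why the static translation also lets Site A initiate toward the mapped `10.221.17.x` address. The `SiteC` class, its method names and the net-to-net offset arithmetic are simplifications chosen for the example, not ASA internals.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip <src> <dst>' line of an ASA access-list."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def acl(*entries):
    """Build an access-list from (source-net, destination-net) pairs in CIDR form."""
    return [AclEntry(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in entries]


def matches(entries, src, dst):
    """True if any entry permits this source/destination pair."""
    return any(src in e.src and dst in e.dst for e in entries)


@dataclass
class SiteC:
    """Simplified model of Site C (ASA 8.2) NAT ordering; not ASA internals."""
    real_net: ipaddress.IPv4Network = ipaddress.ip_network("10.1.0.0/24")      # inside subnet
    mapped_net: ipaddress.IPv4Network = ipaddress.ip_network("10.221.17.0/24")  # static (inside,outside) 10.221.17.0
    nat0: list = field(default_factory=list)        # access-list inside_nat0_outbound
    policy_nat: list = field(default_factory=list)  # access-list PNAT4TULSA
    crypto: list = field(default_factory=list)      # access-list VPN2TULSA

    def translate_outbound(self, src, dst):
        # Rule from the reply: NAT 0 with an access-list wins over static policy NAT.
        # An exempted packet keeps its real source address.
        if matches(self.nat0, src, dst):
            return src
        # Static policy NAT is net-to-net: keep the host offset, swap the network.
        if matches(self.policy_nat, src, dst) and src in self.real_net:
            offset = int(src) - int(self.real_net.network_address)
            return ipaddress.ip_address(int(self.mapped_net.network_address) + offset)
        return src

    def tunnel_selected(self, src, dst):
        # The crypto ACL is checked against the post-NAT packet.
        return matches(self.crypto, self.translate_outbound(src, dst), dst)

    def untranslate_inbound(self, dst_mapped):
        # Static NAT is bidirectional: a packet from Site A addressed to the
        # mapped address is delivered to the corresponding real inside host.
        if dst_mapped in self.mapped_net:
            offset = int(dst_mapped) - int(self.mapped_net.network_address)
            return ipaddress.ip_address(int(self.real_net.network_address) + offset)
        return dst_mapped


def build_site_c(keep_nat0):
    """Site C as posted; keep_nat0=True reproduces the broken state, False the fix."""
    c = SiteC(
        policy_nat=acl(("10.1.0.0/24", "10.217.87.0/24")),
        crypto=acl(("10.221.17.0/24", "10.217.87.0/24")),
    )
    if keep_nat0:
        c.nat0 = acl(("10.1.0.0/24", "10.217.87.0/24"))
    return c


# Site A (8.3): identity NAT keeps both subnets as-is, so only its crypto ACL matters here.
SITE_A_CRYPTO = acl(("10.217.87.0/24", "10.221.17.0/24"))  # access-list VPN2FNB


def demo():
    src = ipaddress.ip_address("10.1.0.5")       # constructed Site C host
    dst = ipaddress.ip_address("10.217.87.10")   # constructed Site A host
    broken, fixed = build_site_c(keep_nat0=True), build_site_c(keep_nat0=False)
    return {
        "with_nat0_xlated": str(broken.translate_outbound(src, dst)),
        "with_nat0_tunnel": broken.tunnel_selected(src, dst),
        "without_nat0_xlated": str(fixed.translate_outbound(src, dst)),
        "without_nat0_tunnel": fixed.tunnel_selected(src, dst),
        # Site A initiating toward the mapped address, as the OP needs:
        "site_a_tunnel": matches(SITE_A_CRYPTO, dst, ipaddress.ip_address("10.221.17.5")),
        "site_a_to_mapped": str(fixed.untranslate_inbound(ipaddress.ip_address("10.221.17.5"))),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the NAT 0 line in place the packet leaves as `10.1.0.5`, which `VPN2TULSA` does not cover, so no SA is ever negotiated; without it the source becomes `10.221.17.5`, the crypto ACLs on both ends agree on `10.221.17.0/24 <-> 10.217.87.0/24`, and because the static translation is bidirectional a Site A host can open the connection to `10.221.17.5` and reach `10.1.0.5`. The model ignores interface ACLs, route lookups and NAT-T details, which are out of scope for the precedence point made in the reply.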
