Policy NAT, Static NAT, and L2L VPN

pcaddict1
Level 1

Here is the scenario:  I am to establish a L2L VPN.  When trying to determine what hosts on my inside network will be accessing hosts on the remote network through the VPN, I can't seem to get a straight answer from those in charge.

My thought was to use a private network of 10.17.24.0/24 and NAT any hosts on my inside network to 10.17.24.x.  As a side note, the hosts from my inside network could be on any subnet in the range of 172.12.x.0.  I would then put 10.17.24.0/24 in my interesting traffic for my crypto ACL.  Since the hosts on my inside network would need to browse the Internet AND communicate with hosts on the remote network through the VPN, I was going to try and accomplish this with Policy NAT. Is it possible to use Policy NAT in this case?  Or do I have to use statics? I did start with statics but couldn't browse the Internet afterwards.  I know I am missing something with the statics but can't figure it out.  I am still fairly new to all of this stuff so please forgive my ignorance.


5 Replies

Hi,

Are you running ASA OS 8.2 or below?

If so... the NAT is as follows...

Policy NAT is to be able to specify NAT rule on other factors besides the source IP address.

For example you can NAT based on destination IP.

You can have different translations made based on where the traffic is going.

This is normally used to NAT traffic when going to Remote Site 1 but not NAT when going to Remote Site 2.

Static NAT is to have an always-established NAT rule (usually 1-to-1 NAT).

This is normally used to allow inbound access (make a server publicly accessible from the Internet).

For L2L VPNs you normally use NAT exemption which is a NAT rule that uses ACL to bypass NAT.

Since you don't regularly want to NAT the traffic when crossing a VPN, you use NAT 0 ACL.

Is this helping you, or you need something else?

Federico.

Thank you for the reply and explanation.  It did clear things up a little.  Typically I do use a NAT 0 ACL.  It's just this particular L2L VPN that is giving me fits.  I am running 8.2.

I think where I am getting messed up is that my hosts could be on any subnet but I only want to NAT them if they are going to hosts on this L2L VPN.  For example, let's say I have three hosts on my inside network: 172.12.1.1, 172.12.2.5, and 172.12.15.7.  When these hosts need to communicate with hosts on the L2L VPN, I want to NAT 172.12.1.1 to 10.17.24.1, 172.12.2.5 to 10.17.24.2, and 172.12.15.7 to 10.17.24.3.  I don't want to NAT an entire subnet to 10.17.24.x.  I just want to NAT certain hosts that traverse the tunnel and still allow those hosts to run freely through my internal network as well as browse the Internet like normal.  I am just not sure how to accomplish it.

I found this link on Cisco's website:  http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a0080b37d0b.shtml

I think it does what I want but it uses policy NAT for a whole subnet.  Using this example would I just have my policy NAT ACL include only the inside hosts 172.12.1.1, 172.12.2.5, and 172.12.15.7?  Then would I have my interesting traffic ACL be the whole 10.17.24.0/24 subnet?  So it would look something like this:

access-list new extended permit ip 10.17.24.0 255.255.255.0 192.168.3.0 255.255.255.0 - interesting traffic ACL

access-list policy-nat extended permit ip host 172.12.1.1 192.168.3.0 255.255.255.0

access-list policy-nat extended permit ip host 172.12.2.5 192.168.3.0 255.255.255.0

access-list policy-nat extended permit ip host 172.12.15.7 192.168.3.0 255.255.255.0

static (inside,outside) 10.17.24.0 access-list policy-nat

For example:

access-list NAT1 permit ip host 172.21.1.1 REMOTEL2L_SUBNET
access-list NAT2 permit ip host 172.21.2.5 REMOTEL2L_SUBNET
access-list NAT3 permit ip host 172.21.15.7 REMOTEL2L_SUBNET

static (in,out) 10.17.24.1 access-list NAT1
static (in,out) 10.17.24.2 access-list NAT2
static (in,out) 10.17.24.3 access-list NAT3

The above configuration will NAT 172.21.1.1 to 10.17.24.1 when going to the remote subnet (through the L2L).

The same behavior for the other hosts.

The important thing is that the ACL for crypto will be from the NATed address:

access-list VPN permit ip host 10.17.24.1 REMOTEL2L_SUBNET
access-list VPN permit ip host 10.17.24.2 REMOTEL2L_SUBNET
access-list VPN permit ip host 10.17.24.3 REMOTEL2L_SUBNET

Or just the entire subnet:

access-list VPN permit ip 10.17.24.0 255.255.255.0 REMOTEL2L_SUBNET

The important thing is that the interesting traffic matches on both ends!

Also, you can still provide Internet and local access as normal.

Internet access:

nat (inside) 1 172.21.0.0 255.255.0.0

global (outside) 1 interface

Hope it helps.

Federico.

coto.fusionet wrote:

Also, you can still provide Internet and local access as normal.

Internet access:

nat (inside) 1 172.21.0.0 255.255.0.0

global (outside) 1 interface

I see what you are saying and thank you for the help. I marked it as correct because it will resolve my issue.  I do have two additional questions.  1) Couldn't I do the same thing just using static NAT?  I know you said that static NAT was typically used to allow access from outside to an inside host.  It just seems like a lot of individual policy-NAT statements when it seems like you could eliminate the policy-NAT and just use static NAT.  I am just trying to make sure I understand the why for your example so I can learn.

2)  If I can use static NAT, do I have to use your example above?  The reason I ask is that I have a nat (inside) 1 0.0.0.0 0.0.0.0 and a global (outside) 1 interface.

If you change the Policy NAT configuration for this:

access-list NAT permit ip 172.21.1.0 255.255.255.0 REMOTE_L2L_SUBNET
static (in,out) 10.17.24.0 access-list NAT

You will have a single line, but the translations are going to go in order one-by-one.
In other words, 172.21.1.1 will be NATed to 10.17.24.1, always keeping the same value in the last octet.

For internet access, you can change your configuration to:

nat (inside) 1 0 0
global (outside) 1 interface

The above indicates that ANY source coming from the inside interface will be PATed to the outside IP of the ASA.

Hope it helps.

Federico.
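As an added example (my own code, not from Federico, the original poster or Cisco), the Python simulator below models the ASA 8.2 order of operations, policy statics first and then nat/global PAT, for both the per-host statics in the accepted answer and the subnet-wide `static ... access-list NAT` form in this last reply, and checks whether the crypto ACL is written in terms of the translated addresses. It assumes the remote subnet 192.168.3.0/24 from the question, a constructed outside address 203.0.113.1, and deliberately writes one crypto line as 172.17.24.2 instead of the mapped 10.17.24.2 to show the mismatch such a check catches.

```python
import ipaddress
OUTSIDE_IP = ipaddress.ip_address("203.0.113.1")   # constructed outside interface address
REMOTE = "192.168.3.0 255.255.255.0"                # remote L2L subnet from the question
CONFIG = f"""
access-list NAT1 permit ip host 172.21.1.1 {REMOTE}
access-list NAT2 permit ip host 172.21.2.5 {REMOTE}
access-list NAT4 permit ip 172.21.4.0 255.255.255.0 {REMOTE}
static (in,out) 10.17.24.1 access-list NAT1
static (in,out) 10.17.24.2 access-list NAT2
static (in,out) 10.17.25.0 access-list NAT4
access-list VPN permit ip host 10.17.24.1 {REMOTE}
access-list VPN permit ip host 172.17.24.2 {REMOTE}
access-list VPN permit ip 10.17.25.0 255.255.255.0 {REMOTE}
nat (inside) 1 0 0
global (outside) 1 interface
""".splitlines()   # constructed config; the 172.17.24.2 crypto line is a deliberate mistake

def _addr(toks):   # consume 'host A' or 'A MASK' -> (network, remaining tokens)
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1]), toks[2:]
    return ipaddress.ip_network((toks[0], toks[1])), toks[2:]

def parse(lines):
    """Return ({acl: [(src_net, dst_net)]}, [(mapped_ip, acl)], pat_to_interface)."""
    acls, statics, pat = {}, [], False
    for t in (l.split() for l in lines if l.strip()):
        if t[0] == "access-list":       # access-list NAME permit ip SRC DST
            src, rest = _addr(t[4:])
            acls.setdefault(t[1], []).append((src, _addr(rest)[0]))
        elif t[0] == "static":          # static (in,out) MAPPED access-list NAME
            statics.append((ipaddress.ip_address(t[2]), t[4]))
        elif t[0] == "global" and t[-1] == "interface":   # paired with nat (inside) 1 0 0
            pat = True
    return acls, statics, pat

def translate(src, dst, acls, statics, pat):
    """ASA 8.2 order of operations: policy statics are checked before dynamic nat/global."""
    for mapped, name in statics:
        for real_net, dst_net in acls[name]:
            if src in real_net and dst in dst_net:
                # one-to-one mapping keeps the host bits, so 172.21.4.55 -> 10.17.25.55
                return mapped + (int(src) - int(real_net.network_address))
    return OUTSIDE_IP if pat else src   # everything else is PATed to the outside interface

def check_tunnel(src, dst):
    """Return (translated source, whether crypto ACL 'VPN' matches the translated flow)."""
    acls, statics, pat = parse(CONFIG)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mapped = translate(src, dst, acls, statics, pat)
    return str(mapped), any(mapped in s and dst in d for s, d in acls["VPN"])
```

Running `check_tunnel("172.21.2.5", "192.168.3.10")` returns the correctly mapped `10.17.24.2` but `False` for the crypto match, which is exactly the symptom of a crypto ACL still written with the real-side address; the peer end must carry the mirror image of the same 10.17.24.x addresses.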