
S2S VPN / NAT

mattipler
Level 1

Good afternoon guys,

 

I'm relatively new to working with VPN and I've a question regarding S2S VPN and NAT. 

 

I've two ASAs (9.8) and a S2S VPN connecting them both. Behind each ASA (upon the inside) I have networks that I want to SNAT when communicating with the other inside network across the S2S VPN.


Looks a little like this... 

 

192.168.1.0/24 (SNAT > 10.10.10.0/24) <-> ASA 1 <-> S2SVPN <-> ASA 2 <-> 192.168.5.0/24 (SNAT 10.10.20.0/24)

 

I've stood up my S2S VPN and I've got SNAT functioning in one direction, from 192.168.1.0/24 to 192.168.5.0/24. When I ping from 192.168.1.0/24 to 192.168.5.0/24 I receive a response and I can see through Wireshark that the translation is functioning and translating to 10.10.10.0/24! Great!

 

I also want to configure the reverse (have 192.168.5.0/24 communications to 192.168.1.0/24 also SNAT) but each attempt I've made to configure this seems to break the configuration I have in place for the functioning SNAT. 

 

This is only a lab environment so I'm not fussed about posting my configuration and in terms of the ACL configuration it's pretty much open / not restricted.

 

The configuration I have in place at the moment is...

 

Upon ASA1

Translation

[image: TRAN.jpg]

ASA 1 S2S VPN

[image: S2S VPN.jpg]

ASA 2 S2S VPN (no translation configured)

[image: VPN2.jpg]

 

As mentioned, the SNAT is working fine in the one direction. I'm just unsure as to how to approach the configuration to make it function in the other direction as well. I've spent a few hours having a shot of it but I've basically been guessing and nothing has worked. 

 

Any assistance appreciated.

3 Replies

Hi,

Please could you provide the full running configuration?

Can you provide the output of "show nat" and "show xlate"?

 

thanks

Francesco Molino
VIP Alumni
Hi
What do you mean the return packet has to be translated?
If you want to do the same thing on asa2 like asa1, you need to configure the nat as well. Can you provide please your config from asa2?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Apologies guys. The solution to this turned out to be reasonably straightforward and logical.

 

As pointed out by Francesco, I needed to create xlate configuration upon ASA2 similar to that of ASA1 but for the ASA2 networks / SNAT configuration.

 

I then needed to update the S2S VPN encryption domains upon both ASAs to include local / local translated network objects and remote local / remote translated objects.

 

Once I'd done this, I could ping in both directions and could verify that the communications were being correctly translated through Wireshark.

 

I hope that makes sense. If anyone would like me to further elaborate upon this I'm happy to!

 

Thanks for your help and apologies for asking stupid questions. 

 

Cheers.
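For anyone landing on this thread later, here is the two-sided configuration the accepted answer describes, written out as an added example. It is not the original poster's configuration (that was only shared as screenshots) and the object names, the interface names inside/outside and the crypto map name OUTSIDE-MAP are assumptions; the existing IKE/IPsec proposal, peer and tunnel-group lines that already make the tunnel come up are left out. The point it shows is the one that broke the one-directional setup: the ASA translates before it evaluates the crypto map, so the crypto ACL (encryption domain) on each side has to match the mapped 10.10.x.0/24 addresses, and the two ACLs must be mirror images of each other.

```cisco
! ===== ASA1 (in front of 192.168.1.0/24, presents itself as 10.10.10.0/24) =====
! Constructed example configuration, not from the thread.
object network ASA1-REAL
 subnet 192.168.1.0 255.255.255.0
object network ASA1-MAPPED
 subnet 10.10.10.0 255.255.255.0
object network ASA2-MAPPED
 subnet 10.10.20.0 255.255.255.0
!
! Twice NAT: when an inside host talks to the peer's mapped range 10.10.20.0/24,
! its source is translated 192.168.1.x -> 10.10.10.x. The destination clause is an
! identity translation (ASA2 un-maps 10.10.20.x to 192.168.5.x on its own side).
! A static rule is bidirectional, so inbound 10.10.20.0/24 -> 10.10.10.0/24 is
! translated back to 192.168.1.0/24 by the same rule.
nat (inside,outside) source static ASA1-REAL ASA1-MAPPED destination static ASA2-MAPPED ASA2-MAPPED
!
! Crypto ACL matches the POST-NAT addresses, since NAT runs before the crypto map
! lookup on egress. Traffic that misses this ACL is not protected by the tunnel.
access-list VPN-TO-ASA2 extended permit ip object ASA1-MAPPED object ASA2-MAPPED
crypto map OUTSIDE-MAP 10 match address VPN-TO-ASA2

! ===== ASA2 (in front of 192.168.5.0/24, presents itself as 10.10.20.0/24) =====
! Mirror image of ASA1: same structure, real/mapped roles swapped.
object network ASA2-REAL
 subnet 192.168.5.0 255.255.255.0
object network ASA2-MAPPED
 subnet 10.10.20.0 255.255.255.0
object network ASA1-MAPPED
 subnet 10.10.10.0 255.255.255.0
!
nat (inside,outside) source static ASA2-REAL ASA2-MAPPED destination static ASA1-MAPPED ASA1-MAPPED
!
! Must be the exact reverse of ASA1's ACL (source/destination swapped), otherwise
! the proxy IDs offered by the two peers do not agree and the SA does not come up.
access-list VPN-TO-ASA1 extended permit ip object ASA2-MAPPED object ASA1-MAPPED
crypto map OUTSIDE-MAP 10 match address VPN-TO-ASA1
```

To check it without a packet capture, run `show nat detail` and `show xlate` (as asked for earlier in the thread) on each box after a ping, and `show crypto ipsec sa` to confirm the SA's local/remote identities are the 10.10.x.0/24 ranges. `packet-tracer input inside icmp 192.168.1.10 8 0 10.10.20.10 detailed` on ASA1 (addresses constructed for this example) walks the flow through the NAT phase and then the VPN phase, which makes a NAT/crypto ACL mismatch obvious before any traffic is sent.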