10-04-2018 07:48 AM
Good afternoon guys,
I'm relatively new to working with VPN and I've a question regarding S2S VPN and NAT.
I've two ASAs (9.8) and a S2S VPN connecting them both. Behind each ASA (upon the inside) I have networks that I want to SNAT when communicating with the other inside network across the S2S VPN.
Looks a little like this...
192.168.1.0/24 (SNAT > 10.10.10.0/24) <-> ASA 1 <-> S2SVPN <-> ASA 2 <-> 192.168.5.0/24 (SNAT 10.10.20.0/24)
I've stood up my S2S VPN and I've got SNAT functioning in one direction, from 192.168.1.0/24 > 192.168.5.0/24. When I ping from 192.168.1.0/24 to 192.168.5.0/24 I receive a response and I can see through Wireshark that the translation is functioning and translating to 10.10.10.0/24! Great!
I also want to configure the reverse (have 192.168.5.0/24 communications to 192.168.1.0/24 also SNAT) but each attempt I've made to configure this seems to break the configuration I have in place for the functioning SNAT.
This is only a lab environment so I'm not fussed about posting my configuration and in terms of the ACL configuration it's pretty much open / not restricted.
The configuration I have in place at the moment is...
Upon ASA1
Translation
ASA 1 S2S VPN
ASA 2 S2S VPN (no translation configured)
As mentioned, the SNAT is working fine in the one direction. I'm just unsure as to how to approach the configuration to make it function in the other direction as well. I've spent a few hours having a shot of it but I've basically been guessing and nothing has worked.
Any assistance appreciated.
10-04-2018 11:08 AM
Hi,
Please could you provide the full running configuration?
Can you provide the output of "show nat" and "show xlate"?
thanks
10-05-2018 02:31 AM
Apologies guys. The solution to this turned out to be reasonably straightforward and logical.
As pointed out by Francesco, I needed to create xlate configuration upon ASA2 similar to that of ASA1 but for the ASA2 networks / SNAT configuration.
I then needed to update the S2S VPN encryption domains upon both ASAs to include local / local translated network objects and remote local / remote translated objects.
Once I'd done this, I could ping in both directions and could verify that the communications were being correctly translated through Wireshark.
I hope that makes sense. If anyone would like me to further elaborate upon this I'm happy to!
Thanks for your help and apologies for asking stupid questions.
Cheers.
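As an added illustration of the fix described in this thread (not the poster's configuration, which is not shown), here is the shape of the mirrored twice NAT and encryption domain on both ASAs. Object names, the interface names inside/outside and the crypto map name VPN-MAP are assumed; the post also listed the real networks in the crypto ACL, whereas this shows the minimum, the translated addresses only.

```cisco
! Added example, not the poster's config. Object names, interface names
! (inside/outside) and the crypto map name VPN-MAP are assumed.
!
! --- ASA1: 192.168.1.0/24 appears to the peer as 10.10.10.0/24 ---
object network ASA1-REAL
 subnet 192.168.1.0 255.255.255.0
object network ASA1-XLATED
 subnet 10.10.10.0 255.255.255.0
object network ASA2-XLATED
 subnet 10.10.20.0 255.255.255.0
! Twice NAT: translate the local source only when the destination is the
! peer's translated range; the destination itself is left unchanged.
nat (inside,outside) source static ASA1-REAL ASA1-XLATED destination static ASA2-XLATED ASA2-XLATED no-proxy-arp route-lookup
! The encryption domain is written with post-NAT addresses, because the
! ASA evaluates the crypto ACL after the translation has been applied.
access-list VPN-ACL extended permit ip object ASA1-XLATED object ASA2-XLATED
crypto map VPN-MAP 10 match address VPN-ACL
!
! --- ASA2: the mirror image, 192.168.5.0/24 appears as 10.10.20.0/24 ---
object network ASA2-REAL
 subnet 192.168.5.0 255.255.255.0
object network ASA2-XLATED
 subnet 10.10.20.0 255.255.255.0
object network ASA1-XLATED
 subnet 10.10.10.0 255.255.255.0
nat (inside,outside) source static ASA2-REAL ASA2-XLATED destination static ASA1-XLATED ASA1-XLATED no-proxy-arp route-lookup
access-list VPN-ACL extended permit ip object ASA2-XLATED object ASA1-XLATED
crypto map VPN-MAP 10 match address VPN-ACL
!
! Checks (on either ASA): confirm the translation is hit and that the
! packet ends up encrypted rather than dropped or sent in the clear.
! show nat detail
! show xlate
! packet-tracer input inside icmp 192.168.1.10 8 0 10.10.20.10 detailed
```

Each side's crypto ACL must be the exact mirror of the other's, otherwise phase 2 fails with a proxy ID mismatch; an asymmetric ACL is also what lets one direction keep working while the reverse silently breaks.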