Site-to-Site/ B2B VPN tunnels

cindy.palmer
Level 1

Got a bit of a conundrum

Running a Cisco 5525-X ASA. This is the firewall as well as the endpoint of the B2B VPN tunnels.

Lately I have several B2B VPN tunnels where AWS is the other endpoint.

Creating ACLs:

AWS uses CIDR ranges where the minimum is a /24. I've been told they don't NAT. The latest request is a cluster of four subnets (/24). Over 1,000 possible connections to a single production database is NOT a good thing.

Anybody have an idea about how to configure this down to a one IP to one IP access rule? Or, is this even possible? Other suggestions?

THANKS!

5 Replies

@cindy.palmer 

I assume the database server is located in AWS? There is no reason why you cannot NAT on the ASA5525 you control, either behind 1 IP address or a pool of IP addresses. All traffic sent over the VPN tunnel to AWS would be sourced from this NAT ip address.

Thank you but apparently I didn't make myself entirely clear.

The database server is behind the ASA and yes it is NAT'd. BUT the sources coming into that database are in AWS. Four full /24 subnets. That's what I'm trying to figure out, if it is possible to narrow that scope.

Ok fine, you can still NAT after the traffic has been decrypted inbound. Example:

object network SVR
host 192.168.250.1
object network AWS-REAL
subnet 10.10.0.0 255.255.0.0
object network AWS-NAT
host 192.168.251.1
!
nat (OUTSIDE,INSIDE) source static AWS-REAL AWS-NAT destination static SVR SVR

Any traffic routed over the VPN from the AWS-REAL network will be translated to the object AWS-NAT. The SVR will see traffic only from that AWS-NAT IP address, not an IP address in AWS-REAL networks.
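Putting the suggestion above together with the asker's four /24 ranges and an access rule, as an added example that is not part of the thread (the 10.10.x.0/24 prefixes, the 1433 listener port and the ACL name OUTSIDE-IN are constructed placeholders, and the ACL assumes no existing inbound rule set on OUTSIDE):

```cisco
! Real AWS source ranges (constructed example prefixes; substitute the four /24s from the request)
object-group network AWS-REAL
 network-object 10.10.1.0 255.255.255.0
 network-object 10.10.2.0 255.255.255.0
 network-object 10.10.3.0 255.255.255.0
 network-object 10.10.4.0 255.255.255.0
!
! Single address the database will see as the source of every AWS connection
object network AWS-NAT
 host 192.168.251.1
!
! Database server, referenced by its real (inside) address
object network SVR
 host 192.168.250.1
!
! Manual (twice) NAT, applied after the tunnel has decrypted the traffic:
! any AWS-REAL source becomes AWS-NAT when the destination is SVR
nat (OUTSIDE,INSIDE) source static AWS-REAL AWS-NAT destination static SVR SVR
!
! Interface ACL: since ASA 8.3 access rules match real (untranslated) addresses,
! so the source is still AWS-REAL; narrow it to the database port only
! (1433 is a placeholder; use the actual listener port)
access-list OUTSIDE-IN extended permit tcp object-group AWS-REAL object SVR eq 1433
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface OUTSIDE
!
! By default decrypted VPN traffic bypasses the interface ACL; disable that so the rule applies
no sysopt connection permit-vpn
```

The one-IP-to-one-IP restriction lands on the server side (its host firewall or database allow-list only needs 192.168.251.1), while the ASA rule still has to name the real AWS ranges but can be limited to the single port.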

cindy.palmer
Level 1

Elegant... and that would mean they could only have one connection to the production database at any given time.

It looks like it may solve my issue with inbound traffic from AWS. I assume I can make the AWS-REAL a group of networks?

One other clarification, since the database is already NAT'd, would the destination be the IP of the server or the NAT'd IP?

nat (OUTSIDE,INSIDE) source static AWS-REAL AWS-NAT destination static DB-REAL DB-REAL

or

nat (OUTSIDE,INSIDE) source static AWS-REAL AWS-NAT destination static DB-NAT DB-NAT

Honest, not being obtuse... just trying to wrap my head around something new. First time I've run into this situation in my career.

THANK you... I do appreciate the dialogue

@cindy.palmer 

Yes you can use an object group or you could just create multiple nat rules, up to you.

You will need to use the real IP address of the database server.