08-02-2021 07:40 AM
Got a bit of a conundrum.
Running a Cisco 5525-X ASA. This is the firewall as well as the endpoint of the B2B VPN tunnels.
Lately I have several B2B VPN tunnels where AWS is the other endpoint.
Creating ACLs:
AWS uses CIDR ranges where the minimum is a /24. I've been told they don't NAT. The latest request is a cluster of four subnets (/24). Over 1,000 possible connections to a single production database is NOT a good thing.
Anybody have an idea about how to configure this down to a one IP to one IP access rule? Or, is this even possible? Other suggestions?
THANKS!
08-02-2021 07:50 AM
I assume the database server is located in AWS? There is no reason why you cannot NAT on the ASA 5525 you control, either behind 1 IP address or a pool of IP addresses. All traffic sent over the VPN tunnel to AWS would be sourced from this NAT IP address.
08-02-2021 08:38 AM
Thank you but apparently I didn't make myself entirely clear.
The database server is behind the ASA and yes it is NAT'd. BUT the sources coming into that database are in AWS. Four full /24 subnets. That's what I'm trying to figure out, if it is possible to narrow that scope.
08-02-2021 09:42 AM
OK, fine, you can still NAT after the traffic has been decrypted inbound. Example:
! Database server behind the ASA (its real, untranslated address)
object network SVR
 host 192.168.250.1
! Source addresses arriving over the tunnel from AWS
object network AWS-REAL
 subnet 10.10.0.0 255.255.0.0
! Single mapped address the database will see as the source
object network AWS-NAT
 host 192.168.251.1
!
! Twice NAT on the decrypted traffic: AWS-REAL -> AWS-NAT, destination SVR identity-mapped
nat (OUTSIDE,INSIDE) source static AWS-REAL AWS-NAT destination static SVR SVR
Any traffic routed over the VPN from the AWS-REAL network will be translated to the object AWS-NAT. The SVR will see traffic only from that AWS-NAT IP address, not an IP address in AWS-REAL networks.
08-02-2021 02:20 PM
Elegant... and that would mean they could only have one connection to the production database at any given time.
It looks like it may solve my issue with inbound traffic from AWS. I assume I can make AWS-REAL a group of networks.
One other clarification: since the database is already NAT'd, would the destination be the IP of the server or the NAT'd IP?
nat (OUTSIDE,INSIDE) source static AWS-REAL AWS-NAT destination static DB-REAL DB-REAL
or
nat (OUTSIDE,INSIDE) source static AWS-REAL AWS-NAT destination static DB-NAT DB-NAT
Honestly, not being obtuse... just trying to wrap my head around something new. First time I've run into this situation in my career.
THANK you... I do appreciate the dialogue.
08-02-2021 02:27 PM
Yes you can use an object group or you could just create multiple nat rules, up to you.
You will need to use the real IP address of the database server.
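Added example, not from this thread or from Cisco: a small Python script that generates both variants the accepted answer mentions (one object-group holding all AWS subnets versus one NAT statement per subnet) for the twice NAT rule shown earlier, and models what the database host ends up seeing as the source address. The four /24s, the mapped address 192.168.251.1 and the database real address 192.168.250.1 are constructed placeholders; interface names OUTSIDE/INSIDE follow the earlier reply. The destination object is always the database server's real address, as the answer states. Generate the config, paste it into a lab ASA and compare with `show nat detail`; the script does not talk to a device.

```python
import ipaddress

# Constructed example inputs (hypothetical values, not taken from the thread):
# four AWS /24s on the far side of the tunnel, one mapped address the
# database will see, and the database server's real (pre-NAT) address.
AWS_CIDRS = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24", "10.10.4.0/24"]
AWS_NAT_IP = "192.168.251.1"
DB_REAL_IP = "192.168.250.1"
OUTSIDE, INSIDE = "OUTSIDE", "INSIDE"


def asa_mask(net: ipaddress.IPv4Network) -> str:
    """ASA writes networks as 'address dotted-mask', not CIDR."""
    return f"{net.network_address} {net.netmask}"


def build_config(cidrs, nat_ip, db_real_ip, one_rule_per_subnet=False):
    """Return ASA CLI lines for the inbound twice NAT discussed in the thread.

    one_rule_per_subnet=False: a single object-group (AWS-REAL) carries all
    far-side subnets and one 'nat' statement references it.
    one_rule_per_subnet=True:  each subnet gets its own object and its own
    'nat' statement.
    In both cases the destination object SVR is the database server's REAL
    address, identity-mapped (SVR SVR), exactly as in the thread's example.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    lines = [
        "object network SVR",
        f" host {db_real_ip}",
        "object network AWS-NAT",
        f" host {nat_ip}",
    ]
    if one_rule_per_subnet:
        names = []
        for i, net in enumerate(nets, 1):
            name = f"AWS-REAL-{i}"
            names.append(name)
            lines += [f"object network {name}", f" subnet {asa_mask(net)}"]
        lines.append("!")
        for name in names:
            lines.append(f"nat ({OUTSIDE},{INSIDE}) source static {name} AWS-NAT "
                         "destination static SVR SVR")
    else:
        lines.append("object-group network AWS-REAL")
        lines += [f" network-object {asa_mask(net)}" for net in nets]
        lines.append("!")
        lines.append(f"nat ({OUTSIDE},{INSIDE}) source static AWS-REAL AWS-NAT "
                     "destination static SVR SVR")
    return lines


def source_seen_by_db(src_ip, cidrs, nat_ip):
    """Simplified model of the rule: a decrypted packet whose source lies in
    one of the AWS subnets reaches the database with the mapped address as
    its source; any other source keeps its own address (no rule matched).
    """
    src = ipaddress.ip_address(src_ip)
    if any(src in ipaddress.ip_network(c) for c in cidrs):
        return nat_ip
    return src_ip


def covered_hosts(cidrs):
    """Usable far-side host addresses that collapse onto the one NAT address."""
    return sum(ipaddress.ip_network(c).num_addresses - 2 for c in cidrs)


if __name__ == "__main__":
    print("\n".join(build_config(AWS_CIDRS, AWS_NAT_IP, DB_REAL_IP)))
    print()
    print("\n".join(build_config(AWS_CIDRS, AWS_NAT_IP, DB_REAL_IP,
                                 one_rule_per_subnet=True)))
    print(f"\n{covered_hosts(AWS_CIDRS)} AWS hosts would appear as {AWS_NAT_IP}")
```

The object-group form keeps one NAT statement to audit; the per-subnet form lets you later remove or re-map a single /24 without touching the others. Either way the ACL and the database's own allow-list only ever need to know the one mapped address.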