Site to site VPN NAT a couple of DMZ hosts

wilson_1234_2 (Level 3)

I have a site-to-site VPN tunnel on an ASA, Version 9.5(2)2, that is up, active and currently working. I did not configure it, but I need to add a couple of hosts that are not currently in the existing crypto ACL. The existing crypto ACL is configured as follows:

access-list VPN extended permit ip 10.0.0.0 255.0.0.0 10.98.16.0 255.255.240.0

My endpoints are going to be on the following interfaces:

!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 75
 ip address 192.168.100.1 255.255.255.240
!
interface GigabitEthernet0/3
 nameif VRF
 security-level 50
 ip address 10.98.0.15 255.255.255.0
!

Currently the remote site (10.98.16.0/24) is able to get to the local side subnet of 10.98.0.0/24

The remote site has the need to get to a couple of hosts in the DMZ 192.168.100.0/24.

I am wondering if it is possible to NAT these hosts on my side without modifying the existing VPN tunnel.

My goal is to be able to create a NAT translation so that the two hosts in 192.168.100.x will traverse the VPN tunnel through the existing crypto ACL.

One reason for doing this is to be able to NAT the DMZ hosts with no interaction with, or modification of, the remote-side VPN config, as it is not managed by us and it is near impossible to get any technical assistance from the remote side.

Anyone have any thoughts?

Perhaps with a twice NAT config (an additional line) that will not affect the existing NAT?

9 Replies

Hello,

Untested, but I hope this could work.

Note: I took the last available host in the local net matching the crypto ACL, but this can be changed.

object network VPN-PAT-IP
 host 10.255.255.254

object network LOCAL-DMZ-NET-192.168.100.0_28
 subnet 192.168.100.0 255.255.255.240

object network REMOTE-NET-10.98.16.0_20
 subnet 10.98.16.0 255.255.240.0

! Twice NAT: real DMZ hosts are PATed to one address inside 10.0.0.0/8 only
! when the destination is the remote VPN network; other DMZ traffic is untouched.
nat (DMZ,OUTSIDE) source dynamic LOCAL-DMZ-NET-192.168.100.0_28 VPN-PAT-IP destination static REMOTE-NET-10.98.16.0_20 REMOTE-NET-10.98.16.0_20

//Cristian
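A worked configuration added here as an example; it is not from the original post or from Cristian's reply. It shows the static, one-to-one variant of the twice NAT idea above for ASA 9.x: a dynamic PAT to a single address only works for connections the DMZ hosts initiate, whereas a static mapping is bidirectional, so the remote site can also open connections to the DMZ host. Assumptions not stated on the page: the VPN-facing interface is named OUTSIDE, the addresses 10.255.255.10 and 10.255.255.11 are unused anywhere in 10.0.0.0/8 (any unused addresses the remote already routes into the tunnel would do), and 10.98.16.20 is a made-up remote host used only for the packet-tracer check.

```cisco
! Added example, not from the original thread. Assumes OUTSIDE is the nameif
! of the VPN-facing interface and that 10.255.255.10-11 are unused.
!
! Real DMZ hosts that must be reachable across the tunnel.
object network DMZ-HOST-A
 host 192.168.100.10
object network DMZ-HOST-B
 host 192.168.100.11
!
! VPN-facing identities, chosen inside 10.0.0.0/8 so that the post-NAT source
! matches the existing crypto ACL on both ends without touching either side.
object network DMZ-HOST-A-VPN
 host 10.255.255.10
object network DMZ-HOST-B-VPN
 host 10.255.255.11
!
! Remote network exactly as it appears in the crypto ACL.
object network REMOTE-NET-10.98.16.0_20
 subnet 10.98.16.0 255.255.240.0
!
! Static twice NAT (manual NAT, section 1). The rules only match the
! DMZ->OUTSIDE interface pair with the remote network as destination, so the
! existing inside->remote NAT rules are not shadowed. Being static, the
! mapping also works for connections the remote side initiates to 10.255.255.10.
nat (DMZ,OUTSIDE) source static DMZ-HOST-A DMZ-HOST-A-VPN destination static REMOTE-NET-10.98.16.0_20 REMOTE-NET-10.98.16.0_20
nat (DMZ,OUTSIDE) source static DMZ-HOST-B DMZ-HOST-B-VPN destination static REMOTE-NET-10.98.16.0_20 REMOTE-NET-10.98.16.0_20
!
! Verification. The ASA applies NAT before it evaluates the crypto ACL, so the
! NAT phase of the trace must show the source rewritten to 10.255.255.10 and
! the VPN phase must encrypt rather than drop. 10.98.16.20 is a made-up host.
packet-tracer input DMZ tcp 192.168.100.10 40000 10.98.16.20 443
!
! Confirm the rule is installed and, after real traffic, that the encaps and
! decaps counters on the SA for 10.98.16.0/20 increase.
show nat detail
show crypto ipsec sa
```

Two caveats a practitioner will want to check: the remote side must route 10.255.255.x toward its VPN device (it normally does, since its mirror crypto ACL covers 10.0.0.0/8), and if `sysopt connection permit-vpn` has been disabled on this ASA, the inbound ACL on OUTSIDE must permit the remote hosts to the real address 192.168.100.10, because interface ACLs on ASA 8.3 and later match untranslated addresses.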

Thanks for the reply. Suppose I wanted hosts on the inside network, to access the DMZ host with an IP Address on the inside Network?

In other words, NAT the DMZ host to an inside IP Address. I am thinking something like this:

!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 75
 ip address 192.168.100.1 255.255.255.240
!
interface GigabitEthernet0/3
 nameif VRF
 security-level 50
 ip address 10.98.0.15 255.255.255.0
!

object network DMZ_Host
 host 192.168.100.10

object network VRF_Host
 host 10.98.0.10


object network VRF_Host
 nat (VRF,DMZ) static DMZ_Host

Hello,

Without any testing myself, I would say that will work, but only for one host.

If you want multiple hosts to go from VRF to DMZ you can apply PAT by using dynamic.

object network VRF_Host
 nat (VRF,DMZ) dynamic DMZ_Host
object network VRF_Host
 nat (VRF,DMZ) dynamic interface

Or a pool of NAT addresses if you want 1-1 mappings (10 hosts).

object network DMZ_POOL
 range 192.168.100.10 192.168.100.20
object network VRF_Host
 nat (VRF,DMZ) static DMZ_POOL

//Cristian

I am looking to NAT a single host. Users from the VRF (inside) interface, in order to get to the DMZ hosts, will see it as a VRF (inside) IP Address.

I get confused as to the direction when doing the NAT in this manner.

I am not sure that I understand you correctly, but you want a single host from DMZ to speak to VRF?

If so your statement should work.

The higher security-level on DMZ should allow the traffic if no ACL explicitly denies it.

PS.

I told you wrong in my previous post regarding multiple hosts; you are pointing at a single host with both objects. (I never do auto NAT myself.)

//Cristian

No, what I want is for anyone who is able to route to the VRF (inside) interface to be able to get to the DMZ host by using a VRF subnet interface.

For example if someone at 10.98.0.100 wants to get to 192.168.100.10, they would make their connection to 10.98.0.10, as if they were in the same local subnet.

Hello,

You must be aware of conflicts that may happen this way, and I'm not sure it's possible to achieve with the whole subnet, but single hosts could be doable.

This is not tested.

object network DMZ_Host
 host 192.168.100.10
object network VRF_Host
 host 10.98.0.10
! Destination twice NAT: anything entering VRF for 10.98.0.10 is sent to the real DMZ host.
nat (VRF,DMZ) source static any any destination static VRF_Host DMZ_Host route-lookup

[Edit: Typo in ACL]

However, is it not possible to just let the ASA route packets between the VRF and DMZ interfaces?

You then need to apply an ACL, as the security-level is lower on the VRF interface.

Something like this:

object network NET-192.168.100.0_28
 subnet 192.168.100.0 255.255.255.240
object network NET-10.98.0.0_24
 subnet 10.98.0.0 255.255.255.0
! VRF (50) -> DMZ (75) is lower-to-higher, so the permit must be applied inbound on VRF,
! where the packets enter. Note that an access-group on VRF replaces the default
! security-level behaviour for all traffic entering VRF, so existing flows need permits too.
access-list VRF-IN extended permit ip object NET-10.98.0.0_24 object NET-192.168.100.0_28
access-group VRF-IN in interface VRF

//Cristian

[Edit: Typo in access-group]

Would this solution allow for the NATing of just a couple of hosts in the DMZ, and allow all other hosts in the DMZ to be accessed via their native IP address?

Hello,

The above NAT should NAT anyone from VRF going to DMZ to 10.98.0.10 if the destination is 192.168.100.10.

If a user accesses 10.98.0.10, they should get redirected to 192.168.100.10.

I am not sure I understand your goal, though.

//Cristian
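A worked configuration added here as an example, not from the original thread; it covers both the single-host translation Cristian sketched above and the follow-up question about leaving the other DMZ hosts on their native addresses. The direction confusion raised earlier is resolved by the rule that object NAT is written under the object holding the real address, with the interface pair given as (real_ifc,mapped_ifc): to make 192.168.100.10 on DMZ answer as 10.98.0.10 on VRF, the rule lives under the DMZ host object. Assumptions not stated on the page: 10.98.0.10 is unused on 10.98.0.0/24, 10.98.0.100 is a made-up VRF client, and the final permit line stands in for whatever existing VRF-sourced traffic (for example VRF to OUTSIDE across the tunnel) this ASA already carries.

```cisco
! Added example, not from the original thread. Assumes 10.98.0.10 is unused
! on the VRF subnet and that the last permit covers this ASA's existing flows.
!
! Object NAT goes under the object with the REAL address, pair = (real,mapped).
! The ASA will proxy-ARP for 10.98.0.10 on VRF, so a real host with that
! address would conflict; pick an address nothing else uses.
object network DMZ-HOST-A
 host 192.168.100.10
 nat (DMZ,VRF) static 10.98.0.10
!
! Only hosts with a NAT rule are renamed. The rest of 192.168.100.0/28 still
! talks to VRF, and is reached from VRF, with its native addresses.
object network NET-192.168.100.0_28
 subnet 192.168.100.0 255.255.255.240
object network NET-10.98.0.0_24
 subnet 10.98.0.0 255.255.255.0
!
! VRF (50) -> DMZ (75) goes from lower to higher security, so an inbound ACL on
! VRF is required. Because ACLs on ASA 8.3+ match real (untranslated)
! addresses, the permit names 192.168.100.0/28, not 10.98.0.10, even though
! users connect to 10.98.0.10. Applying an access-group replaces the default
! behaviour for ALL traffic entering VRF; the second line is a placeholder for
! the existing flows and is an assumption about this ASA.
access-list VRF-IN extended permit ip object NET-10.98.0.0_24 object NET-192.168.100.0_28
access-list VRF-IN extended permit ip object NET-10.98.0.0_24 any
access-group VRF-IN in interface VRF
!
! Verify both directions: a VRF client to the mapped address (untranslated to
! 192.168.100.10 before the ACL check), and the DMZ host out to VRF (source
! rewritten to 10.98.0.10). 10.98.0.100 is a made-up VRF client.
packet-tracer input VRF tcp 10.98.0.100 40000 10.98.0.10 22
packet-tracer input DMZ tcp 192.168.100.10 40000 10.98.0.100 445
show nat detail
show arp
```

If the goal is only reachability rather than renaming, the NAT rule can be dropped and the ACL alone lets VRF hosts reach 192.168.100.0/28 directly, as Cristian's routing alternative describes; the NAT rule is what makes the DMZ host appear local to the VRF subnet.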