07-28-2016 08:38 AM
I have a site-to-site VPN tunnel on an ASA Version 9.5(2)2 that is up and active and currently working. I did not configure it, but I have the need to add a couple of hosts not currently in the existing crypto ACL. The existing crypto ACL is configured per the following:
access-list VPN extended permit ip 10.0.0.0 255.0.0.0 10.98.16.0 255.255.240.0
My endpoints are going to be on the following interfaces:
!
interface GigabitEthernet0/1
nameif DMZ
security-level 75
ip address 192.168.100.1 255.255.255.240
!
interface GigabitEthernet0/3
nameif VRF
security-level 50
ip address 10.98.0.15 255.255.255.0
!
Currently the remote site (10.98.16.0/24) is able to get to the local side subnet of 10.98.0.0/24.
The remote site has the need to get to a couple of hosts in the DMZ 192.168.100.0/24.
I am wondering if it is possible to NAT these hosts on my side without modifying the existing VPN tunnel.
My goal is to be able to create a NAT translation so that the two hosts in 192.168.100.x will traverse the VPN tunnel through the existing crypto ACL.
One reason for doing this is to be able to NAT the DMZ hosts with no interaction or modification of the remote side VPN config as this is not managed by us and it is near impossible to get any technical assistance from the remote side.
Anyone have any thoughts?
Perhaps with a twice NAT config (an additional line) that will not affect the existing NAT?
08-03-2016 10:33 PM
Hello,
Untested, but I hope this could work.
Note: I took the last available host in the local net matching the crypto ACL - but this can be changed.
object network VPN-PAT-IP
host 10.255.255.254
object network LOCAL-DMZ-NET-192.168.100.0_28
subnet 192.168.100.0 255.255.255.240
object network REMOTE-NET-10.98.16.0_20
subnet 10.98.16.0 255.255.240.0
nat (DMZ,OUTSIDE) source dynamic LOCAL-DMZ-NET-192.168.100.0_28 VPN-PAT-IP destination static REMOTE-NET-10.98.16.0_20 REMOTE-NET-10.98.16.0_20
//Cristian
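A static variant of the same idea, added here as an example and not Cristian's or the original poster's config: each DMZ host gets its own fixed address inside 10.0.0.0/8 so it matches the existing crypto ACL and the remote side can also initiate connections to it. It assumes the tunnel-facing interface is named OUTSIDE, the remote peer address is a placeholder, and the mapped addresses 10.255.255.250 and 10.255.255.251 are constructed and unused on the local side.

```cisco
! Added example, not from the thread. Assumptions: nameif OUTSIDE faces the
! tunnel; 10.255.255.250/.251 are constructed mapped addresses that no local
! device uses and that fall inside the crypto ACL's 10.0.0.0/8 local side.
object network DMZ-HOST-A
 host 192.168.100.10
object network DMZ-HOST-B
 host 192.168.100.11
object network DMZ-HOST-A-VPN
 host 10.255.255.250
object network DMZ-HOST-B-VPN
 host 10.255.255.251
object network REMOTE-NET-10.98.16.0_20
 subnet 10.98.16.0 255.255.240.0
!
! Manual (twice) NAT at the top of section 1 so it is evaluated before any
! broader dynamic rule. Static mapping is bidirectional, so the remote site
! can open connections to 10.255.255.250/.251 as well as receive them.
! The existing NAT exemption for 10.98.0.0/24 is untouched: these lines only
! match the two DMZ hosts as the real source.
nat (DMZ,OUTSIDE) 1 source static DMZ-HOST-A DMZ-HOST-A-VPN destination static REMOTE-NET-10.98.16.0_20 REMOTE-NET-10.98.16.0_20
nat (DMZ,OUTSIDE) 2 source static DMZ-HOST-B DMZ-HOST-B-VPN destination static REMOTE-NET-10.98.16.0_20 REMOTE-NET-10.98.16.0_20
!
! Verification: the translated flow must hit the crypto map, not plain NAT
! to the internet. Check the rule, trace a DMZ-to-remote packet, and confirm
! the tunnel encapsulates it.
show nat detail
packet-tracer input DMZ tcp 192.168.100.10 1025 10.98.16.10 443 detailed
show crypto ipsec sa peer <REMOTE-PEER-IP-PLACEHOLDER>
```

In the packet-tracer output, the NAT phase should show the source rewritten to 10.255.255.250 and a later VPN phase should select the existing tunnel; if the VPN phase is missing, the mapped address is not being matched by the crypto ACL.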
08-04-2016 05:04 AM
Thanks for the reply. Suppose I wanted hosts on the inside network to access the DMZ host using an IP address on the inside network?
In other words, NAT the DMZ host to an inside IP address. I am thinking something like this:
!
interface GigabitEthernet0/1
nameif DMZ
security-level 75
ip address 192.168.100.1 255.255.255.240
!
interface GigabitEthernet0/3
nameif VRF
security-level 50
ip address 10.98.0.15 255.255.255.0
!
object network DMZ_Host
host 192.168.100.10
object network VRF_Host
host 10.98.0.10
object network VRF_Host
nat (VRF,DMZ) static DMZ_Host
08-04-2016 05:19 AM
Hello,
Without any testing myself I would say that will work - but only for one host.
If you want multiple hosts to go from VRF to DMZ, you can apply PAT by using dynamic.
object network VRF_Host
nat (VRF,DMZ) dynamic DMZ_Host
object network VRF_Host
nat (VRF,DMZ) dynamic interface
Or a pool of NAT addresses if you want 1-1 mappings (10 hosts).
object network DMZ_POOL
range 192.168.100.10 192.168.100.20
object network VRF_Host
nat (VRF,DMZ) static DMZ_POOL
//Cristian
08-04-2016 05:43 AM
I am looking to NAT a single host. Users from the VRF (inside) interface, in order to get to the DMZ hosts, will see it as a VRF (inside) IP Address.
I get confused as to the direction when doing the NAT in this manner.
08-04-2016 06:06 AM
I am not sure that I understand you correctly, but you want a single host from DMZ to speak to VRF?
If so your statement should work.
The higher security level on DMZ should allow traffic if no ACL explicitly denies traffic.
PS.
I told you wrong in my previous post regarding multiple hosts - you are pointing at a single host with both objects. (I never do auto NAT myself.)
//Cristian
08-04-2016 06:14 AM
No, what I want is for anyone who is able to route to the VRF (inside) interface to be able to get to the DMZ host by using a VRF subnet interface.
For example if someone at 10.98.0.100 wants to get to 192.168.100.10, they would make their connection to 10.98.0.10, as if they were in the same local subnet.
08-05-2016 07:57 AM
Hello,
You must be aware of conflicts that may happen this way, and I'm not sure it's possible to achieve with the whole subnet, but single hosts could be doable.
This is not tested.
object network DMZ_Host
host 192.168.100.10
object network VRF_Host
host 10.98.0.10
nat (VRF,DMZ) source static any any destination static VRF_Host DMZ_Host route-lookup
[Edit: Typo in ACL]
However, is it not possible to just let the ASA route packets between the VRF and DMZ interfaces?
You then need to apply an ACL, as the security level is lower on the VRF interface.
Something like this:
object network NET-192.168.100.0_28
subnet 192.168.100.0 255.255.255.240
object network NET-10.98.0.0_24
subnet 10.98.0.0 255.255.255.0
access-list DMZ-IN extended permit ip object NET-10.98.0.0_24 object NET-192.168.100.0_28
access-group DMZ-IN in interface DMZ
//Cristian
[Edit: Typo in access-group]
08-05-2016 07:57 AM
Would this solution allow for NATing just a couple of hosts in the DMZ, and allow all other hosts in the DMZ to be accessed via their native IP address?
08-08-2016 12:31 AM
Hello,
The above NAT should NAT anyone from VRF going to DMZ to 10.98.0.10 if the destination is 192.169.100.10.
If a user accesses 10.98.0.10 they should get redirected to 192.168.100.10.
I am not sure I understand your goal though.
//Cristian