cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3376
Views
0
Helpful
6
Replies

site to site vpn with NAT

nstewart
Level 1
Level 1

this is probably a silly question but thought I would ask.....

I'm looking for some help to tie down access coming from one of our site to site vpn tunnels.

Both parties are using NAT to translate the internal addresses and policy NAT for the devices that are allowed to access via the tunnel.

There is a Filter list ACL tied to the tunnel-group to restrict the Layer 4 traffic allowed through to the server but it would be good to restrict which devices

were allowed through but this doesn't seem possible as we are using NAT.

Does anyone have a good solution to get around this?

6 Replies 6

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

First off since your both doing NAT before the L2L VPN connection I would suggest that you NAT the real LAN network to an equal size NAT network with Static Policy NAT. This will mean that each host address will match the actual NAT IP address. This would make it pretty easy to determine the real LAN host on the basis of its NAT IP address.

Second, if you are using ASA firewall then I would suggest looking into issuing the following command (read whole post before even thinking of issuing the command )

no sysopt connection permit-vpn

This would essentially change the ASAs behaviour so that it would no more automatically allow connections that are coming from a VPN connection (Client and L2L VPN) but they would be required to pass the "outside" interface ACL check.

Naturally as you have existing VPN connections this means your situation is a little bit different.

Presuming that all the other VPN connections dont require limitation to where they can connect, you could then do so that you first allow ALL those VPNs traffic in the "outside" interface ACL and after this is done you could issue the above global command/setting which would change the ASA behaviour.

You could now remove the Filter ACL and configure the rules needed on the actual "outside" interface ACL. I find it a lot easier to manage atleast.

Without seeing any configurations its hard to say what your actual situation is. When you say you are doing NAT, you only mention that you are doing somekind of Policy NAT. You dont mention if its Static or Dynamic for example.

- Jouni

Thanks Jouni for your reply.

Yes I'm using a Cisco ASA5520 and the remote end is using one too.

I'm doing Dynamic Policy NAT for a group of addresses to go out from my network Site A to the remote end Site B.

Outgoing access is fine but its the incoming that I would like to restrict. If I allow access into my network A from Site B's global address then they can open up their whole network to this global and there is no control over this. I understand I may have to do things differently to get around this and was hoping to get some tips.

There are other active tunnels on the ASA so the command you mention (use with caution ) to allow the vpn traffic to bypass the outside interface would as you point out affect other traffic too.

I'm not sure though if this would help. how would you then do the checking on the outside interface. Would this be any different if they were still using a global?

hope this makes sense.

Hi,

Well to me it would seem the easiest way to control traffic most efficiently would be do scrap the Dynamic Policy NAT and use Static Policy NAT. And I mean a Static Policy NAT that does NAT for a whole LAN network to another NAT network of equal size. This would mean that each LAN host would have its own NAT IP address.

A simple example

access-list L2LVPN-POLICYNAT remark Policy NAT for L2L VPN Connection

access-list L2LVPN-POLICYNAT permit ip 10.10.1.0 255.255.255.0 172.16.1.0 255.255.255.0

nat (inside,outside) 192.168.1.0 access-list L2LVPN-POLICYNAT

The above would for example do Static NAT when the source network is 10.10.10.0/24 and destination network 172.16.10.0/24. It would NAT 10.10.10.1 to 192.168.10.1 and 10.10.10.2 to 192.168.10.2 and so on.

As long as you are using Dynamic NAT you cant possibly know which remote host is initiating connection to your network.

Though I am kind of confused about the fact that you are using Dynamic Policy NAT. How would the remote end be connecting to your Dynamic NAT IP addresses. They wouldnt know which host they would be connecting to as the NAT being done by defenition is NOT Static which is required to host services when using NAT.

The "sysopt" command I mentioned was simply to illustrate a simpler way (in my opinion) to control VPN traffic compared to separate Filter ACLs.

On its default setting ASA will let through all traffic coming from a VPN connection. So when you want to control the traffic you will need to configure different ACLs and especially in the case of L2L VPN you will use ACLs that dont follow the same logic of interface ACL so the whole setup gets even more complex.

Changing the global "sysopt" setting mentioned will enable to contro ALL the VPN connections on the "outside" interface ACL like any other traffic coming from behind that interaface. If all your current VPN connections dont require ACL/Filter rules then you simply allow traffic from those network to "any" in the "outside" interface ACL and you got those settled. Then you would only have to build the rules needed for this L2L VPN connection that does require specific rules.

Again one example

  • You have an "outside" interface ACL called "OUTSIDE-IN"
  • You have VPN Pools 10.10.10.0/24 and 10.10.20.0/24
  • You have L2L VPN remote network 10.10.100.0/24 and 10.10.200.0/24
  • You got a new L2L VPN remote network 172.16.1.0/24 for which you want to restrict traffic
  • You want to keep the previous VPN traffic flowing freely
  • You want to change from Filter ACL to using the "outside" interface ACL

So you simply add rules to the existing interface ACL first

access-list OUTSIDE-IN remark Allow all traffic from VPN Pools

access-list OUTSIDE-IN permit ip 10.10.10.0 255.255.255.0 any

access-list OUTSIDE-IN permit ip 10.10.20.0 255.255.255.0 any

access-list OUTSIDE-IN remark Allow all traffic from Remote VPN Networks

access-list OUTSIDE-IN permit ip 10.10.100.0 255.255.255.0 any

access-list OUTSIDE-IN permit ip 10.10.200.0 255.255.255.0 any

access-list OUTSIDE-IN remark Allow certain services from new L2L VPN

access-list OUTSIDE-IN permit tcp 172.16.1.0 255.255.255.0 host 192.168.1.1 eq http

access-list OUTSIDE-IN permit tcp 172.16.1.0 255.255.255.0 host 192.168.1.1 eq https

no sysopt connection permit-vpn

The above should essentially mean that you allow all traffic from the existing remote network to flow freely since we allowed in the ACL before changing the "sysopt" setting. It would also only allow certain connections from the new remote LAN. I used the same IP addresses as in the example Static Policy NAT for those ACL rules.

But as I said, I am pretty confused about the actual NAT setup. Dynamic NAT is not used to allow remote connections to your network.

I would almost be best to see some configurations to get a clear picture of the setup.

- Jouni

Also to further clarify,

The setting chance I am suggesting would do so that the VPN traffic WOULD NOT BYPASS your "outside" interface ACL anymore.

IF you have the above mentioned "sysopt" setting at its default THEN VPN traffic at the moment is allowed to flow freely through your firewall from behind VPN connections UNLESS you have VPN Filter ACLs configured for the connections.

You can confirm that setting on both ASAs for example issuing the following command

show run all sysopt

It does list all other "sysopt" settings too though.

The purpose of changing this setting from my perspective was simply to consolidate all the access control from behind "outside" to the "outside" interface ACL rather than configuring Filter ACLs which are pretty unconvinient in the case of L2L VPNs since the format is different.

- Jouni

HI Jouni,

Thanks for your replies.

I'm still a bit confused though. NAT isnt my strongest point so please bear with me.

At the moment the traffic is only going from my site to theirs. I have a whole range of addresses that require to connect to their server so I had set up Dynamic NAT and used a global so that all of my traffic goes out as one address to their network.

You mention that Dynamic NAT is not normally used in this way. Is this correct?

>>>>>But as I said, I am pretty confused about the actual NAT setup. Dynamic NAT is not used to allow remote connections to your network.

I could understand that this would be the case as the remote end then doesnt have any control over which device is sending the traffic but it does work in practice.

- Nicola

Hi,

I am still not sure how your NAT is configured on your ASA.

I would really need to see the NAT configurations and L2L VPN ACL used in the Crypto Map to tell what the situation is at the moment.

If the only type of NAT that you are doing on your side for this L2L VPN is Dynamic Policy NAT/PAT then this would indicate that you are using some services located on the remote site and the remote site does not have any need for connection towards your site.

Dynamic type NAT/PAT configurations arent used to host any services. Specifically because they are dynamic by definition. The NAT IP address of the actual host might change for example. So when we are talking about a L2L VPN connection between 2 networks you would usually use NAT0 or Static Policy NAT to enable connectivity from the remote site to your site.

With NAT0 and Static Policy NAT the remote knows with what IP address the remote host is reachable with. Compare this to doing Dynamic NAT/PAT on your side and the remote site couldnt connect to any host on your LAN since no addresses are either staticly assigned to your hosts (Static Policy NAT) or the hosts arent visible on the L2L VPN connection with their original IP address (NAT0)

- Jouni