Source NAT for external traffic then sent over a VPN

simon.hornby
Level 1

I’m having a bit of an issue with getting something to work, and would appreciate any help.

I am trying to arrange things so that a user associated with site A can access his mail server which is on site A, via a public IP which is hosted at site B, which is connected to site A over a VPN.

So the user, at any internet address, initiates a session to a public IP, which then goes to the site B ASA. The idea being that that ASA then translates the source to be its internal IP, and the destination to be the mail server. The reason for this is that if no source translation is done, then the response packet will just be routed out to the internet from site A, leading to an asymmetric route and the packet being dropped. The idea is that the response then goes back to the site B ASA, and is translated back to the internet address and sent back to the user.

If I use a source NAT to a server behind the Site B ASA, it works fine. If I do it for the scenario described above, I get the following log entries:

Time      ID      Source                  Destination           Message
14:02:40  305011  86.147.195.124/56453    192.168.1.30/56453    Built dynamic TCP translation from any:86.147.195.124/56453 to Inside:192.168.1.30/56453
14:02:40  302013  86.147.195.124/56453    192.168.3.3/1352      Built inbound TCP connection 5493843 for Outside:86.147.195.124/56453 (192.168.1.30/56453) to Inside:192.168.3.3/1352 (196.33.105.132/1352)
14:02:40  302014  86.147.195.124/56453    192.168.3.3/1352      Teardown TCP connection 5493843 for Outside:86.147.195.124/56453 to Inside:192.168.3.3/1352 duration 0:00:00 bytes 0 No valid adjacency
14:02:40  305012  86.147.195.124/56453    192.168.1.30/56453    Teardown dynamic TCP translation from any:86.147.195.124/56453 to Inside:192.168.1.30/56453 duration 0:00:00

192.168.3.3 is the notes server at site A, which is 192.168.3.0/24. 192.168.1.30 is the internal interface of the ASA at site B, which is 192.168.1.0/24. 86.147.195.124 is any external internet address, and 196.33.105.132 is the public address for the notes server at site A.

Clearly the third one is the one that shows a problem.

Here's my NAT rule:

nat (Outside,Inside) source dynamic any interface destination static ext-196.33.105.132 int-192.168.3.3

There's also a no-nat rule for site B to site A following it (I've also tried them in the other order). The VPN works fine, though if it should be important I will note that site A does not have a static IP, but does have a router doing keepalives to keep the VPN up, and the site A vpn endpoint is not an ASA.

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

So, if I understood correctly:

  • You have 2 sites connected by L2L VPN
  • Site A is a sort of remote site while Site B is the main site holding more public IP address space to host servers
  • You want to do Dynamic PAT for external public users contacting your mail server, which is located at Site A, to an IP address belonging to the Site B LAN

In this case I would first suggest selecting an IP address from the Site B LAN network that is not used and will not be used for anything else.  You will use this IP address as the source to the L2L VPN for all external users contacting the Site A mail server through Site B.

What you will have to change in your configuration is this:

  • Configure the NAT to be between "(Outside,Outside)"
  • Enable "same-security-traffic permit intra-interface" if not already enabled
  • Configure an "object network <name>" and configure "host <ip address>" under it
  • Replace the current parameter "interface" in the "nat" command with the previously created "object" name

The main thing to notice above is that the first one defines the correct interfaces between which this traffic will flow, and there is only one interface used in the ASA with this setup. Traffic comes through "Outside" and will exit through "Outside" as it's heading through the L2L VPN connection. The second thing mentioned above is simply to enable the ASA to pass traffic that is entering and leaving the same interface. Without this it won't work. The last 2 things mentioned are meant to give the external users the correct NAT IP address visible to the L2L VPN connection.

Essentially it would look something like this:

object network PAT
 host 1.1.1.1

nat (Outside,Outside) source dynamic any PAT destination static ext-196.33.105.132 int-192.168.3.3

So considering the above, if the "int-192.168.3.3" and the IP under "object network PAT" already match the ACL configured in the "crypto map" statement, then traffic from the external network should be tunneled to the L2L VPN.

Do notice that if the public IP address used in this setup is used for other internal hosts (with Static PAT) then we need to add some more things to the NAT configuration. But I imagine that is not the case. I presume the aim is to use 1:1 Static NAT and not Static PAT.

Hope this helps

- Jouni
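To make the interface logic in Jouni's answer concrete, here is an added Python model of the site B ASA's decision for this one flow. It is an illustration written for this thread, not Cisco code and not anything either poster ran: it uses a small constructed routing table (site A's 192.168.3.0/24 reached via the Outside interface because that is where the L2L VPN terminates), the addresses quoted in the thread, Jouni's placeholder PAT address 1.1.1.1 (in practice an unused address from the site B LAN), and status strings that only loosely echo the ASA syslog text. It replays the original (Outside,Inside) rule, the corrected (Outside,Outside) rule without intra-interface forwarding, and the corrected rule with it, and then reverses the translation on the server's reply.

```python
"""Replay of the twice-NAT decision for a hairpinned, VPN-bound flow.

Added illustration for this thread; not Cisco code. The routing table, the
status strings and the helper names are all constructed for the example.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    """nat (real_ifc,mapped_ifc) source dynamic any <mapped_src>
       destination static <mapped_dst> <real_dst>"""
    real_ifc: str     # interface the untranslated packet arrives on
    mapped_ifc: str   # interface the ASA expects the translated packet to leave on
    mapped_src: str   # PAT address given to the external user
    real_dst: str     # int-192.168.3.3 (the mail server's real address)
    mapped_dst: str   # ext-196.33.105.132 (the public address the user dials)


# Constructed site B routing table: prefix -> egress interface.
# Site A's LAN is reachable only through the L2L VPN, i.e. via Outside.
ROUTES = {
    "192.168.1.0/24": "Inside",
    "192.168.3.0/24": "Outside",
    "0.0.0.0/0": "Outside",
}


def egress_interface(ip: str) -> str:
    """Longest-prefix match against ROUTES."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, ifc in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1]


def forward(pkt: Packet, ingress: str, rule: NatRule, intra_interface_permitted: bool):
    """Apply the rule to an inbound packet; return (status, translated packet or None)."""
    if ingress != rule.real_ifc or pkt.dst != rule.mapped_dst:
        return ("no NAT match", None)
    xlated = Packet(rule.mapped_src, pkt.sport, rule.real_dst, pkt.dport)
    ifc = egress_interface(xlated.dst)
    if ifc != rule.mapped_ifc:
        # xlate and connection get built, then torn down: the route for the
        # real destination does not point at the rule's mapped interface.
        return ("Teardown ... No valid adjacency", None)
    if ifc == ingress and not intra_interface_permitted:
        # hairpin needs 'same-security-traffic permit intra-interface'
        return ("dropped: intra-interface traffic not permitted", None)
    return ("Built inbound TCP connection", xlated)


def untranslate_reply(reply: Packet, xlated: Packet, original: Packet):
    """Reverse the xlate on the server's reply so it goes back to the user."""
    expected = (xlated.dst, xlated.dport, xlated.src, xlated.sport)
    if (reply.src, reply.sport, reply.dst, reply.dport) != expected:
        return None
    return Packet(original.dst, original.dport, original.src, original.sport)


# The flow from the thread's log: external user -> public address of the mail server.
USER = Packet("86.147.195.124", 56453, "196.33.105.132", 1352)
ORIGINAL_RULE = NatRule("Outside", "Inside", "192.168.1.30", "192.168.3.3", "196.33.105.132")
FIXED_RULE = NatRule("Outside", "Outside", "1.1.1.1", "192.168.3.3", "196.33.105.132")


def run(rule: NatRule, intra_interface_permitted: bool = True):
    """Walk the request through site B and, on success, untranslate the reply."""
    status, xlated = forward(USER, "Outside", rule, intra_interface_permitted)
    if xlated is None:
        return status, None
    # The server answers the PAT address; because that address belongs to the
    # site B side of the crypto ACL, the reply returns over the VPN to site B
    # instead of leaking out of site A's own internet link.
    reply = Packet(xlated.dst, xlated.dport, xlated.src, xlated.sport)
    return status, untranslate_reply(reply, xlated, USER)


if __name__ == "__main__":
    print("(Outside,Inside):            ", run(ORIGINAL_RULE))
    print("(Outside,Outside), no intra: ", run(FIXED_RULE, False))
    print("(Outside,Outside), intra:    ", run(FIXED_RULE))
```

The first case reproduces the "No valid adjacency" teardown in Simon's log: the rule promises egress on Inside, but the only route to 192.168.3.3 leaves via Outside. The third case is the working configuration, and the untranslated reply is sourced from 196.33.105.132 back to the user's address and port.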


5 Replies


Thanks, that worked a treat.

Jouni,

We are trying to configure something very similar to this. However, we do have our public IP address used for other internal hosts. Could you please explain what additional steps would be needed to make this configuration work this way?

Thanks much for your time!

Hi Jared,

I think it's probably best if you start a new discussion about your situation and provide some background information about your network setup and the networks/IP addresses used. If some public IP addresses are related then you should replace them with made-up IP addresses.

This would help us understand your current environment and new requirements related to NAT better.

- Jouni

Jouni,

I have made the other post here:  https://supportforums.cisco.com/thread/2253745?tstart=0

Thanks!