Source nat in tunnel mode site to site vpn

sv7 (Beginner)

Hi all,

I configured a site-to-site VPN between a Cisco ASA and Azure using a route-based VPN, but now the customer wants to source NAT the subnet that lies behind the ASA when it goes to the Azure end. I have checked but did not find any document on how to source NAT my traffic. Attaching my config here.

Cisco-ASA(config)#crypto ikev2 enable outside

Cisco-ASA(config)#crypto ikev2 policy 1
Cisco-ASA(config-ikev2-policy)#encryption aes-256
Cisco-ASA(config-ikev2-policy)#integrity sha
Cisco-ASA(config-ikev2-policy)#group 2
Cisco-ASA(config-ikev2-policy)#lifetime seconds 28800

Cisco-ASA(config)#crypto ipsec ikev2 ipsec-proposal SET1
Cisco-ASA(config-ipsec-proposal)#protocol esp encryption aes-256
Cisco-ASA(config-ipsec-proposal)#protocol esp integrity sha1
Cisco-ASA(config)#crypto ipsec security-association lifetime seconds 3600

Cisco-ASA(config)#crypto ipsec profile PROFILE1
Cisco-ASA(config-ipsec-profile)#set ikev2 ipsec-proposal SET1
Cisco-ASA(config-ipsec-profile)#set security-association lifetime seconds 27000
Cisco-ASA(config-ipsec-profile)#set pfs group2

Cisco-ASA(config)#tunnel-group 13.71.28.xxx type ipsec-l2l
Cisco-ASA(config)#tunnel-group 13.71.28.xxx ipsec-attributes
Cisco-ASA(config-tunnel-ipsec)#ikev2 local-authentication pre-shared-key xxxxx
Cisco-ASA(config-tunnel-ipsec)#ikev2 remote-authentication pre-shared-key xxxxx

Cisco-ASA(config)#interface tunnel 100
Cisco-ASA(config-if)#no shut
Cisco-ASA(config-if)#nameif vti
Cisco-ASA(config-if)#ip address 169.254.0.1 255.255.255.252
Cisco-ASA(config-if)#tunnel source interface outside
Cisco-ASA(config-if)#tunnel destination 13.71.28.xxx
Cisco-ASA(config-if)#tunnel mode ipsec ipv4
Cisco-ASA(config-if)#tunnel protection ipsec profile PROFILE1

Cisco-ASA(config)#route vti 192.168.9.x 255.255.255.0 169.254.0.2


Basically I need to use the NAT statement below, but I don't know where to apply it in the crypto rule:

Cisco-ASA(config)#nat (inside,outside) source static 192.168.10.x_24 192.168.19.x_24 destination static 192.168.9.x_24 192.168.9.x_24

Can anyone help me here?

10 Replies

Milos_Jovanovic (VIP Engager)

Hi @sv7,

If I understood this correctly, and assuming that you already have working VPN, you need to apply NAT to your tunnel interface, something like:

Cisco-ASA(config)#nat (inside,vti) source static 192.168.10.x_24 192.168.19.x_24 destination static 192.168.9.x_24 192.168.9.x_24

BR,

Milos

Hi Milos,

Thank you for the reply. I know the command, but I need assistance as to where I should call this source NAT:

nat (inside,vti) source static 192.168.10.x_24 192.168.19.x_24 destination static 192.168.9.x_24 192.168.9.x_24

There is no crypto map command in my configuration, so where can I call this?

Hi @sv7,

VTIs (tunnel interfaces) are part of route-based VPN, which is conceptually different from policy-based VPN (crypto maps). There is no crypto map involved and no need to invoke it anywhere. The tunnel interface is the same as any other interface, and you only need to apply the NAT statement, just like any other NAT statement on the ASA (just take care of the order of NAT rules, as, in general, you want your no-NAT rules on top of the others).

Either way, NAT is not applied in the crypto map, even with policy-based VPNs (there is a dependency between them, but NAT is not invoked anywhere specifically).

BR,

Milos

Will the NAT statement below work with the route-based site-to-site VPN tunnel I posted?

nat (inside,vti) source static 192.168.10.x_24 192.168.19.x_24 destination static 192.168.9.x_24 192.168.9.x_24

Hi @sv7,

Yes, this is the NAT statement I originally suggested.

BR,

Milos

I don't believe you can use a VTI in a NAT statement; rather, you need to use a named physical interface or 'any'.

I don't know the reason why, but I can confirm that to date you cannot use VTI interfaces inside NAT statements. As jamesmils suggested, a workaround I've found, which has been working for many months now, is to use twice NAT with the keyword any, something like this:

nat (inside,any) source static 192.168.10.x_24 192.168.19.x_24 destination static 192.168.9.x_24 192.168.9.x_24

In short, with this command you don't directly choose the destination interface, but by specifying the destination network you get the same result.

Most probably this workaround doesn't cover all possible NAT cases, but it should cover the most common ones.
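The two points made in this thread, that manual (twice) NAT on the ASA is matched top-down so rule order matters, and that an `(inside,any)` rule with an explicit destination selects the VPN traffic without naming the VTI, can be exercised with a small model. The following is an added example written for this thread, not Cisco code and not a faithful ASA implementation: it models only first-match evaluation on (ingress interface, egress interface, real source, real destination), with `any` matching every interface and static net-to-net translation keeping the host offset. It assumes the egress interface is already known from routing (the VTI for the Azure subnet, outside for everything else), and the masked octets (`x`) from the posts are replaced with 0 as a placeholder.

```python
"""Simplified model of ASA manual (twice) NAT rule evaluation.

Added example for this thread, not Cisco code and not a faithful ASA
implementation: it models only top-down first match on (ingress
interface, egress interface, real source, real destination), with the
interface name "any" matching every interface and static net-to-net
translation preserving the host offset. The egress interface is
assumed to be known from routing (the VTI for the Azure subnet,
"outside" for everything else); the thread's masked octets ("x") are
replaced by 0 here as a placeholder.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class NatRule:
    """One 'nat (in,out) source static REAL MAPPED destination static D D' line."""
    ingress: str
    egress: str
    real_src: IPv4Network
    mapped_src: IPv4Network
    real_dst: IPv4Network = ANY
    mapped_dst: IPv4Network = ANY  # destination is identity in every rule below

    def matches(self, ingress: str, egress: str,
                src: IPv4Address, dst: IPv4Address) -> bool:
        return (self.ingress in ("any", ingress)
                and self.egress in ("any", egress)
                and src in self.real_src
                and dst in self.real_dst)

    def translate_src(self, src: IPv4Address) -> IPv4Address:
        # Static net-to-net NAT keeps the host part: 192.168.10.5 -> 192.168.19.5
        if self.mapped_src.prefixlen != self.real_src.prefixlen:
            raise ValueError("static net-to-net requires equal-size subnets")
        offset = int(src) - int(self.real_src.network_address)
        return IPv4Address(int(self.mapped_src.network_address) + offset)


def apply_nat(rules: List[NatRule], ingress: str, egress: str,
              src: IPv4Address, dst: IPv4Address
              ) -> Tuple[IPv4Address, Optional[NatRule]]:
    """Return (translated source, matching rule); the first match wins."""
    for rule in rules:
        if rule.matches(ingress, egress, src, dst):
            return rule.translate_src(src), rule
    return src, None  # no manual rule matched: source left unchanged


LAN = IPv4Network("192.168.10.0/24")          # real subnet behind the ASA
LAN_NATTED = IPv4Network("192.168.19.0/24")   # what Azure should see
AZURE = IPv4Network("192.168.9.0/24")         # remote subnet reached via the VTI


def vpn_rules() -> List[NatRule]:
    """The (inside,any) workaround from the thread as the only manual rule."""
    return [NatRule("inside", "any", LAN, LAN_NATTED, AZURE, AZURE)]


def shadowed_rules() -> List[NatRule]:
    """Same rule, but with a too-broad identity (no-NAT) rule placed above it."""
    return [NatRule("inside", "any", LAN, LAN, ANY, ANY)] + vpn_rules()


def translated_source(rules: List[NatRule], egress: str, src: str, dst: str) -> str:
    """Source address as seen after NAT for a flow entering on inside."""
    out, _ = apply_nat(rules, "inside", egress, IPv4Address(src), IPv4Address(dst))
    return str(out)


if __name__ == "__main__":
    # Traffic to Azure leaves via the VTI and is translated ...
    print(translated_source(vpn_rules(), "vti", "192.168.10.5", "192.168.9.20"))
    # ... while Internet-bound traffic via outside is not touched by this rule.
    print(translated_source(vpn_rules(), "outside", "192.168.10.5", "8.8.8.8"))
    # A broad no-NAT rule above it shadows the VPN translation entirely.
    print(translated_source(shadowed_rules(), "vti", "192.168.10.5", "192.168.9.20"))
```

The third case is the one to watch when following the "no-NAT rules on top" advice: an identity rule with an unrestricted destination placed above the VPN rule matches first and Azure then sees the real 192.168.10.0/24 addresses. On a real ASA, check the effective order with `show nat` and the hit on a specific flow with `packet-tracer`.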

sv7 (Beginner)

any help please

suneel.waqas (Beginner)

Hi All

I have the same situation. My customer wanted me to NAT my internal subnet to a mapped IP he provided. I am using policy-based IPsec. Can someone look at the config sample below for NAT and the crypto ACL and verify whether the config is correct?

object-group network source-inside
 network-object 10.86.224.0 255.255.252.0
 network-object 10.86.96.0 255.255.252.0
 network-object 10.87.96.0 255.255.255.0
 network-object 10.87.132.0 255.255.255.0
 network-object 10.87.29.0 255.255.255.0

object-group network Mapped_IP
 network-object 10.101.168.0 255.255.252.0

object-group network remote-IP
 network-object host x.x.x.x (waiting dest ip from customer)

nat (inside,outside) source static source_inside Mapped_IP destination static remote-IP remote-IP

access-list outside_cryptomap_20 extended permit ip object-group Mapped_IP object-group remote-IP

Hi @suneel.waqas,

I believe you need to modify your NAT/PAT rule:

nat (inside,outside) source dynamic source_inside Mapped_IP destination static remote-IP remote-IP

You are mapping multiple /22 and /24 subnets to a single /22 subnet, so you must use dynamic for this.

Also, please make sure that you are routing remote-IP towards outside, if this is where your crypto map is applied.

BR,

Milos
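Before committing a dynamic NAT like the one above, a practitioner wants to know how many real hosts compete for the mapped pool, whether any of the real, mapped or remote ranges overlap, and whether the crypto ACL selects post-NAT (mapped) addresses rather than the real subnets. The following is an added example written for this thread, not Cisco code; it takes the object groups from the post (the remote host is not known yet there, so 203.0.113.10 from the documentation range is assumed as a placeholder) and runs those checks with the standard library.

```python
"""Sanity checks for the NAT-before-policy-based-VPN design in the thread.

Added example, not Cisco code. Object groups are taken from the post;
the remote host is still unknown there, so 203.0.113.10 (documentation
range) is assumed as a placeholder. Checks: real-vs-mapped pool size,
overlaps between the ranges, and whether the crypto ACL uses the mapped
subnet instead of the real ones.
"""
from ipaddress import IPv4Network, collapse_addresses
from typing import Dict, Iterable, List

SOURCE_INSIDE: List[IPv4Network] = [IPv4Network(n) for n in (
    "10.86.224.0/22", "10.86.96.0/22", "10.87.96.0/24",
    "10.87.132.0/24", "10.87.29.0/24")]
MAPPED_IP: List[IPv4Network] = [IPv4Network("10.101.168.0/22")]
REMOTE_IP: List[IPv4Network] = [IPv4Network("203.0.113.10/32")]  # placeholder

# Source side of 'access-list outside_cryptomap_20 ...' from the post
CRYPTO_ACL_SOURCES: List[IPv4Network] = [IPv4Network("10.101.168.0/22")]


def address_count(nets: Iterable[IPv4Network]) -> int:
    """Addresses covered after merging overlapping/adjacent subnets."""
    return sum(n.num_addresses for n in collapse_addresses(list(nets)))


def pool_report(real: List[IPv4Network], mapped: List[IPv4Network]) -> Dict[str, object]:
    """Size the mapped pool against the real address space."""
    real_n, mapped_n = address_count(real), address_count(mapped)
    return {
        "real_addresses": real_n,
        "mapped_addresses": mapped_n,
        # Dynamic NAT hands out one mapped address per active real host; a pool
        # smaller than the real space can run dry unless a PAT fallback
        # (interface or pat-pool) is configured behind it.
        "pool_can_exhaust": mapped_n < real_n,
        # Static net-to-net needs one equal-size mapped subnet per real subnet.
        "static_possible": (len(real) == len(mapped)
                            and all(r.prefixlen == m.prefixlen
                                    for r, m in zip(real, mapped))),
    }


def any_overlap(a: Iterable[IPv4Network], b: Iterable[IPv4Network]) -> bool:
    """True if any subnet in a overlaps any subnet in b."""
    return any(x.overlaps(y) for x in a for y in b)


def crypto_acl_uses_mapped(acl_sources: Iterable[IPv4Network],
                           real: Iterable[IPv4Network],
                           mapped: Iterable[IPv4Network]) -> bool:
    """The crypto ACL must match post-NAT (mapped) traffic, never the real subnets."""
    acl, real, mapped = list(acl_sources), list(real), list(mapped)
    return (all(any(s.subnet_of(m) for m in mapped) for s in acl)
            and not any_overlap(acl, real))


if __name__ == "__main__":
    for key, value in pool_report(SOURCE_INSIDE, MAPPED_IP).items():
        print(f"{key}: {value}")
    print("real/mapped overlap:", any_overlap(SOURCE_INSIDE, MAPPED_IP))
    print("mapped/remote overlap:", any_overlap(MAPPED_IP, REMOTE_IP))
    print("crypto ACL uses mapped:",
          crypto_acl_uses_mapped(CRYPTO_ACL_SOURCES, SOURCE_INSIDE, MAPPED_IP))
```

With the post's objects the real space is 2816 addresses against a 1024-address mapped /22, so `pool_can_exhaust` is true: hosts beyond the pool will fail to translate (and therefore never match the crypto ACL) unless the rule has a PAT fallback, which on the ASA is the `interface` keyword or a `pat-pool` after the mapped object in the `source dynamic` clause. The crypto ACL check passes because the ACL already references Mapped_IP rather than source-inside.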
