01-02-2014 10:19 AM
Currently, we have a number of VPNs set up with various clients. We are NAT'ing their range to a /24 in our network to keep routing simple, but we are looking to Source NAT our resources due to security concerns. This is an example of a current VPN we have configured:
crypto map outside_map 5 match address SAMPLE_cryptomap
crypto map outside_map 5 set peer 99.99.99.99
crypto map outside_map 5 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map outside_map 5 set reverse-route
access-list SAMPLE_cryptomap extended permit ip object-group APP_CLIENT_Hosts object-group CLIENT_Hosts
nat (inside,outside) source static APP_CLIENT_Hosts APP_CLIENT_Hosts destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup
nat (inside,outside) source static APP_CLIENT_Hosts APP_CLIENT_Hosts destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp route-lookup
nat (inside,outside) source static APP_CLIENT_Hosts APP_CLIENT_Hosts destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp route-lookup
object-group network APP_CLIENT_Hosts
network-object object SITE1_APP_JCAPS_Dev_VIP
network-object object SITE1_APP_JCAPS_Prod_VIP
network-object object SITE2_APP_JCAPS_Dev_Host
network-object object SITE2_APP_JCAPS_Prod_VIP
network-object object SITE1_APP_PACS_Primary
object network SITE1_APP_JCAPS_Dev_VIP
host 10.200.125.32
object network SITE1_APP_JCAPS_Prod_VIP
host 10.200.120.32
object network SITE2_APP_JCAPS_Dev_Host
host 10.30.15.30
object network SITE2_APP_JCAPS_Prod_VIP
host 10.30.10.32
object network SITE1_APP_PACS_Primary
host 10.200.10.75
object network CLIENT_Host_1
host 192.168.15.100
object network CLIENT_Host_2
host 192.168.15.130
object network CLIENT_Host_3
host 192.168.15.15
object network CLIENT_Host_1_NAT
host 10.200.192.31
object network CLIENT_Host_2_NAT
host 10.200.192.32
object network CLIENT_Host_3_NAT
host 10.200.192.33
My question revolves around the configuration of the Source NAT. If I understand it correctly, I am going to have to configure 3 NAT statements per Source NAT since there are three different destinations that are being NAT'ed. I believe I would need to add this:
object network SITE1_APP_JCAPS_Dev_VIP_NAT
host 88.88.88.81
object network SITE1_APP_JCAPS_Prod_VIP_NAT
host 88.88.88.82
object network SITE2_APP_JCAPS_Dev_Host_NAT
host 88.88.88.83
object network SITE2_APP_JCAPS_Prod_VIP_NAT
host 88.88.88.84
object network SITE1_APP_PACS_Primary_NAT
host 88.88.88.85
nat (inside,outside) source static SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup
nat (inside,outside) source static SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp route-lookup
nat (inside,outside) source static SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp route-lookup
nat (inside,outside) source static SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup
nat (inside,outside) source static SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp route-lookup
nat (inside,outside) source static SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp route-lookup
nat (inside,outside) source static SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup
nat (inside,outside) source static SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp route-lookup
nat (inside,outside) source static SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp route-lookup
nat (inside,outside) source static SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup
nat (inside,outside) source static SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp route-lookup
nat (inside,outside) source static SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp route-lookup
nat (inside,outside) source static SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup
nat (inside,outside) source static SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp route-lookup
nat (inside,outside) source static SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp route-lookup
Is that correct, or is there an easier way to do it without having to add all the NAT statements? Also, would any changes need to be made on the access-list?
01-02-2014 12:36 PM
Hi,
To my understanding you would not need to create multiple new NAT statements. You should be fine just creating a new "object-group" for the new NAT addresses of your source addresses.
To better explain, take a look at your current "object-group" that defines your source addresses
object-group network APP_CLIENT_Hosts
network-object object SITE1_APP_JCAPS_Dev_VIP
network-object object SITE1_APP_JCAPS_Prod_VIP
network-object object SITE2_APP_JCAPS_Dev_Host
network-object object SITE2_APP_JCAPS_Prod_VIP
network-object object SITE1_APP_PACS_Primary
Now what you should do is configure an "object-group" that contains a NAT IP address for each of the above IP addresses inside the "object-group" and "object" used. The IMPORTANT thing is that the "object-group" containing the NAT IP addresses is in the SAME ORDER as the actual source addresses.
What I mean is that the first IP address contained in the above "object-group" will match the first IP address in the newly created "object-group" for the NAT IP addresses.
In the above way you can simply have the same 3 "nat" configurations as before, but you will modify/add in the newly created "object-group".
For example, you could do the following
object network SITE1_APP_JCAPS_Dev_VIP_NAT
host 88.88.88.81
object network SITE1_APP_JCAPS_Prod_VIP_NAT
host 88.88.88.82
object network SITE2_APP_JCAPS_Dev_Host_NAT
host 88.88.88.83
object network SITE2_APP_JCAPS_Prod_VIP_NAT
host 88.88.88.84
object network SITE1_APP_PACS_Primary_NAT
host 88.88.88.85
object-group network APP_CLIENT_Hosts_NAT
network-object object SITE1_APP_JCAPS_Dev_VIP_NAT
network-object object SITE1_APP_JCAPS_Prod_VIP_NAT
network-object object SITE2_APP_JCAPS_Dev_Host_NAT
network-object object SITE2_APP_JCAPS_Prod_VIP_NAT
network-object object SITE1_APP_PACS_Primary_NAT
Then you would add the following "nat" configurations
nat (inside,outside) 1 source static APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup
nat (inside,outside) 2 source static APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp route-lookup
nat (inside,outside) 3 source static APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp route-lookup
Notice the line numbers added to the above commands. This will enter them at the top of the ASA's NAT rules and therefore they will become active right away. Without the line numbers they will be used only after you remove the old lines.
Then you could remove the old ones
no nat (inside,outside) source static APP_CLIENT_Hosts APP_CLIENT_Hosts destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup
no nat (inside,outside) source static APP_CLIENT_Hosts APP_CLIENT_Hosts destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp route-lookup
no nat (inside,outside) source static APP_CLIENT_Hosts APP_CLIENT_Hosts destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp route-lookup
This should leave you with 3 "nat" configurations that do NAT for both the source and destination addresses.
Naturally, while you do this change you will also have to change the Crypto ACL to match the new source NAT. This is because all NAT is done before any VPN-related processing on the ASA. Therefore destination addresses are UN-NATed before VPN and source addresses are NATed before VPN.
If you would like to make the changes without affecting the connections too much then I would suggest
Naturally, if you can afford a small outage during the change then the order in which you do the things should not matter that much. In my work the connections usually aren't that critical that you could not make such changes at almost any point, as it's a matter of minutes that it takes to make the changes.
Hope this made sense and helped
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni
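As an added check, not from the thread or from Cisco, this Python script parses a constructed excerpt of the config above, expands the group-to-group static NAT by member position the way Jouni describes, rejects mismatched group sizes, and derives the crypto ACL entry that must match the post-NAT source and the real destination. The excerpt and the helpers `parse`, `twice_nat_table` and `crypto_acl_lines` are assumptions of this example, not ASA commands.

```python
import re
# Constructed excerpt of the ASA config from the thread: two app hosts, one client host.
ASA_CONFIG = """object network SITE1_APP_JCAPS_Dev_VIP
 host 10.200.125.32
object network SITE1_APP_JCAPS_Prod_VIP
 host 10.200.120.32
object network SITE1_APP_JCAPS_Dev_VIP_NAT
 host 88.88.88.81
object network SITE1_APP_JCAPS_Prod_VIP_NAT
 host 88.88.88.82
object network CLIENT_Host_1
 host 192.168.15.100
object network CLIENT_Host_1_NAT
 host 10.200.192.31
object-group network APP_CLIENT_Hosts
 network-object object SITE1_APP_JCAPS_Dev_VIP
 network-object object SITE1_APP_JCAPS_Prod_VIP
object-group network APP_CLIENT_Hosts_NAT
 network-object object SITE1_APP_JCAPS_Dev_VIP_NAT
 network-object object SITE1_APP_JCAPS_Prod_VIP_NAT
nat (inside,outside) 1 source static APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup
"""
NAT_RE = re.compile(r"nat \(\S+\) (?:\d+ )?source static (\S+) (\S+) destination static (\S+) (\S+)")
def parse(cfg):
    # name -> [ip, ...]; group members keep configured order, which is what static NAT pairs on
    objects, groups, cur = {}, {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith(("object network ", "object-group network ")):
            cur = (groups if line.startswith("object-group") else objects).setdefault(line.split()[2], [])
        elif line.startswith("host ") and cur is not None:
            cur.append(line.split()[1])
        elif line.startswith("network-object object ") and cur is not None:
            cur.extend(objects[line.split()[2]])  # resolve member object, keeping its position
    return objects, groups
def twice_nat_table(cfg):
    # Expand each twice-NAT line to (real_src, mapped_src, mapped_dst, real_dst) per host.
    objects, groups = parse(cfg)
    rows = []
    for m in NAT_RE.finditer(cfg):
        rs, ms, md, rd = ((groups.get(n) or objects[n]) for n in m.groups())
        if len(rs) != len(ms):  # static group-to-group NAT pairs by position, so sizes must match
            raise ValueError(f"{m[1]} and {m[2]} differ in size; NAT would not be one-to-one")
        rows += [(r, s, md[0], rd[0]) for r, s in zip(rs, ms)]  # single-host destinations, as in the thread
    return rows
def crypto_acl_lines(cfg, acl_name):
    # NAT runs before VPN on the ASA, so the crypto ACL must match post-NAT source and real destination
    _, groups = parse(cfg)
    kind = lambda n: "object-group" if n in groups else "object"
    return [f"access-list {acl_name} extended permit ip {kind(m[2])} {m[2]} {kind(m[4])} {m[4]}"
            for m in NAT_RE.finditer(cfg)]
```

Run `twice_nat_table(ASA_CONFIG)` against a draft before pushing it to the ASA; a group whose member order drifted from its NAT twin is the mistake this catches.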
01-08-2014 12:07 PM
Thank you, Jouni. That is the info I needed! I am going to lab it up this week. I appreciate your help!