cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
268
Views
0
Helpful
2
Replies
Highlighted
Beginner

Source Nat on S2S VPN Question

Currently, we have a number of VPN's set up with various clients.  We are NAT'ing their range to a /24 in our network to keep routing simple, but we are looking to Source NAT our resources due to security concerns.  This is an example of a current VPN we have configured:

crypto map outside_map 5 match address SAMPLE_cryptomap

crypto map outside_map 5 set peer 99.99.99.99

crypto map outside_map 5 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5

crypto map outside_map 5 set reverse-route

access-list SAMPLE_cryptomap extended permit ip object-group APP_CLIENT_Hosts object-group CLIENT_Hosts

nat (inside,outside) source static APP_CLIENT_Hosts APP_CLIENT_Hosts destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup

nat (inside,outside) source static APP_CLIENT_Hosts APP_CLIENT_Hosts destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp route-lookup

nat (inside,outside) source static APP_CLIENT_Hosts APP_CLIENT_Hosts destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp route-lookup

object-group network APP_CLIENT_Hosts

network-object object SITE1_APP_JCAPS_Dev_VIP

network-object object SITE1_APP_JCAPS_Prod_VIP

network-object object SITE2_APP_JCAPS_Dev_Host

network-object object SITE2_APP_JCAPS_Prod_VIP

network-object object SITE1_APP_PACS_Primary

object network SITE1_APP_JCAPS_Dev_VIP

host 10.200.125.32

object network SITE1_APP_JCAPS_Prod_VIP

host 10.200.120.32

object network SITE2_APP_JCAPS_Dev_Host

host 10.30.15.30

object network SITE2_APP_JCAPS_Prod_VIP

host 10.30.10.32

object network SITE1_APP_PACS_Primary

host 10.200.10.75

object network CLIENT_Host_1

network-object host 192.168.15.100

object network CLIENT_Host_2

network-object host 192.168.15.130

object network CLIENT_Host_3

network-object host 192.168.15.15

object network CLIENT_Host_1_NAT

  network-object host 10.200.192.31

object network CLIENT_Host_2_NAT

  network-object host 10.200.192.32

object network CLIENT_Host_3_NAT

  network-object host 10.200.192.33

My question revolves around the configuration of the Source NAT.  If I understand it correctly, I am going to have to configure 3 NAT statements per Source NAT since there are three different destinations that are being NAT'ed.  I believe I would need to add this:

object network SITE1_APP_JCAPS_Dev_VIP_NAT

host 88.88.88.81

object network SITE1_APP_JCAPS_Prod_VIP_NAT

host 88.88.88.82

object network SITE2_APP_JCAPS_Dev_Host_NAT

host 88.88.88.83

object network SITE2_APP_JCAPS_Prod_VIP_NAT

host 88.88.88.84

object network SITE1_APP_PACS_Primary_NAT

host 88.88.88.85

nat (inside,outside) source static SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup

nat (inside,outside) source static SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp route-lookup

nat (inside,outside) source static SITE1_APP_JCAPS_Dev_VIP SITE1_APP_JCAPS_Dev_VIP_NAT destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp route-lookup

nat (inside,outside) source static SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup

nat (inside,outside) source static SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp route-lookup

nat (inside,outside) source static SITE1_APP_JCAPS_Prod_VIP SITE1_APP_JCAPS_Prod_VIP_NAT destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp route-lookup

nat (inside,outside) source static SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup

nat (inside,outside) source static SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp route-lookup

nat (inside,outside) source static SITE2_APP_JCAPS_Dev_Host SITE2_APP_JCAPS_Dev_Host_NAT destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp route-lookup

nat (inside,outside) source static SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup

nat (inside,outside) source static SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp route-lookup

nat (inside,outside) source static SITE2_APP_JCAPS_Prod_VIP SITE2_APP_JCAPS_Prod_VIP_NAT destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp route-lookup

nat (inside,outside) source static SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT destination static CLIENT_Host_1_NAT CLIENT_Host_1 no-proxy-arp route-lookup

nat (inside,outside) source static SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp route-lookup

nat (inside,outside) source static SITE1_APP_PACS_Primary SITE1_APP_PACS_Primary_NAT destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp route-lookup

Is that correct, or is there an easier way to do it without having to add all the NAT statements?  Also,would any changes need to be made on the access-list?

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Mentor

Re: Source Nat on S2S VPN Question

Hi,

To my understanding you would not need to create multiple new NAT statements. You should be fine just creating a new "object-group" for the new NAT addresses of your source addresses.

To better explain, take a look at your current "object-group" that defines your source addresses

object-group network APP_CLIENT_Hosts

network-object object SITE1_APP_JCAPS_Dev_VIP

network-object object SITE1_APP_JCAPS_Prod_VIP

network-object object SITE2_APP_JCAPS_Dev_Host

network-object object SITE2_APP_JCAPS_Prod_VIP

network-object object SITE1_APP_PACS_Primary

Now what you should do this configure an "object-group" that contains a NAT IP address for each of the above IP addresses inside the "object-group" and "object" used. The IMPORTANT thing is that the "object-group" containing the NAT IP addresses is in the SAME ORDER as the actual source addresses.

What I mean is that the first IP address contained in the above "object-group" will match the first IP address in the newly created "object-group" for the NAT IP addresses.

In the above way you can simply have the same 3 "nat" configurations as before but you will modify/add in the newly created "object-group"

For example, you could do the following

object network SITE1_APP_JCAPS_Dev_VIP_NAT

host 88.88.88.81

object network SITE1_APP_JCAPS_Prod_VIP_NAT

host 88.88.88.82

object network SITE2_APP_JCAPS_Dev_Host_NAT

host 88.88.88.83

object network SITE2_APP_JCAPS_Prod_VIP_NAT

host 88.88.88.84

object network SITE1_APP_PACS_Primary_NAT

host 88.88.88.85

object-group network APP_CLIENT_Hosts_NAT

  network-object object SITE1_APP_JCAPS_Dev_VIP_NAT

  network-object object SITE1_APP_JCAPS_Prod_VIP_NAT

  network-object object SITE2_APP_JCAPS_Dev_Host_NAT

  network-object object SITE2_APP_JCAPS_Prod_VIP_NAT

  network-object object SITE1_APP_PACS_Primary_NAT

Then you would add the following "nat" configurations

nat (inside,outside) 1 source static  APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT destination static CLIENT_Host_1_NAT  CLIENT_Host_1 no-proxy-arp route-lookup

nat  (inside,outside) 2 source static APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT  destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp  route-lookup

nat  (inside,outside) 3 source static APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT  destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp  route-lookup

Notice the line numbers added to the above commands. This will enter them at the top of the ASAs NAT rules and therefore they will become active right away. Without the line numbers they will be used only after when you remove the old lines.

Then you could remove the old ones

no nat (inside,outside) source static  APP_CLIENT_Hosts APP_CLIENT_Hosts destination static CLIENT_Host_1_NAT  CLIENT_Host_1 no-proxy-arp route-lookup

no nat  (inside,outside) source static APP_CLIENT_Hosts APP_CLIENT_Hosts  destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp  route-lookup

no nat  (inside,outside) source static APP_CLIENT_Hosts APP_CLIENT_Hosts  destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp  route-lookup

This should leave you with 3 "nat" configurations that does NAT for both the source and destination addresses.

Naturally while you do this change you will also have to change the Crypto ACL to match the new source NAT. This is because all NAT is done before any VPN related on the ASA. Therefore destination addresses are UN-NATed before VPN and source addresses are NATed before VPN.

If you would like to make the changes without affecting the connections too much then I would suggest

  • Add the rules to the Crypto ACL for the new source addresses (NAT). This naturally has to be done on both sides of the L2L VPN. You would still be leaving the original configurations to the Crypto ACL to not affect the L2L VPN operation.
  • Add the above new "nat" configurations without the line numbers I mentioned which will mean that they wont be used until you remove the old ones.
  • When you are ready to migrate to use the new IP addresses, simply remove the original "nat" configurations and the ASA will start matching the traffic to the new "nat" configurations. Provided ofcourse that there is no other "nat" configuration before the new ones that might mess things up. This will need to be checked by the person doing the changes.

Naturally if you can afford a small outage during the change then the order in which you do the things should not matter that much. In my work the connections usually arent that critical that you could not make such changes almost at any point as its a matter of minutes that it takes to make the changes.

Hope this made sense and helped

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni

View solution in original post

2 REPLIES 2
Highlighted
Mentor

Re: Source Nat on S2S VPN Question

Hi,

To my understanding you would not need to create multiple new NAT statements. You should be fine just creating a new "object-group" for the new NAT addresses of your source addresses.

To better explain, take a look at your current "object-group" that defines your source addresses

object-group network APP_CLIENT_Hosts

network-object object SITE1_APP_JCAPS_Dev_VIP

network-object object SITE1_APP_JCAPS_Prod_VIP

network-object object SITE2_APP_JCAPS_Dev_Host

network-object object SITE2_APP_JCAPS_Prod_VIP

network-object object SITE1_APP_PACS_Primary

Now what you should do this configure an "object-group" that contains a NAT IP address for each of the above IP addresses inside the "object-group" and "object" used. The IMPORTANT thing is that the "object-group" containing the NAT IP addresses is in the SAME ORDER as the actual source addresses.

What I mean is that the first IP address contained in the above "object-group" will match the first IP address in the newly created "object-group" for the NAT IP addresses.

In the above way you can simply have the same 3 "nat" configurations as before but you will modify/add in the newly created "object-group"

For example, you could do the following

object network SITE1_APP_JCAPS_Dev_VIP_NAT

host 88.88.88.81

object network SITE1_APP_JCAPS_Prod_VIP_NAT

host 88.88.88.82

object network SITE2_APP_JCAPS_Dev_Host_NAT

host 88.88.88.83

object network SITE2_APP_JCAPS_Prod_VIP_NAT

host 88.88.88.84

object network SITE1_APP_PACS_Primary_NAT

host 88.88.88.85

object-group network APP_CLIENT_Hosts_NAT

  network-object object SITE1_APP_JCAPS_Dev_VIP_NAT

  network-object object SITE1_APP_JCAPS_Prod_VIP_NAT

  network-object object SITE2_APP_JCAPS_Dev_Host_NAT

  network-object object SITE2_APP_JCAPS_Prod_VIP_NAT

  network-object object SITE1_APP_PACS_Primary_NAT

Then you would add the following "nat" configurations

nat (inside,outside) 1 source static  APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT destination static CLIENT_Host_1_NAT  CLIENT_Host_1 no-proxy-arp route-lookup

nat  (inside,outside) 2 source static APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT  destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp  route-lookup

nat  (inside,outside) 3 source static APP_CLIENT_Hosts APP_CLIENT_Hosts_NAT  destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp  route-lookup

Notice the line numbers added to the above commands. This will enter them at the top of the ASAs NAT rules and therefore they will become active right away. Without the line numbers they will be used only after when you remove the old lines.

Then you could remove the old ones

no nat (inside,outside) source static  APP_CLIENT_Hosts APP_CLIENT_Hosts destination static CLIENT_Host_1_NAT  CLIENT_Host_1 no-proxy-arp route-lookup

no nat  (inside,outside) source static APP_CLIENT_Hosts APP_CLIENT_Hosts  destination static CLIENT_Host_2_NAT CLIENT_Host_2 no-proxy-arp  route-lookup

no nat  (inside,outside) source static APP_CLIENT_Hosts APP_CLIENT_Hosts  destination static CLIENT_Host_3_NAT CLIENT_Host_3 no-proxy-arp  route-lookup

This should leave you with 3 "nat" configurations that does NAT for both the source and destination addresses.

Naturally while you do this change you will also have to change the Crypto ACL to match the new source NAT. This is because all NAT is done before any VPN related on the ASA. Therefore destination addresses are UN-NATed before VPN and source addresses are NATed before VPN.

If you would like to make the changes without affecting the connections too much then I would suggest

  • Add the rules to the Crypto ACL for the new source addresses (NAT). This naturally has to be done on both sides of the L2L VPN. You would still be leaving the original configurations to the Crypto ACL to not affect the L2L VPN operation.
  • Add the above new "nat" configurations without the line numbers I mentioned which will mean that they wont be used until you remove the old ones.
  • When you are ready to migrate to use the new IP addresses, simply remove the original "nat" configurations and the ASA will start matching the traffic to the new "nat" configurations. Provided ofcourse that there is no other "nat" configuration before the new ones that might mess things up. This will need to be checked by the person doing the changes.

Naturally if you can afford a small outage during the change then the order in which you do the things should not matter that much. In my work the connections usually arent that critical that you could not make such changes almost at any point as its a matter of minutes that it takes to make the changes.

Hope this made sense and helped

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni

View solution in original post

Highlighted
Beginner

Re: Source Nat on S2S VPN Question

Thank you, Jouni.  That is the info I needed!  I am going to lab it up this week.  I appreciate your help!