Static NAT one-to-one overlapping VPN

MarcoM
Level 1

Hello everyone, I have a question about NAT (8.4+) on an L2L VPN. I am in a situation where my network overlaps with the remote site. I wish that when a host on my LAN (192.168.31.114) needs to reach a remote host (192.168.247.1) over the VPN tunnel, it is NATted to a single address, 192.168.199.1. I have defined these objects:

object network HOST_LAN
 host 192.168.32.114
object network LAN_NATTED
 host 192.168.199.1
object network REMORE_HOST
 host 192.168.247.1
nat (LAN,OUTSIDE) 5 source static HOST_LAN LAN_NATTED destination static REMORE_HOST REMORE_HOST net-to-net

but it seems not to work. Could you help me kindly? What am I doing wrong? Thanks in advance.
5 Replies

Oliver Kaiser
Level 7

net-to-net is not required, but should not be an issue. Make sure your SA contains 192.168.199.1 (or the whole /24 depending on your configuration) using show crypto ipsec sa and check your translation table using show xlate to verify NAT is being applied.

You may also use the packet-tracer command to verify that your NAT rule matches for traffic from HOST_LAN to REMOTE_HOST.

Let me know the results and if you need anything else to track this down.

Hi kaisero,

thanks for the answer.

On the VPN tunnel there will be only one host, 192.168.199.1, and not a subnet; the same goes for the remote network, where there will always be a single host on the tunnel.

Do you think that the NAT configuration is correct?

Thanks.

I also add the SA configuration (the public IP is not the original one):

access-list OUTSIDE_cryptomap line 1 extended permit ip object LAN_NATTED object REMORE_HOST
group-policy GroupPolicy_8.8.8.8 internal
group-policy GroupPolicy_8.8.8.8 attributes
  vpn-tunnel-protocol ikev2 ikev1
exit
tunnel-group 8.8.8.8 type ipsec-l2l
tunnel-group 8.8.8.8 general-attributes
  default-group-policy GroupPolicy_8.8.8.8
tunnel-group 8.8.8.8 ipsec-attributes
  ikev1 pre-shared-key **********
  ikev2 remote-authentication pre-shared-key **********
  ikev2 local-authentication pre-shared-key **********
  isakmp keepalive threshold 10 retry 2
crypto ikev2 policy 1
  group 2 5
  encryption aes-256
crypto ikev2 policy 10
  group 2 5
  encryption aes-192
crypto ikev2 policy 20
  group 2 5
  encryption aes
crypto ikev2 policy 30
  group 2 5
crypto ikev2 policy 40
  group 2 5
  encryption des
crypto ikev2 enable OUTSIDE
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap
crypto map OUTSIDE_map 1 set peer 8.8.8.8
crypto map OUTSIDE_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
nat (OUTSIDE,OUTSIDE) 6 source static LAN_NATTED LAN_NATTED destination static REMORE_HOST REMORE_HOST no-proxy-arp route-lookup

Your NAT statement does not match the one you posted earlier and is incorrect.

nat (OUTSIDE,OUTSIDE) 6 source static LAN_NATTED LAN_NATTED destination static REMORE_HOST REMORE_HOST no-proxy-arp route-lookup

The inbound interface should be inside, the original source IP should be HOST_LAN, and route-lookup is not required.

This should do the trick:

nat (INSIDE,OUTSIDE) 6 source static HOST_LAN LAN_NATTED destination static REMORE_HOST REMORE_HOST no-proxy-arp
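As an added illustration (not code from this thread or from Cisco), here is a small Python model of the two points the replies above turn on: a manual (twice) NAT rule is keyed on the ingress interface and the original, pre-NAT addresses, so the (OUTSIDE,OUTSIDE) rule from the config dump never sees a packet entering from the LAN host, and the crypto ACL OUTSIDE_cryptomap must permit the translated source 192.168.199.1, which is what the earlier advice to check show crypto ipsec sa and show xlate is about. The objects, addresses and crypto ACL are the thread's own; the rule-matching logic is a deliberate simplification of ASA behaviour, the ingress interface is named LAN as in the original poster's rule and packet-tracer rather than INSIDE as written in the answer, and the net-to-net translation helper also handles a whole /24, which goes beyond the single-host case discussed here.

```python
# Added example, not the ASA's implementation: a toy model of how manual
# ("twice") NAT rules are matched, modelling only what this thread turns on.
# A rule is keyed on the ingress interface and the ORIGINAL (pre-NAT)
# source/destination; the crypto ACL is evaluated on the TRANSLATED addresses.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    line: int
    in_iface: str
    out_iface: str
    orig_src: str     # pre-NAT source object (host or CIDR)
    mapped_src: str   # what the source becomes on the egress interface
    orig_dst: str
    mapped_dst: str


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str


@dataclass(frozen=True)
class Translation:
    egress: str
    src: str
    dst: str


def _contains(obj: str, addr: str) -> bool:
    # A bare host string such as "192.168.32.114" becomes a /32 network.
    return ip_address(addr) in ip_network(obj, strict=False)


def translate(orig: str, mapped: str, addr: str) -> str:
    """Static one-to-one (net-to-net) mapping: keep the host offset, swap the prefix.
    For two /32 objects this is just 'replace the address'."""
    o, m = ip_network(orig, strict=False), ip_network(mapped, strict=False)
    offset = int(ip_address(addr)) - int(o.network_address)
    return str(ip_address(int(m.network_address) + offset))


def apply_nat(rules: Iterable[NatRule], pkt: Packet) -> Optional[Tuple[NatRule, Translation]]:
    """First rule (by line number) whose ingress interface and original
    addresses match the packet; None when no manual NAT rule applies."""
    for r in sorted(rules, key=lambda r: r.line):
        if r.in_iface != pkt.in_iface:
            continue  # an (OUTSIDE,OUTSIDE) rule can never match a packet arriving on LAN
        if not (_contains(r.orig_src, pkt.src) and _contains(r.orig_dst, pkt.dst)):
            continue
        return r, Translation(r.out_iface,
                              translate(r.orig_src, r.mapped_src, pkt.src),
                              translate(r.orig_dst, r.mapped_dst, pkt.dst))
    return None


def crypto_acl_permits(acl: List[Tuple[str, str]], src: str, dst: str) -> bool:
    """Crypto ACL entries are (src object, dst object), checked after NAT."""
    return any(_contains(s, src) and _contains(d, dst) for s, d in acl)


# Objects and crypto ACL exactly as posted in the thread.
HOST_LAN, LAN_NATTED, REMORE_HOST = "192.168.32.114", "192.168.199.1", "192.168.247.1"
OUTSIDE_CRYPTOMAP = [(LAN_NATTED, REMORE_HOST)]

# The rule from the config dump versus the one from the accepted answer.
# The ingress interface is called LAN here because that is the name used in
# the poster's own rule and packet-tracer; the answer writes INSIDE for it.
POSTED_RULE = NatRule(6, "OUTSIDE", "OUTSIDE", LAN_NATTED, LAN_NATTED, REMORE_HOST, REMORE_HOST)
FIXED_RULE = NatRule(6, "LAN", "OUTSIDE", HOST_LAN, LAN_NATTED, REMORE_HOST, REMORE_HOST)


def trace(rules: Iterable[NatRule], pkt: Packet) -> dict:
    """Roughly what 'show xlate' and the crypto ACL would see for this packet."""
    hit = apply_nat(rules, pkt)
    if hit is None:
        # No xlate is built, so the crypto ACL sees the untranslated source.
        return {"nat_matched": False, "src_on_wire": pkt.src,
                "in_crypto_acl": crypto_acl_permits(OUTSIDE_CRYPTOMAP, pkt.src, pkt.dst)}
    rule, out = hit
    return {"nat_matched": True, "rule_line": rule.line, "egress": out.egress,
            "src_on_wire": out.src,
            "in_crypto_acl": crypto_acl_permits(OUTSIDE_CRYPTOMAP, out.src, out.dst)}


if __name__ == "__main__":
    flow = Packet("LAN", HOST_LAN, REMORE_HOST)   # the poster's packet-tracer flow
    print("posted rule:", trace([POSTED_RULE], flow))
    print("fixed rule: ", trace([FIXED_RULE], flow))
```

Running it shows the posted rule building no xlate for traffic from 192.168.32.114 entering LAN (and therefore a source that the crypto ACL does not permit), while the corrected rule yields 192.168.199.1 on OUTSIDE, which the crypto ACL matches. The posted rule would only ever match a packet that arrives on OUTSIDE already sourced from 192.168.199.1.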

I used the packet-tracer command to verify that the NAT rule matches:

ASA-D01# packet-tracer input LAN tcp 192.168.32.114 http 192.168.247.1 http

Result:
input-interface: LAN
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host