Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
554
Views
0
Helpful
5
Replies

Vendor requires remote subnet to be NAT'd to a Public IP

n00bUser
Level 1
Level 1

‎01-25-2022 01:59 PM

Hello Community,

 

I've been trying to find a resolution for an issue I am working on. The vendor requires us to have a Site-to-Site IPsec tunnel but the internal IPs are to be NAT'd to a public IP.

I am aware I need to implement twice NAT and I know how to do this on code 8.3+ but unfortunately, the ASA is running 8.2. I know it should be upgraded to save us some headache, but, currently that is not an option.

 

Can someone provide me with an example of how these configurations for a policy nat should be for code 8.2?

 

Also, are we able to use object groups for this? They have a couple of IPs for the remote network and we have a couple of IPs for our internal network:

 

(Cleaned Up, not actual IPs)

Remote: 20.20.1.1 and 50.50.1.1

Local: 192.20.1.20 and 172.16.1.20

Translated IP: 200.20.20.15

 

 

Labels:
0 Helpful
5 Replies 5

Milos_Jovanovic
VIP Alumni
VIP Alumni

‎01-26-2022 02:05 PM

Hi @n00bUser,

You should really upgrade this as it is very old, and to be assumed, vulnerable SW release, while at same time, your device is Internet exposed.

Now, having that said, I believe your confiuration should look something like this:

1. You need to match relevant traffic:

access-list NAT-ACL extended permit ip host 192.20.1.20 host 20.20.1.1
access-list NAT-ACL extended permit ip host 192.20.1.20 host 50.50.1.1
access-list NAT-ACL extended permit ip host 172.16.1.20 host 20.20.1.1
access-list NAT-ACL extended permit ip host 172.16.1.20 host 50.50.1.1

2. You need to define global/public IP that you'll use, and relevant outbound interface:

global (outside) 1 200.20.20.15

3. You need to tie these two together, along with relevant inbound interface:

nat (inside) 1 access-list NAT-ACL

BR,

Milos

0 Helpful

n00bUser
Level 1
Level 1
In response to Milos_Jovanovic

‎01-26-2022 06:46 PM

Hi Milos,

 

Yes, I completely agree with you on the upgrades and a complete refresh is in the works!

 

I see what I was missing, with the ACLs. I'll give this a shot!

Thank you!

0 Helpful

n00bUser
Level 1
Level 1
In response to Milos_Jovanovic

‎01-27-2022 09:15 AM - edited ‎01-27-2022 09:17 AM

Milos,

 

So I am a little confused with the NAT because there already is one configured on the outside interface. I've attempted to add an ID so higher so I wouldn't break things during the day. We have the following:

 

nat (inside) 10 access-list NAT-Inside

nat(inside) 15 access-list NAT-VPN-Vendor

 

global (outside) 10 interface

global (outside) 15 200.20.20.15

 

When I do a packet tracer, it shows that its hitting NAT ID 10, would I have to change the ID to a lesser value? My initial though would be, the ASA will start with 0 and work its way up, so this would potential break things. Am I proper to say this?

 

Thank you,

0 Helpful

Peter Koltl
Level 7
Level 7
In response to n00bUser

‎01-27-2022 01:59 PM

NAT-VPN-Vendor ACL is more specific so the new rule should be before line 10.

NAT-inside ACL matches all traffic and line 15 is never hit.

0 Helpful

Milos_Jovanovic
VIP Alumni
VIP Alumni
In response to Peter Koltl

‎01-27-2022 11:05 PM

As @Peter Koltl  already noticed, since your ACL NAT-inside already matches this traffic, then NAT #10 is used, and it never comes to #15.

If NAT-VPN-Vendor is more specific rule (which it must be), then place it before.

BR,

Milos

0 Helpful
Customers Also Viewed These Support Documents