Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2183
Views
10
Helpful
8
Replies

VPN IPSec and NAT

chaserf9e
Level 1
Level 1

‎12-23-2014 01:57 PM - edited ‎02-21-2020 08:00 PM

So I need any ideas on best way to achieve this, i can think of a few but don't know which will be best. here goes

I have a local network of 10.9.0.0/20 and need to create a bidirectional IPSec tunnel to a client site, they want me to present to them a 172.16.17.0/24 address over the IPSec, my thinking for ease is going to be to create the tunnel with the local and remote network above then create a dynamic NAT pool (many to many) that will translate any 10.9.0.0 address to a 172.16.17.0 address. is there any better way to do this ?

thanks in advance 

 

Labels:
0 Helpful
8 Replies 8

Eugene Khabarov
Level 7
Level 7

‎12-25-2014 07:15 AM

If I understood your question correctly than my solution will be to create SVTI (ipsec virtual tunnel interface), configure it with "ip nat outside" and then translate  10.9.0.0/20 to the nat pool 172.16.17.0/24. It seems an easy task

chaserf9e
Level 1
Level 1
In response to Eugene Khabarov

‎01-05-2015 01:23 PM

so the issue is that i have to send the IP from site 1 to site 2 as 172.16.17.0/24 over the ipsec. i have no access to site 2 or any of it's equipment (it is at a client) from what i know i could do it using SVTI but wouldnt the other site (site 2) need a 172.16.17.0/25 address. the only thing they have set or can set is a  remote network of 172.16.17.0/24

0 Helpful

Abaji Rawool
Level 3
Level 3

‎01-05-2015 11:04 PM

Here is example, which might help you but you need to make sure you have the matching subnet (for bidirectional - one to one mapping)

Configure the NAT.  Source address range of 10.9.0.0 / 24 and destinations of remote subnet (example 10.10.0.0/24)


access-list 101 permit ip 10.9.0.0 0.0.0.255 10.10.0.0 0.0.0.255

Create a route-map called 'static-nat' and match traffic to ACL 101:
route-map static-nat
  match ip address 101

Create a NAT-POOL for the public IP address (or range) you want to use to NAT to.  In this case, Im NAT'ing to 172.16.17.0:


ip nat pool NAT-POOL 172.16.17.1 172.16.17.254 netmask 255.255.255.0

Create a NAT rule to use the route-map 'static-nat'.  Upon a match to ACL 101, NAT that traffic to one of the NAT-POOL addresses:


ip nat inside source route-map static-nat pool NAT-POOL Overload

Once you have configured the NAT you need to modify the interesting traffic.  You need your 'interesting traffic' 


access-list 121 permit ip 172.16.17.0 0.0.0.255 10.10.0.0 0.0.0.255


Define your VPN peer, apply phase II and matching ACL for interesting traffic:
crypto map VPN 5 ipsec-isakmp
 set peer <peer ip>
 set transform-set <transform set>
 match address 121


Apply the crypto map to the public interface and NAT on the public side:


interface GigabitEthernet0/0
 ip nat outside
crypto map VPN

Configure the inside interface NAT on internal side:


interface GigabitEthernet0/1
 ip address 10.9.0.0 255.255.255.0
 ip nat inside

 

HTH

chaserf9e
Level 1
Level 1
In response to Abaji Rawool

‎01-06-2015 05:22 AM

thanks for your reply when trying this on the ASA i get invalid input as below

 

ASA5510-02(config)# ip nat pool NAT-POOL 172.16.17.1 172.16.17.254 netmask /24
                        ^
ERROR: % Invalid input detected at '^' marker.

0 Helpful

Poonam Garg
Level 3
Level 3
In response to chaserf9e

‎01-06-2015 06:36 AM

Can you please tell which ASA software version you are using, as NAT configuration have different syntax on version 8.3 and below versions.

chaserf9e
Level 1
Level 1
In response to Poonam Garg

‎01-06-2015 07:03 AM

it is 9.1.5

0 Helpful

Poonam Garg
Level 3
Level 3
In response to chaserf9e

‎01-06-2015 07:52 AM

For doing one to one NAT, make sure your real subnet and NATTED subnet mask must be same..

You need to configure Manual NAT statement on your firewall.For example:

1. First create network objects, refer them in NAT statement.

Object network obj-10.9.0.0

subnet 10.9.0.0 255.255.255.0

Object network obj-172.16.17.0

subnet 172.16.17.0 255.255.255.0

Object network destination_network

subnet x.x.x.x x.x.x.x

nat(inside,outside) source static obj-10.9.0.0 obj-172.16.17.0 destination static destination_network destination_network

2. Now define the interesting traffic using the source as natted ip.

access-list new ext permit ip 172.16.17.0 255.255.255.0 x.x.x.x x.x.x.x

3. Refer this access-list in crypto map configured for the peer.

 

HTH

Please do rate useful posts

Abaji Rawool
Level 3
Level 3
In response to chaserf9e

‎01-06-2015 07:39 AM

Hi,

I provided the configuration, assuming it is a IOS Router. For ASA you need to have policy based NAT.

You can refer this thread for similar example: https://supportforums.cisco.com/discussion/11128851/policy-based-nat-asa-841

 

Regards,

Abaji.

Customers Also Viewed These Support Documents