01-03-2014 05:30 AM
Hi,
I have an ASA 5512, IOS 9.1, 3-leg configuration (Inside, outside, dmz).
The goal is:
The web server on my DMZ leg is nated to a public IP.
If I connect a partner with a VPN tunnel, then it can access the DMZ through the VPN.
If the partner subnet is overlapping with my DMZ, then I can do a NAT for a specific IP.
My first idea:
nat (dmz,outside) source static WEB-SRV WEB_PUB_IP destination static ALL_PUB_IP ALL_PUB_IP
And if I need a NAT between DMZ and a partner (VPN):
nat (dmz,outside) source static DMZ_SUBNET NOT_OWERLAPPING_SUBNET destination static PARTNER_SUBNET PARTNER_SUBNET
Is it a good way?
01-03-2014 05:40 AM
Hi,
Without knowing the exact contents of the "object" or "object-group" that you would use in those commands it's harder to say.
Your first "nat" configuration seems a bit strange, especially when looking at the "destination" object's name. It seems to me to refer to any destination address, which would not be needed for a simple L2L VPN's NAT configuration.
The second configuration seems to me like Static Policy NAT that should work if you need to NAT your side.
Typically you configure NAT0 for a L2L VPN connection, but if you have overlapping networks then you will probably have to do NAT at both ends of the L2L VPN, or do NAT for both the source and destination address on your device.
The normal NAT0 configuration format would be
object network DMZ
subnet
object network REMOTE-LAN
subnet
nat (dmz,outside) source static DMZ DMZ destination static REMOTE-LAN REMOTE-LAN
If you wanted to NAT your LAN then it would be
object network DMZ
subnet
object network DMZ-NAT
subnet
object network REMOTE-LAN
subnet
nat (dmz,outside) source static DMZ DMZ-NAT destination static REMOTE-LAN REMOTE-LAN
And so on. If your DMZ subnet overlaps with the remote side's source network then I would suggest that the remote site does a NAT on their side for their network also, otherwise the connections won't work.
Exact configuration depends on the networks/IPs you use.
If you only needed configuration for a single server then naturally the above NAT configuration would again be slightly different.
Hope this helps
- Jouni
01-03-2014 05:51 AM
Hi,
My goal is to static NAT the servers in my DMZ to outside, no NAT if the destination is a remote site (VPN), and if the addresses are overlapping then NAT to another IP.
NAT0 for VPN:
nat (dmz,outside) source static DMZ DMZ destination static REMOTE-LAN REMOTE-LAN
overlapping subnet (VPN...):
nat (dmz,outside) source static DMZ DMZ-NAT destination static REMOTE-LAN REMOTE-LAN
But how can I NAT a single DMZ host to outside if these commands are applied?
01-03-2014 05:56 AM
Hi,
I usually configure Static NAT for a server with Auto NAT / Network Object NAT
In this type of NAT we configure the NAT inside an "object network".
Example could be
object network DMZ-WEB
host
nat (dmz,outside) static
In the above we first create the object and then configure the "host" address with the actual DMZ server IP address and in the "nat" command we configure the public NAT IP address.
If your aim is to just configure a simple Static NAT to a public IP address for the users on the Internet then the above should work. It should not matter if you have the NAT0 configuration for the L2L VPN as that only applies to the traffic between the local and remote networks. It doesn't affect the traffic coming from the Internet.
Before doing the final configurations related to the L2L VPN I would confirm if there is any overlap with the local and remote side networks and then configure the NAT as needed. No reason to start creating NAT configurations that you don't need.
- Jouni
01-03-2014 06:07 AM
Hi,
NAT0 for VPN:
nat (dmz,outside) source static DMZ DMZ destination static REMOTE-LAN REMOTE-LAN
overlapping subnet (VPN...):
nat (dmz,outside) source static DMZ DMZ-NAT destination static REMOTE-LAN REMOTE-LAN
dmz to outside:
object network DMZ-WEB
host
nat (dmz,outside) static
The VPN tunnel is terminated on the outside interface; the "dmz to outside" rule NATs all requests from the specified host in the DMZ to outside (to a specified public IP). Does it not overlap with nat0?
01-03-2014 06:18 AM
Is there any precedence between the concurrent NAT rules?!
01-03-2014 05:51 AM
Also to add a bit,
You naturally have to make sure that, depending on what type of NAT you need, the L2L VPN's Crypto ACL configuration corresponds to the NAT you are doing.
On the ASA the NAT (for your source) and UN-NAT (for your destination if doing destination NAT) is done before VPN. This means that an L2L VPN connection's Crypto ACL should contain your NATed source network as the source and the real/UN-NATed destination network as the destination.
- Jouni
01-03-2014 06:09 AM
Yes, it is clear, that's why I need a nat0...
01-03-2014 06:41 AM
The order of NAT from your post:
"
"
So,
NAT0 for VPN:
nat (dmz,outside) source static DMZ DMZ destination static REMOTE-LAN REMOTE-LAN
nat (dmz,outside) source static DMZ DMZ-NAT destination static REMOTE-LAN REMOTE-LAN
object network DMZ-WEB
host
nat (dmz,outside) static
These rules are Static NAT?
So I need to be careful about the order of the commands?
If I configured 10 hosts in the DMZ to NAT outside, and a new customer is creating an overlapping VPN tunnel, then I need to do 10 "no static"... then a nat0 and again the 10 static?!
01-03-2014 06:48 AM
Hi,
The NAT order you refer to above is from the old NAT configuration format, and you are using the new ASA software, so the above does not apply anymore.
In the new software the NAT can pretty much be ordered in any way you want.
But in your situation the NAT0 and Static NAT will have no problem working side by side.
This is because when you configure the NAT0 it clearly specifies that the ASA should not NAT traffic between the DMZ and REMOTE-LAN networks so it only applies to traffic between those networks.
However when connections are coming from the Internet towards a public IP address that is the Static NAT IP address of the DMZ server then the traffic naturally matches that Static NAT rule. The NAT0 configuration can not match traffic coming from the Internet as the traffic from the L2L VPN is probably coming from a Private IP address which does not route on the Internet.
If the REMOTE-LAN users would need to access the DMZ servers with their public IP addresses through the L2L VPN then you naturally would not need the NAT0 configuration for the servers, just the Static NAT. Again, this would need to be taken into account when configuring the L2L VPN.
For a perhaps clearer description of the NAT operation in the new software levels (8.3 and newer) I would suggest reading a document I wrote. It doesn't answer all the questions but gives some information about the ordering of the NAT configurations etc.
Here's the link to the document
https://supportforums.cisco.com/docs/DOC-31116
- Jouni
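To make the ordering point above concrete, here is an added Python model of how the three rules from this thread are evaluated on ASA 8.3+ (manual "twice" NAT in section 1 in configured order, object/auto NAT in section 2, first match wins). It is not Cisco code and not from the thread; the networks (10.10.10.0/24 as DMZ, 10.20.20.0/24 as REMOTE-LAN, 10.30.30.0/24 as DMZ-NAT, 10.10.10.5 as DMZ-WEB mapped to 203.0.113.5) are constructed placeholders.

```python
import ipaddress as ipa

# Constructed placeholder objects (not the thread's real addresses).
OBJ = {name: ipa.ip_network(net) for name, net in {
    "DMZ": "10.10.10.0/24", "DMZ-NAT": "10.30.30.0/24",
    "REMOTE-LAN": "10.20.20.0/24", "DMZ-WEB": "10.10.10.5/32",
    "DMZ-WEB-PUB": "203.0.113.5/32", "ANY": "0.0.0.0/0"}.items()}

# (section, name, real_if, mapped_if, src_real, src_mapped, dst_real, dst_mapped)
# Section 1 = manual NAT in configured order; section 2 = object (auto) NAT.
RULES = [
    (1, "nat0-vpn",    "dmz", "outside", "DMZ", "DMZ",     "REMOTE-LAN", "REMOTE-LAN"),
    (1, "vpn-overlap", "dmz", "outside", "DMZ", "DMZ-NAT", "REMOTE-LAN", "REMOTE-LAN"),
    (2, "obj-DMZ-WEB", "dmz", "outside", "DMZ-WEB", "DMZ-WEB-PUB", "ANY", "ANY"),
]

def _xlate(addr, from_net, to_net):
    """Static one-to-one mapping: keep the host offset inside the network."""
    if to_net == from_net or to_net.prefixlen == 0:
        return addr
    return to_net.network_address + (int(addr) - int(from_net.network_address))

def lookup(ingress, src, dst):
    """Return (rule name, translated src, translated dst) for a new connection,
    or (None, src, dst) when no rule applies. Rules are walked by section and
    then by configured order; the first match wins. Static rules are
    bidirectional, so a packet entering the mapped side is un-NATed."""
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    for _, name, rif, mif, sr, sm, dr, dm in sorted(RULES, key=lambda r: r[0]):
        sr, sm, dr, dm = OBJ[sr], OBJ[sm], OBJ[dr], OBJ[dm]
        if ingress == rif and src in sr and dst in dm:   # real -> mapped side
            return name, _xlate(src, sr, sm), _xlate(dst, dm, dr)
        if ingress == mif and src in dr and dst in sm:   # mapped -> real side
            return name, _xlate(src, dr, dm), _xlate(dst, sm, sr)
    return None, src, dst

if __name__ == "__main__":
    # DMZ -> partner over the VPN: NAT0 matches first, nothing is translated.
    print(lookup("dmz", "10.10.10.5", "10.20.20.9"))
    # Internet client -> public IP: section 1 never matches (source is not
    # REMOTE-LAN), so the object NAT un-NATs the destination to the DMZ host.
    print(lookup("outside", "198.51.100.7", "203.0.113.5"))
    # DMZ host -> Internet: only the object NAT applies, source becomes public.
    print(lookup("dmz", "10.10.10.5", "198.51.100.7"))
```

Note that as posted, both section-1 rules use the same REMOTE-LAN destination object, so the second ("vpn-overlap") can never be hit; an overlapping partner needs its own destination object.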
01-03-2014 06:52 AM
Thanks, you helped me a lot!