
VPN setup where they are asking me to NAT

Ok, I am sorry if I explain this poorly, but I will try. I was asked to consult on setting up a VPN for a client. They already have 2 VPNs which work fine, but when he configured the 3rd VPN it would not work. Through investigating, this is what I found.

 

He created the configs for the 3rd VPN just like he did for the other two, thinking this is how it would be configured. When it did not work, that is when he contacted me. When I looked at it, my SA was indicating to me that Phase 1 and 2 were completed, so I decided to check the ACL and read the documentation from the remote side. This is where I get confused.

 

I have control of ASA1 at My-Site. I am connecting via a VPN which I do not have access to, and they are being difficult about answering my questions. My-Site needs to set up a VPN with the remote-site in order for me to access public IPs which reside on their side. I am only telling you what is being told to me.

When I looked at the document, it stated, and I quote: "Source IP Address( IP Assigned to the client to NAT all traffic to x.x.x.x".

 

I personally think they believe they are talking to the person who is providing the services and not the end-client trying to obtain the services. However, I want to make sure that I am not missing anything.

So they are requiring that we NAT our outbound traffic, which makes no sense to me. They also keep saying that this is a one-way communication, and those words do not make any sense to me. They are asking that I NAT traffic to a public IP that I do not own, and all my questions get the same looping responses. Example:

 

1) Please send over a sample of the configs we should have on our end: "Our ASA is setup as outlined in the VPN form"
2) Why are we NATing if you are not accessing our network directly: "It is a source nat to allow the cryptomap endpoint connections to the CMS hosts."
3) How can I NAT to a 104.x.x.x address for IPs that do not sit on our local LAN: "Your VPN should have a Source Nat option or Proxy to make the connection."
4) If this is a one-way communication, then I need instructions on how to set up a VPN in this fashion: "Please contact your VPN vendor on instruction to setup a source Nat."

 

Then he responded with: "If the VPN vendor has a question on source natting please have them reach out to me. We can schedule a call with your engineer and the VPN vendor if needed."

 

Then he sent me to this link: https://community.cisco.com/t5/network-security/source-nat-cisco-asa/td-p/2690386

 

Is there a scenario where I would VPN to a remote-site that provides services from a Public IP and on my-site, I would be doing any NATing?

I know this is a weird question, but do you think the person I am talking to believes he is talking to the side that is providing the services?

I want to make sure that this is not a concept that I am not aware of. 

 

Here is the last response that I got: 

"After discussing this with the team, your engineer will need to engage your VPN vendor to work out how to setup the source Nat to the 104 IP, it is a common setup that they should be able to help with. We do not know how to setup the connection on your side, the reason we are setting up the source nat is the IP we assigned you has been whitelisted by the Mac to allow the connection, it is our public IP we have registered for this purpose. We are doing this number 1 for security, and it also allows us to troubleshoot connection issues with the Mac, a single IP can be traced back to find the issue."

 

This does not seem common to me from a client-side perspective. Please give your insight.

 

 

21 Replies

I finally got this to work. I had to configure the ASA as below:

 

! Twice NAT: traffic from 172.1.1.0/24 bound for 201.1.1.1 leaves with source 104.x.x.x; traffic to any other destination is untouched
nat (inside,outside) source static 172.1.1.0/24 104.x.x.x destination static 201.1.1.1 201.1.1.1

 

and then I had to add this to the crypto-map:

 

! Crypto ACL (proxy identity) is written with the translated source, because the ASA applies NAT before it matches the crypto map
access-list WORD extended permit ip host 104.x.x.x host 201.1.1.1


I found this method on another post outside of this Cisco community. I would have liked to have gotten an explanation, which is why I asked the question in the first place, but we do not always get what we ask for. As an engineer, a command means nothing to me without the why and the logic behind it.

I now have the why, the how, and the purpose of the configuration after days of searching. It is a shame I could not get the "why" from the provider of my desired services. But in our field, sometimes we are solo detectives alone with the wolves.

 

Thanks for the attempt at this, and I am good to go now.
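Added worked example (not part of any post in this thread, and not the poster's or Cisco's code): a small Python model of the ASA's egress order of operations, to make the "why" behind the two commands above explicit. The ASA applies NAT before it consults the crypto map, so the crypto ACL must describe the packet as it looks after translation; an ACL written in terms of the real 172.1.1.0/24 (the "configure it like the other two VPNs" approach) no longer matches once the source has become 104.x.x.x. The addresses are the thread's placeholders with assumed values filled in (104.0.2.10 stands in for the provider-assigned 104.x.x.x, 198.51.100.20 is an unrelated internet destination), and the rule is modelled as mapping every inside host to the single provider IP, which is the behaviour the provider described; on a real ASA that many-to-one behaviour is what `source dynamic` (PAT) provides, while `source static` is one-to-one, so which keyword fits depends on how many inside hosts need the service.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Placeholders standing in for the thread's addresses (assumptions, not a real config)
INSIDE_LAN = ip_network("172.1.1.0/24")       # real (pre-NAT) source range at My-Site
MAPPED_SRC = ip_address("104.0.2.10")         # stands in for the provider-assigned 104.x.x.x
SERVICE_HOST = ip_address("201.1.1.1")        # public service IP reached through the tunnel
OTHER_INTERNET = ip_address("198.51.100.20")  # unrelated destination; the rule must not fire


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class TwiceNatRule:
    """Models: nat (inside,outside) source static REAL MAPPED destination static DST DST

    The rule fires only when BOTH the source is in REAL and the destination is DST,
    which is the point of twice NAT: ordinary internet traffic is left alone.
    Every inside host is mapped to the one MAPPED address (the many-to-one behaviour
    the provider asked for; on an ASA that is `source dynamic`/PAT, `static` is 1:1).
    """
    real_src: IPv4Network
    mapped_src: IPv4Address
    dst: IPv4Address

    def apply(self, f: Flow) -> Flow:
        if f.src in self.real_src and f.dst == self.dst:
            return Flow(self.mapped_src, f.dst)
        return f


@dataclass(frozen=True)
class CryptoAce:
    """Models one line of the crypto map ACL: permit ip <src> <dst>.

    This is the IPsec proxy identity. It has to describe the packet as it looks
    AFTER NAT, because the ASA translates before it matches the crypto map.
    """
    src: IPv4Network
    dst: IPv4Network

    def matches(self, f: Flow) -> bool:
        return f.src in self.src and f.dst in self.dst


def egress(f: Flow, nat_rules: list, crypto_acl: list):
    """Return (post_nat_flow, disposition) for a packet leaving the outside interface.

    Order modelled: NAT first (first matching rule wins), then crypto-map match.
    A flow that matches an ACE is encrypted into the tunnel; anything else
    bypasses the tunnel and is forwarded in the clear.
    """
    for rule in nat_rules:
        translated = rule.apply(f)
        if translated != f:
            f = translated
            break
    if any(ace.matches(f) for ace in crypto_acl):
        return f, "encrypted"
    return f, "cleartext"


def remote_allowlist_accepts(f: Flow, allowed_src: IPv4Address) -> bool:
    """The provider's side: only the single registered public IP is allowed in."""
    return f.src == allowed_src


NAT = [TwiceNatRule(INSIDE_LAN, MAPPED_SRC, SERVICE_HOST)]
# The "like the other two VPNs" ACL, written in terms of the real LAN addresses
ACL_REAL_ADDRESSES = [CryptoAce(INSIDE_LAN, ip_network(f"{SERVICE_HOST}/32"))]
# The ACL that worked in the thread, written in terms of the translated source
ACL_TRANSLATED = [CryptoAce(ip_network(f"{MAPPED_SRC}/32"), ip_network(f"{SERVICE_HOST}/32"))]


def demo() -> dict:
    host = ip_address("172.1.1.25")  # constructed inside host
    wrong = egress(Flow(host, SERVICE_HOST), NAT, ACL_REAL_ADDRESSES)
    right = egress(Flow(host, SERVICE_HOST), NAT, ACL_TRANSLATED)
    unrelated = egress(Flow(host, OTHER_INTERNET), NAT, ACL_TRANSLATED)
    return {
        "acl_on_real_addresses": wrong[1],         # NATed to 104.0.2.10, then no ACE matches
        "acl_on_translated": right[1],             # NATed, matches the ACE, encrypted
        "seen_by_remote": str(right[0].src),       # remote peer sees the registered IP
        "remote_allowlist": remote_allowlist_accepts(right[0], MAPPED_SRC),
        "unrelated_traffic_natted": unrelated[0].src != host,  # destination mismatch, untouched
        "unrelated_traffic": unrelated[1],         # outside the tunnel
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two results worth noticing are that the same packet goes `cleartext` with the first ACL and `encrypted` with the second, purely because the ACL is evaluated against the post-NAT source, and that the `destination static` half of the rule keeps ordinary internet traffic from being rewritten.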

 

@00umn103zr1buDSXB5d6 

Glad to hear it is working, but that configuration is exactly what was suggested in the first response.

No, it was not. When I ask for an explanation, I would like to get one. You telling me that you already gave me the answer does not help me understand my original disconnect. And I do not see you posting what I posted as my resolution. This was about me asking a question to understand "the why", so I could create the configs, and you did not post that.

Now we are getting into a conversation of who is correct, and I do not engage in those. 

Not to be rude, but when someone asks for an explanation and you are just posting configs, that does not help.

 

nat (inside,outside) source static ORIGINAL-SRC TRANSLATED-SRC destination static DST DST

Above is your post, and I do not know what you mean by original or translated host. I have IPs on my local LAN, I have public IPs on a network that I am getting services from, and I have a 104.x.x.x IP that I have no idea why it is being used. Translated-source could mean more than one thing based on the individual's perspective, and that includes the educator.

And your response was "Glad to see you got it to work but that config is exactly what was suggested?" How does this info help the conversation? And no, it is not. That post was not helpful to me at all. 12 years in networking and over 20 in IT, so I am not someone who decided to post a question about technology I never implemented.

Your response to this post is what made me stop looking for a response here. And not to be rude again, but that is something for everyone to think about.

 

I even asked you to "please help me understand this"....... indicating that your original post was not clear enough for me, nor was it helping me. So I went elsewhere to receive the help that I needed and got the resolution. Then I came back here to help others who might have the same issue as I did.

 

I did not hear back from you until you wanted to point out how your post was the answer in the first place. Not cool.

@00umn103zr1buDSXB5d6 

Your long first post would have put most people off responding (here are suggestions on how to ask a question in the community). I replied with a suggestion on how to configure NAT without knowing your source network, the translated IP address, or the destination IP address.

 

Why the supplier wanted to configure the VPN like this is a question for the provider. I provided an example: "One reason they may want to NAT traffic is so they don't have overlapping network addresses in their routing table, I can think of other examples." No one on here can tell you why they wanted it configured this way; we can only make an educated guess and hopefully provide you with the configuration required to get you working.

 

Ultimately, this is not TAC, responses on here are provided for free by anyone around their own work/life commitments. Replies to your posts were fit in between my work commitments, I was not on standby waiting for each of your replies.

Like I said, I have 12 years in networking, and this is not my first post on the Cisco Community. This was not a question for TAC. To end it, I say you are correct, and move forward.

 

Thank you for your time with my issue.

Hi

 

Just to give credit where it is due and TO SAY THANK YOU TO "ROB INGRAM" FOR YOUR TIME AND EFFORT TO PROVIDE HELP AND SOLUTIONS FOR THE USERS OF THIS COMMUNITY

 

What was suggested by Rob Ingram in his response 

nat (inside,outside) source static ORIGINAL-SRC TRANSLATED-SRC destination static DST DST

is ABSOLUTELY CORRECT AND "THE" SOLUTION that was needed to be applied for solving this issue reported here. 

 

What is kindly requested from, and in fact very much needed from, "103zr1buDSXB5d6", the original reporter of this issue, is to set aside your ego (about you having 12 years in networking, etc etc etc) and be humble/modest enough to accept that what "Rob Ingram" suggested at the very beginning of the discussion was the solution and correct.

 

You are mentioning that you have 12 years of networking experience, and you have been working on Cisco appliances (such as the ASA too, I guess???) for many years... and yet you have mentioned in your own words that you don't understand what original-source, translated-source, etc etc are.

 

And then you are arguing and refusing to acknowledge by saying a simple humble thank you to Rob Ingram for his correct solution that he provided after spending time and trying to understand your deployment/configurations. YOU HAVE INSULTED ROB INGRAM AND ALL OTHER COMMUNITY MEMBERS WITH YOUR THANKLESS-RESPONSE/COMMENTS

 

You say you don't intend to be "rude", but I am truly sorry, somebody needs to awaken you from "your 12 years of networking experience and what not" that you mentioned. Knock knock, please wake up, your 12 years of working in networking have been a complete waste.

 

no thanks