VPN setup where they are asking me to NAT

Ok, I am sorry if I explain this poorly but I will try. I was asked to consult on setting up a VPN for a client. They already have 2 VPNs which work fine but when he configured the 3rd VPN it would not work. Through investigating, this is what I had found. 

 

He created the configs for the 3rd VPN just like he did for the other two, thinking this is how it would be configured. When it did not work, that is when he contacted me. When I looked at it, my SA was indicating to me that Phase 1 and 2 were completed, so I decided to check the ACL and read the documentation from the remote side. This is where I get confused.

 

I have control of ASA1 at My-Site. I am connecting via a VPN which I do not have access to and they are being difficult with answering my question. My-Site needs to setup a VPN with the remote-site in order for me to access public IPs which reside on their side. I am only telling you what is being told to me. 

When I looked at the document, it stated for me to and I quote "Source IP Address( IP Assigned to the client to NAT all traffic to x.x.x.x". 

 

I personally think they believe they are talking to the person who is providing the Services and not the end-client trying to obtain the services. However I want to make sure that I am not missing anything. 

So they are requiring that we NAT traffic out, which makes no sense to me. They also keep saying that this is a one-way communication, and those words do not make any sense to me. They are asking that I NAT traffic to a public IP that I do not own. And all my questions get the same loop responses. Example:

 

1) Please send over a sample of the configs we should have on our end: "Our ASA is setup as outlined in the VPN form"
2) Why are we NATing if you are not accessing our Network directly: "It is a source nat to allow the cryptomap endpoint connections to the CMS hosts."
3) How can I NAT to a 104.x.x.x address for IPs that do not sit on our local LAN: Your VPN should have a Source Nat option or Proxy to make the connection.
4) If this a one-way communication, then I need instructions on how to setup a VPN in this fashion: Please contact your VPN vendor on instruction to setup a source Nat.

 

Then he responded with: "If the VPN vendor has a question on source natting please have them reach out to me. We can schedule a call with your engineer and the VPN vendor if needed."

 

Then sent me to this https: link: community.cisco.com/t5/network-security/source-nat-cisco-asa/td-p/2690386

 

Is there a scenario where I would VPN to a remote-site that provides services from a Public IP and on my-site, I would be doing any NATing?

I know this is a weird question, but do you think the person that I am talking to believes he is talking to the side that is providing the services?

I want to make sure that this is not a concept that I am not aware of. 

 

Here is the last response that I got: 

"After discussing this with the team, your engineer will need to engage your VPN vendor to work out how to setup the source Nat to the 104 IP, it is a common setup that they should be able to help with. We do not know how to setup the connection on your side, the reason we are setting up the source nat is the IP we assigned you has been white listed by the Mac to allow the connection, it is our Public Ip we have registered for this purpose. We are doing this number 1 for security, and it also allows us to troubleshoot connection issues with the Mac, a single IP can be traced back to find the issue."

 

This does not seem common to me, from a client-side perspective. Please give your insight

 

 

2 Accepted Solutions

I got this to work finally. I had to configure the ASA as below.....

 

nat (inside,outside) source static 172.1.1.0/24 104.x.x.x destination static 201.1.1.1 201.1.1.1

 

and then I had to add this to the crypto-map:

 

access-list WORD extended permit ip host 104.x.x.x host 201.1.1.1 


I found this method on another post outside of this Cisco community. I would have liked to have gotten an explanation, which is why I asked the question in the first place, but we do not always get what we ask for. As an Engineer, a command means nothing to me without the why and the logic behind it.

I now got the why, the how, and the purpose of the configuration via days of searching. It is a shame I could not get the "why" from the Provider of my desired services. But in our fields, sometimes we are solo detectives alone with the wolves.

 

Thanks for the attempt at this, and I am good to go now.

 


No it was not, when I was asking for an explanation, I would like to get one. You are telling me that you gave me the answer already does not help me understand my original disconnect. And I do not see you posting what I posted as my resolution. This was about me asking a question to understand "the why", so I could create the configs and you did not post that.  

Now we are getting into a conversation of who is correct, and I do not engage in those. 

Not to be rude, but when someone asks for an explanation and you are just posting configs, that does not help.

 

nat (inside,outside) source static ORIGINAL-SRC TRANSLATED-SRC destination static DST DST

Above is your post, and I do not know what you mean by original or translated host. I got IPs on my local LAN, I got Public IPs on a network that I am getting services from, and I got a 104.x.x.x IP that I have no idea why it is being used. Translated-source could mean more than one thing based on the individual's perspective, and that includes the educator.

And your response was "Glad to see you got it to work but that config is exactly what was suggested?" How does this info help the conversation, and no, it is not. And that post was not helpful to me at all. 12 years in Networking and over 20 in IT, so I am not someone who decided to post a question about technology I never implemented.

Your response to this post is what made me stop looking for a response here. And not to be rude again, but that is something for everyone to think about. 

 


21 Replies

@00umn103zr1buDSXB5d6 

It is not uncommon to nat VPN traffic to a 3rd party. You need a NAT rule as per the example below.

 

nat (inside,outside) source static ORIGINAL-SRC TRANSLATED-SRC destination static DST DST

 

Just create an object for your local network ORIGINAL-SRC, another object for the source IP address they want you to translate to TRANSLATED-SRC and another object for the destination service you are connecting to DST.

 

The VPN traffic would originate from the translated IP address, so therefore your crypto ACL that defines interesting traffic would need to be configured to use the TRANSLATED-SRC object.

I do not want to translate any address. There are 10 public IPs that I need to get to. Those public IPs are providing services to me. I was told the only way to get those IPs / Services is that I had to set up a VPN with them.

Based on this info, would you have stated what you just mentioned? 

Also, those IPs, I have to exit my Outside interface to get to them.

I don't see a problem here, it sounds like that's the only way you'll get this access. One reason they may want to NAT traffic is so they don't have overlapping network addresses in their routing table, I can think of other examples.

 

You may need to create multiple NAT rules if you have 10 destinations, ensure you modify the crypto ACL accordingly.

 

Of course the traffic will need routing to the egress (outside) interface, it wouldn't be encrypted otherwise.
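As an added illustration, not code from the thread or from Cisco, here is a small Python model of the order of operations the two replies above describe: twice NAT rewrites the source before the crypto ACL classifies the packet, so a crypto ACL that still names the local LAN never matches the post-NAT traffic, while one that names the translated source does. The addresses (172.1.1.0/24, a 104 placeholder, three service hosts) are constructed to mirror the thread, and ports are ignored.

```python
# Added illustration (not from the thread): models the ASA behaviour the
# replies describe, i.e. twice NAT is applied before the crypto ACL decides
# whether a packet is "interesting" (to-be-encrypted) VPN traffic.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class TwiceNat:
    """nat (inside,outside) source static ORIG TRANS destination static DST DST"""
    orig_src: str   # local network, e.g. "172.1.1.0/24"
    trans_src: str  # provider-assigned source, e.g. "104.0.0.1" (constructed)
    dst: str        # service host that is only reachable over the tunnel


def apply_nat(rules, src, dst):
    """Return the (src, dst) pair the crypto ACL will see after twice NAT."""
    for r in rules:
        if ip_address(src) in ip_network(r.orig_src) and ip_address(dst) == ip_address(r.dst):
            return r.trans_src, dst
    return src, dst  # no matching rule: the packet is not translated


def crypto_acl_matches(acl, src, dst):
    """acl entries are (src_net, dst_net), like 'permit ip host A host B'."""
    return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
               for s, d in acl)


def will_be_encrypted(rules, acl, src, dst):
    """NAT first, then crypto ACL: this ordering is the 'why' behind the advice."""
    return crypto_acl_matches(acl, *apply_nat(rules, src, dst))


# Constructed values mirroring the thread: local LAN, the 104 address the
# provider assigned, and three service hosts (one NAT rule per destination).
LOCAL_LAN = "172.1.1.0/24"
ASSIGNED = "104.0.0.1"
SERVICES = ["201.1.1.1", "152.0.0.1", "89.0.0.1"]
RULES = [TwiceNat(LOCAL_LAN, ASSIGNED, d) for d in SERVICES]
# A crypto ACL that still uses the local LAN as source, versus one that uses
# the translated source as the replies advise.
ACL_LOCAL_SRC = [(LOCAL_LAN, f"{d}/32") for d in SERVICES]
ACL_TRANSLATED_SRC = [(f"{ASSIGNED}/32", f"{d}/32") for d in SERVICES]

if __name__ == "__main__":
    for acl, label in ((ACL_LOCAL_SRC, "crypto ACL with local LAN source"),
                       (ACL_TRANSLATED_SRC, "crypto ACL with translated source")):
        ok = will_be_encrypted(RULES, acl, "172.1.1.10", "201.1.1.1")
        print(f"{label}: {'encrypted' if ok else 'NOT matched, leaves in the clear'}")
```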

 

Ok, let me create a diagram and see if you feel the same way. There is a disconnect here which I am trying to figure out: whether they are directing me to do something incorrect because they are talking to the wrong side/wrong person, or if it is a lack of understanding of how a particular technology works. I will return with a diagram after I install Visio.

 

Take a look at the diagram please. 

 

On my ASA-Mine, I am being asked to NAT 210.x.x.x, 152.x.x.x and 89.x.x.x to a 104.x.x.x address. 104.x.x.x is not an address that sits on ASA-Mine, nor is that public address assigned to me at all.

I will not be able to access the 201, 152, or 89 addresses until I set up a VPN to the ASA-Remote site. 

I do not own the ASA-Remote site

 

I need to get to the 201, 152, and 89 address to be able to acquire my services. 

 

I got a reply stating: This is a one-way connection we will not connect to your network, IP 104.x.x.x is a public IP that Waystar assigned to your facility to connect to the end points, it should be setup as the local network and the crypto map to the end points listed below.

 

 

This sounds like the person who replied to the above message (I put it in quotes) thinks that I am the one who is providing the services to a client.


However, I am the client trying to obtain services. Does this change your idea of my thought process?

 

Why would I NAT IPs that I am trying to reach as a destination and have to create a VPN to reach those destinations?

 

Meaning in order to reach the Public IPs, I need a VPN (according to them), and on top of that, I have to NAT those same Public IPs?

My initial thoughts haven't changed. As per their comment - "IP 104.x.x.x is a public IP that Waystar assigned to your facility to connect to the end points, it should be setup as the local network and the crypto map to the end points listed below". - They want to receive traffic over the VPN from that IP address they've assigned to you.

 

Configure NAT, translate your original source to the 104.x.x.x IP address that has been assigned to you and use that IP address in the crypto ACL.

I have already tried NATing 172.x.x.x to 104.x.x.x as a static configuration, which did not work, then I removed it after I started thinking about the issue. This makes no sense to me, and 104.x.x.x address does not sit on my ASA nor does any address within the 104 range.

I understand that I can NAT to any address. But I still do not understand why it is being done this way

Also, why would I NAT the 201, 152, and 89 address to a 104 if the 201, 152, and 89 do not sit on my network?

Also, you want me to use the 104 in my Crypto ACL?

 

I have never been asked to do this in the 12 years I have been in Networking. Are you telling me this is normal?

Yes, you need to use the translated address in the crypto ACL, I've already mentioned that previously.

 

As I already said, it's not uncommon to do this over a VPN to a 3rd party.

 

Yes, it's Twice NAT.

Telling me that you mentioned it before does not help me understand. If my scenario is possible, I need to know the why.

 

If I have Public IPs that can only be reached via a VPN connection, then why NAT at all? The logic is not clear to me, and I cannot configure it without understanding the why behind it. 

I am still convinced that they are advising me to NAT on addresses that sit on the remote side, and my experience with NAT, and VPNs, I would never do this. 

So the philosophical aspect has me wondering if I am chasing a ghost or if there is a method in this scenario that I am completely unaware of.

 

 

So please help me understand why I would NAT via a VPN and why I would use a VPN to access Public IPs

 

Why wouldn't they just set up a VPN and an ACL from me to reach those IPs via my Public IP?

 

This looks like unnecessary layers.

Is this a NAT Twice configuration?

 
