What's the correct way to PAT outbound on a 5540 for VPN traffic?

jkeeffe (Level 2)

We're running 8.3(2) on the ASA5540. Users all over our enterprise connect to a business partner's application through the ASA/VPN. We have a class B address space, and since the users are spread out all over the place, I have the entire class B space as the local object in the ACL that allows traffic through the VPN tunnel.

The business partner has concerns that our entire address space is available to access the VPN tunnel. So I thought, to help alleviate their concerns, to PAT all of our connections outbound to a single IP address.

How is this done in 8.3(2)? We use ASDM to configure the 5540. For example, say our class B is 159.12.0.0 and the PAT'd IP address will be 199.30.36.6.


5 Replies

tj.mitchell (Level 4)

You could try:

object-group network 159.12.0.0_VPN
 network-object 159.12.0.0 255.255.0.0
!
object network 199.30.36.6_VPN_PAT
 host 199.30.36.6
!
object-group network remote_location
 network-object <partner-network> <partner-mask>
!
nat (interface,interface) source dynamic 159.12.0.0_VPN 199.30.36.6_VPN_PAT destination static remote_location remote_location

I would give that a shot. You would be twice NATting it. (You would replace "interface","interface" with the actual interface names, and <partner-network> <partner-mask> with the business partner's network. You probably already knew that though.)

nat (interface,interface) source dynamic 159.12.0.0_VPN 199.30.36.6_VPN_PAT destination static remote_location remote_location

Is (interface,interface) (outside,inside) or (inside,outside)? Thanks

Is (interface,interface) (outside,inside) or (inside,outside)?

If the traffic is coming from the inside interface to the outside, then (inside,outside).

It depends on where the traffic is coming from and going to.

One last question if you please.

At the end of the command statement, you have: "...destination static remote_location remote_location"

Why is 'remote_location' down twice?

Because it's twice NAT.

With twice NAT you can NAT both the source and the destination traffic. Since we aren't NATting the destination, we need to specify it to stay the same.
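A fuller worked version of the rule discussed in this thread, added here as an example and not taken from any post above. It assumes interface names inside/outside, a constructed partner network 10.200.0.0/24, and hypothetical crypto map and ACL names, and it shows the part the thread does not spell out: once the source is PATted, the VPN's crypto ACL must match the mapped address, not the class B.

```cisco
! Added example, not from the thread. Assumptions: interfaces "inside" and
! "outside"; partner network 10.200.0.0/24 (constructed placeholder); crypto
! map PARTNER_MAP seq 10 and ACL names PARTNER_VPN* are hypothetical.
!
! 1. Objects: real source (our class B), mapped PAT address, and the partner
!    network, which stays untranslated.
object-group network 159.12.0.0_VPN
 network-object 159.12.0.0 255.255.0.0
object network 199.30.36.6_VPN_PAT
 host 199.30.36.6
object network remote_location
 subnet 10.200.0.0 255.255.255.0
!
! 2. Twice NAT (manual NAT, section 1). Manual rules are matched top-down,
!    so an older identity/exemption rule that also covers remote_location
!    would win if it sits above this one. Inserting at position 1 (or
!    removing the older exemption) avoids that.
nat (inside,outside) 1 source dynamic 159.12.0.0_VPN 199.30.36.6_VPN_PAT destination static remote_location remote_location
!
! 3. Crypto ACL. Translation happens before the crypto ACL is evaluated, so
!    "interesting traffic" has to be written with the mapped address.
!
! Before (the exposure the partner objected to): entire class B is interesting.
access-list PARTNER_VPN_OLD extended permit ip 159.12.0.0 255.255.0.0 object remote_location
!
! After: only the single PAT address is visible to the partner.
access-list PARTNER_VPN extended permit ip object 199.30.36.6_VPN_PAT object remote_location
crypto map PARTNER_MAP 10 match address PARTNER_VPN
!
! 4. Verification: confirm the rule is hit and the SA is built with the
!    PAT address as the local proxy identity.
! show nat detail
! show crypto ipsec sa
! packet-tracer input inside tcp 159.12.5.5 12345 10.200.0.10 443
```

The partner's crypto ACL (and any filtering on their side) then only needs to permit 199.30.36.6 to their network; the packet-tracer run should show the NAT phase translating the 159.12.x.x source and the VPN encrypt phase matching on 199.30.36.6.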