Why do we need Nat over VPN in site to site VPN?

Louey
Level 1

Hi everyone,

We're building a new IPsec tunnel in my company and I wanted to know why we would use NAT over this VPN.

I know that it is useful for overlapping subnets, but in our case that is not the case. So in what way could it be helpful?

Thanks in advance.

Regards

Louey

6 Replies

Hi @Louey

You are probably referring to a NAT exemption rule. Without this rule your traffic over the VPN may be unintentionally NATted by an existing rule. The NAT exemption rule basically allows you to exclude the VPN traffic from being translated with NAT.

NAT exemption bypasses address translation for the network entities identified by an ACL. NAT exemption allows both inside and outside hosts to initiate traffic without their source address(es) being translated.

nat (LAN,OUTSIDE) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup

Essentially the above configuration tells the ASA that

  • We're doing NAT between the LAN and WAN interfaces
  • The network defined under LOCAL should stay unchanged when the destination is the network defined under REMOTE (which is also unchanged, as in no NAT performed for the destination either)

please do not forget to rate.
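Why the rule order matters, as an added example that is not from the thread: a small Python model of how the ASA picks the first matching NAT rule for a packet, with the exemption above placed in front of an assumed pre-existing dynamic PAT rule (the 10.1.0.0/16, 10.2.0.0/16 and 203.0.113.1 addresses are constructed for the example).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addressing for the example: LOCAL and REMOTE are the two VPN-protected
# networks; 203.0.113.1 stands in for the OUTSIDE interface address used by dynamic PAT.
LOCAL, REMOTE, OUTSIDE_IP = "10.1.0.0/16", "10.2.0.0/16", "203.0.113.1"

@dataclass
class NatRule:
    name: str
    src_match: str              # source network the rule applies to
    dst_match: str              # destination network the rule applies to
    mapped_src: Optional[str]   # None means identity: the source address is left unchanged

# Exemption from the answer above: nat (LAN,OUTSIDE) source static LOCAL LOCAL
# destination static REMOTE REMOTE  (twice NAT, section 1, evaluated first)
EXEMPT = NatRule("vpn-exempt", LOCAL, REMOTE, None)
# Assumed pre-existing rule: nat (LAN,OUTSIDE) after-auto source dynamic any interface
PAT = NatRule("outbound-pat", "0.0.0.0/0", "0.0.0.0/0", OUTSIDE_IP)

WITH_EXEMPTION = [EXEMPT, PAT]   # ASA order: section 1 rules before after-auto rules
WITHOUT_EXEMPTION = [PAT]

def translate(rules, src, dst):
    """Return (name of the rule that matched, source address as it leaves OUTSIDE); first match wins."""
    for r in rules:
        if ip_address(src) in ip_network(r.src_match) and ip_address(dst) in ip_network(r.dst_match):
            return r.name, (src if r.mapped_src is None else r.mapped_src)
    return "no-nat", src

def enters_tunnel(rules, src, dst):
    """The crypto ACL (LOCAL -> REMOTE) is matched after NAT, so a PATted source no
    longer matches it and the packet is routed unencrypted instead of into the tunnel."""
    _, mapped_src = translate(rules, src, dst)
    return ip_address(mapped_src) in ip_network(LOCAL) and ip_address(dst) in ip_network(REMOTE)

if __name__ == "__main__":
    for rules in (WITH_EXEMPTION, WITHOUT_EXEMPTION):
        print(translate(rules, "10.1.5.20", "10.2.7.30"), enters_tunnel(rules, "10.1.5.20", "10.2.7.30"))
```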

chadbaird2431
Level 1

You can also just use NAT to hide the inside IP address; I do this regularly. But it all remains the same: you have to do/have a NAT rule. You also need an access list for every NAT rule, which is probably created with the VPN config, but you need to look for it and add it if it's not there. Packet tracer and Splunk are my best friends at work. (edit) (LOL, this is IPsec to my mom's house from my lab, she's a good sport.)

This is what it really does:   nat (extranet-dmz,inside) source static Obj_remote_local Obj_translated destination static obj_local Obj_translated

Then.. access-list inside extended permit tcp object Obj_remote_local object obj_local eq 80 (or whatever port)

Then.. sometimes you have to add a route on the FW to point back to the outside interface, like..   route outside (making this subnet up) 192.168.0.0 255.255.255.0 198.123.123.10, or you can use reverse route injection (RRI) to advertise the route.

So look at xlates, look at packet tracer and, for your sanity, install Splunk somewhere. I can't read that fast..

Here's packet tracer output for a VPN from my 5506 to another 5506. Uh, it looks like this is hitting this ACL I put inbound on the inside interface just fooling around; I had a very specific ACL... It's a lab so stuff is always changing, but anyway, this is what you should see.. All the ACLs and NAT rules concerning the path.

sh xlate

5506-Firepower# sh xlate | i 192.168.0
NAT from outside:192.168.4.0/24, 192.168.0.0/24 to inside:192.168.4.0/24,
192.168.0.0/24
NAT from outside:192.168.0.0/24 to inside:192.168.0.0/24

 

Now if I were to look in packet tracer, look at phases 2 and 9.

Untranslate 192.168.1.254/443 to 192.168.1.254/443

It'll translate in phase 9:

Static translate 172.20.0.23/1234 to 172.20.0.23/1234

 

5506-Firepower# packet-tracer input inside tcp 172.20.0.23 1234 192.168.1.254 $

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop X.X.X.X using egress ifc outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Colo_VPN_subnet Colo_VPN_subnet destination static Mom_192.168.1.0 Mom_192.168.1.0 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.1.254/443 to 192.168.1.254/443

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Colo_VPN_subnet Colo_VPN_subnet destination static Mom_192.168.1.0 Mom_192.168.1.0 no-proxy-arp route-lookup
Additional Information:
Static translate 172.20.0.23/1234 to 172.20.0.23/1234

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map firepower_class_map
match any
policy-map global_policy
class firepower_class_map
sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static Colo_VPN_subnet Colo_VPN_subnet destination static Mom_192.168.1.0 Mom_192.168.1.0 no-proxy-arp route-lookup
Additional Information:

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 23105286, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

On top of that you can do a layer 7 inspection by using FMC, known as deep packet inspection, using a Firepower SFR in the ASA unit.

please do not forget to rate.

Question Sheraz; my apologies in advance to the OP for hijacking the thread.

This ASA is running Firepower in-line; the VPN traffic appears to go through the SFR, is this what you're talking about? It's in phase 7? Or does DPI require an SSL cert? I could look it up but it's a cool topic.

C

In order for the SFR to work with ASA code you have to let the traffic pass through the SFR module for layer 7 inspection. I have seen some deployments where the requirement is not to inspect the traffic (bypass the SFR).

But yes, I was talking about the SFR module. To answer your question, DPI does not require the SSL cert.

please do not forget to rate.