ASA SIte to Site VPN with NAT

Bmodlin
Level 1

I have to setup a site to site VPN between 2 ASAs.  One ASA is required to NAT the source network (local) (192.168.10.0/28) out the VPN tunnel as (10.10.10.8/28).  I am unclear on how to accomplish this.  How do I create these NATs for the VPN , while continuing to NAT the normal (Non-VPN) traffic from that same local subnet out as it is now?

Accepted Solutions

You need to configure twice-NAT (here it's a policy-NAT). The source is translated from the object containing the network 192.168.10.0/28 to an object containing the network 10.10.10.X/28 (btw: .8 is not a valid network for a /28 subnet). In the NAT rule you also configure a destination object of the remote network which NATs to itself. It could look like the following:

nat (inside,outside) source static obj-192.168.10.0 obj-10.10.10.x destination static REMOTE-NET REMOTE-NET

Your crypto definition has to use the 10.10.10 network, not the 192.168.10.

Ok, thank you. This makes sense. My next question is how to configure the one-to-one NATs over the VPN. For example, let's say I have ServerA (192.168.10.10) that needs to be NATted over the VPN as 10.10.10.10, but also needs to be NATted as 71.71.17.17 out to the public internet.


How would I accomplish that?

Here you have to think about the order of the NAT processing.

If you want to NAT a specific host through the VPN, this statement has to be placed before the NAT-exemption in section 1.

The specific NAT to the internet has to be placed before the general PAT to your interface or PAT pool. I always put these statements in section 3.
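An added configuration example, not taken from this thread or from Cisco documentation, that puts the accepted answer's twice-NAT rule and the ordering advice above together for the original poster's addresses. The object names, the remote network 172.16.0.0/24 and the use of 10.10.10.0/28 as the translated block are assumptions:

```cisco
! Constructed example: objects for the original poster's local network,
! the translated VPN range, the (assumed) remote site, and ServerA.
object network LOCAL-NET
 subnet 192.168.10.0 255.255.255.240
object network LOCAL-NET-VPN
 subnet 10.10.10.0 255.255.255.240
object network REMOTE-NET
 subnet 172.16.0.0 255.255.255.0
object network SERVERA
 host 192.168.10.10
object network SERVERA-VPN
 host 10.10.10.10
object network SERVERA-PUBLIC
 host 71.71.17.17
!
! Section 1 (manual/twice NAT) is evaluated top-down, first match wins.
! The host-specific VPN rule goes first, then the subnet rule for the
! rest of the local network; both keep the remote network untranslated.
nat (inside,outside) source static SERVERA SERVERA-VPN destination static REMOTE-NET REMOTE-NET
nat (inside,outside) source static LOCAL-NET LOCAL-NET-VPN destination static REMOTE-NET REMOTE-NET
!
! Section 3 (after-auto): the specific internet NAT for ServerA must sit
! before the general interface PAT, or the PAT would catch ServerA first.
nat (inside,outside) after-auto source static SERVERA SERVERA-PUBLIC
nat (inside,outside) after-auto source dynamic LOCAL-NET interface
!
! The crypto ACL matches the translated addresses, not 192.168.10.0/28.
access-list VPN-CRYPTO extended permit ip 10.10.10.0 255.255.255.240 172.16.0.0 255.255.255.0
```

Internet-bound traffic from 192.168.10.0/28 never matches the section 1 rules because its destination is not REMOTE-NET, so it falls through to section 3 and is PATed as before.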

Yes, but I am using destination NAT. I need to NAT the local network when going over the VPN.
example:
nat (inside,outside) source static OBJ-10.10.10.0 OBJ-192.168.0.0 destination static OBJ-172.16.0.0 OBJ-172.16.0.0
access-list cryptoACL extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
Phase 1 and 2 are completed. sh nat shows the NAT rule has been hit, but no traffic and no hit counts on the cryptoACL.

What does a simulation in Packet-Tracer show you?

ASA1 packet tracer shows VPN allowed - packets are sent and I see encaps but no decaps - I think this side is configured correctly. ...ASA1 has a noNAT rule (NAT exemption)

ASA2 packet tracer shows ACL drop - this is where the NAT (10.10.10.0 to 192.168.0.0) rule is applied.

Does the Drop happen in the Interface ACL? Then check that and allow the traffic accordingly.

Hmm .. I don't manage the remote ASA2 but will check next time when I get a chance. Seems to me that because the traffic comes from their "inside" interface it should be allowed by default (but like I said I will check).

Thank you - That is correct - This is the first time I am building this VPN and I set up the correct NAT (per your recommendations) but somehow I don't see hit counts on the cryptoACL and the packets are sent over the outside interface but not over the VPN?
Do you have any Ideas why this is happening ?

I have the same issue trying to source NAT traffic going to a remote site using VPN. I have found that you need to specify any instead of the interface where the tunnel terminates, see below:

nat (inside,outside) source static any NAT_Hide destination static 172.16.50.236 172.16.50.236 <----traffic is NAT'ed but goes out the outside interface not the tunnel

nat (inside,any) source static any NAT_Hide destination static 172.16.50.236 172.16.50.236 <----traffic is NAT'ed and goes out via the tunnel

I tested with 9.12(4) and 9.9(2)

Please help me on this. I have an ASA and my internal IP is 10.0.0.0/24 (LAN and RA VPN IP range) and my destination is 192.168.1.1/32. Now I want communication between them via site-to-site VPN, but when I send the traffic to 192.168.1.1 it should be converted to 11.0.0.0/24.
