Solved

ASA 5510 - Config NAT on VPN

Posted on 2006-04-25
Last Modified: 2013-11-16
Here is my situation.  My company recently purchased a division of another company.  We have to maintain a link to the old company so that the purchased divisions can keep communicating with their Oracle instance and keep operating.  I have been able to move a lot of traffic from the old company's network, so our network now looks like this at the site I am working on.

Internet <--> [Public IP] ASA5510 [10.27.130.2] <--> 2501 Router [10.27.130.3]
                                                           ^
                                                           |
Old company <--> 2812 Router [10.27.130.1] <--> LAN [10.27.130.0/24]

The 2501 router is a temporary router that acts as the default gateway for the LAN.  This router just says that for the IP ranges of the old company and Oracle go to the 2812 router, otherwise go to the ASA.

I have remote VPN configured and working on the ASA (I am using the 10.27.230.0/24 range for those clients).  Can ping inside hosts, etc.  Now when I try to ping the Oracle server I am willing to bet that the packet is reaching the server; however, of course on the return trip through the old company's network, they have no clue where the 10.27.230.0/24 network is, or they have one already and are routing it a different way.

What I want to do is for certain IP ranges (we'll use 172.16.5.0/24 and 192.168.100.0/24 for examples), when the VPN clients want to communicate with those IP ranges, that there is a PAT done on the 10.27.230.0/24 VPN client, preferably to the 10.27.130.2 inside interface of the ASA or to another IP on the LAN that the ASA can proxy for.

I obviously have no control over the 2812 router and beyond due to it being owned and operated by the other company.

I don't know if it is possible, but what I was thinking was this:

nat (outside) 5 10.27.230.0 255.255.255.0
global (inside) 5 10.27.130.100

Not sure if that even makes sense, but any help is greatly appreciated.
Question by:Cyclops3590
7 Comments
 
LVL 25

Author Comment

by:Cyclops3590
ID: 16533807
Oops, sorry, one thing I forgot to mention was that those commands I was thinking about would of course NAT all traffic from VPN clients (if those commands would even work), and of course I would prefer NATting only when going from 10.27.230.0/24 to specific IP ranges.
 
LVL 9

Accepted Solution

by:
stressedout2004 earned 2000 total points
ID: 16535918
This is similar to what we have done on the following thread:

http://www.experts-exchange.com/Security/Firewalls/Q_21819590.html

I have basically tested config #1 below using PIX version 7.x; since the ASA and PIX pretty much have the same code, with some enhancements in the ASA code, it should work just fine.

On config #1, the VPN users, which are assigned an IP from the 10.27.230.0/24 subnet, will be translated to 10.27.130.100 whenever they communicate with the internal network, which includes the actual LAN and that of the old company.

On config #2, which I have not tested, the VPN users will be PATted to 10.27.130.100 only if they communicate with the old company (1.1.1.0/24).

Hope it helps.

#############################################################################
Variables used:

1.1.1.0/24 represents the old company
2.2.2.0/24 represents the LAN
10.27.130.100 is the PAT ip address used to translate VPN users on the inside

1) Outside NAT only (Tested to be working):


! Address pool handed to remote-access VPN clients
ip local pool vpn_pool 10.27.230.1-10.27.230.254

! NAT exemption for inside hosts (old company and LAN) talking to VPN clients
access-list inside_outbound_nat0_acl permit ip 1.1.1.0 255.255.255.0 10.27.230.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 2.2.2.0 255.255.255.0 10.27.230.0 255.255.255.0

! Outside NAT exemption: VPN clients are denied (so they are NOT exempt and
! fall through to the nat (outside) 2 rule below); everything else is exempt
access-list outside_nat deny ip 10.27.230.0 255.255.255.0 any
access-list outside_nat permit ip any any

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (outside) 0 access-list outside_nat OUTSIDE

! Dynamic PAT: all VPN-client sources become 10.27.130.100 when leaving inside
nat (outside) 2 10.27.230.0 255.255.255.0 OUTSIDE
global (inside) 2 10.27.130.100


2) Combining outside NAT and policy NAT (Not Tested):

! Address pool handed to remote-access VPN clients
ip local pool vpn_pool 10.27.230.1-10.27.230.254

! NAT exemption for inside hosts (old company and LAN) talking to VPN clients
access-list inside_outbound_nat0_acl permit ip 1.1.1.0 255.255.255.0 10.27.230.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 2.2.2.0 255.255.255.0 10.27.230.0 255.255.255.0

! Outside NAT exemption: only VPN client -> old company is denied (not exempt);
! VPN client -> LAN and everything else stays untranslated
access-list outside_nat deny ip 10.27.230.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list outside_nat permit ip any any

! Policy NAT match: only VPN client -> old company traffic gets PATted
access-list policy_nat permit ip 10.27.230.0 255.255.255.0 1.1.1.0 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (outside) 0 access-list outside_nat OUTSIDE

! Policy PAT to 10.27.130.100 for flows matching policy_nat
nat (outside) 2 access-list policy_nat OUTSIDE
global (inside) 2 10.27.130.100
 
LVL 25

Author Comment

by:Cyclops3590
ID: 16536068
Thanks will try this out; however I may not get back to you until Monday. (Taking thurs and fri off so I have to get a ton of other items done before i go)
 
LVL 25

Author Comment

by:Cyclops3590
ID: 16536209
One more thing.  I read the other thread and just wanted to rephrase one item to make sure I understood the outside_nat access-list.  With that access-list applied it is basically saying that traffic coming in the outside interface being examined for nonat should ignore traffic going from VPN clients to the old company (since that traffic needs to be handled by a NAT entry that will be processed later) but do look at everything else (which means do not NAT the traffic).  This is because there would already be static entries or global(outside)/nat(inside) or existing xlate entries to take care of any NAT translations that would need to occur, correct?
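To make the outside_nat / policy_nat interplay of config #2 concrete, and the reading of the outside_nat access-list in the comment just above, here is a small Python model added for this page; it is not ASA code or the poster's config. It assumes the ASA 7.x rule order (nat 0 exemption checked before policy NAT) and that nat-control is off, so unmatched flows pass untranslated.

```python
import ipaddress

# Added model (not ASA code) of the NAT decision for a flow entering the OUTSIDE
# interface from a VPN client under config #2.  Assumed rule order, as on ASA 7.x:
# nat 0 access-list (NAT exemption) is checked first, policy NAT after it.

def ace(action, src, dst):
    """Build one access-list entry; 'any' stands for 0.0.0.0/0."""
    def net(s):
        return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)
    return (action, net(src), net(dst))

def acl_match(acl, src, dst):
    """Action of the first ACE matching src->dst; None means implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action
    return None

# ACLs transcribed from config #2 (1.1.1.0/24 = old company, 2.2.2.0/24 = LAN).
OUTSIDE_NAT = [ace("deny", "10.27.230.0/24", "1.1.1.0/24"),
               ace("permit", "any", "any")]
POLICY_NAT = [ace("permit", "10.27.230.0/24", "1.1.1.0/24")]
PAT_ADDRESS = "10.27.130.100"  # global (inside) 2

def translate_from_outside(src, dst):
    """Return (source address the inside network sees, reason) for src->dst."""
    # nat (outside) 0 access-list outside_nat: a permit exempts the flow from NAT,
    # a deny (VPN client -> old company) lets it fall through to the next rule.
    if acl_match(OUTSIDE_NAT, src, dst) == "permit":
        return src, "nat 0: exempt, keeps VPN pool address"
    # nat (outside) 2 access-list policy_nat + global (inside) 2: PAT to 10.27.130.100.
    if acl_match(POLICY_NAT, src, dst) == "permit":
        return PAT_ADDRESS, "policy NAT: PATted to global (inside) 2"
    # No rule matched; with nat-control off (assumed) the flow passes untranslated.
    return src, "no NAT rule matched"

if __name__ == "__main__":
    # Constructed sample flows: one VPN client to the old company, one to the LAN.
    for flow in [("10.27.230.5", "1.1.1.10"), ("10.27.230.5", "2.2.2.10")]:
        seen, why = translate_from_outside(*flow)
        print(f"{flow[0]} -> {flow[1]}: source seen as {seen}  ({why})")
```

Swapping in the config #1 ACL (deny 10.27.230.0/24 to any, no policy_nat) shows why that variant PATs VPN clients toward the LAN as well.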
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16546110
Yes, pretty much.
 
LVL 25

Author Comment

by:Cyclops3590
ID: 16546277
Thanks.  Also, I'm scheduled to try this change Monday after work so I make sure not to affect day operations.
 
LVL 25

Author Comment

by:Cyclops3590
ID: 16596625
I apologize for not posting an update.  I got busy with something else and completely forgot to come back to this.

You can add option 2 to the workable list.  I tried it and it worked on the first try with no problems arising.

Thanks much