Cisco ASA NAT question
amigan_99 asked:
Imagine two ASAs connecting via IPSec tunnel over the Internet.
Inside IP of ASA-1 is 10.10.1.1 while inside IP of ASA-2 is 10.10.2.1.
There is a router inside of ASA-2 at 10.10.2.5. And on the far side
of that router (let's call it R2) - is network 192.168.77.0/24.
If I am on a host inside ASA-1 say 10.10.1.100 - I can ping R2
no problem (10.10.2.5). The encryption domain for ASA-1 says
encrypt any traffic destined for 10.10.2.0 or 192.168.77.0/24.
The encryption domain ASA-2 says encrypt any traffic to 10.10.1.0/24.
Now let's say that R2 only wants to receive traffic from IP addresses
in the 10.10.2.0/24 subnet. So I add at ASA-2:
static (Outside,inside) 10.10.2.100 10.10.1.100 netmask 255.255.255.255
I want to ping 192.168.77.100 from host 10.10.1.100.
Would there be any special considerations for the reply traffic being able
to return to 10.10.1.100 over the tunnel? That is the ICMP Echo Req
hits R2 with source 10.10.2.100 and dest 192.168.77.100. The
reply comes back to 10.10.2.100 on the ASA. The ASA would then need to
"un-nat" that to 10.10.1.100 and bring the reply safely home to
10.10.1.100. Should that work? I have not had to have this post-tunnel
nat before and would appreciate insight from anyone who might have
done this in the past.
Thanks!
(attached image: 2013-05-15-16.23.55.jpg)
> The encryption domain for ASA-1 says
> encrypt any traffic destined for 10.10.2.0 or 192.168.77.0/24.
> The encryption domain ASA-2 says encrypt any traffic to 10.10.1.0/24.

I always make the access lists for my IPSec tunnels exactly reciprocal; I've had trouble bringing up the VPN if this isn't the case...
btw, you'd need to set up a route on the ASA to forward traffic for 192.168.77.0/24 to R2 as well.
ASKER
Yes it did. Thank you for the reminder on the order of operations.
ASA-1 - nat 0 - 10.10.2.0/24 to 10.10.1.0/24 or 192.168.77.0/24
ASA-2 - nat 0 - 10.10.1.0/24 or 192.168.77.0/24 to 10.10.2.0/24
then make sure each uses those for the crypto map as well, which it sounds like you have. As long as routing is working on R2 to forward packets to ASA-2 (a default route will work) then you should be fine and be able to ping one another.
or am I missing something?
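The order of operations the thread turns on (the static un-NATs the reply's destination before ASA-2 checks it against its crypto ACL, and ASA-2 needs a route to R2 for the request), as an added model written for this page, not code from the thread or from Cisco. The addresses are the thread's; the three-step packet path (NAT, route lookup, crypto-ACL match on the post-NAT packet) is an assumption of the model, not an ASA implementation.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's topology, not an ASA simulator. ASA-2's
# packet path is reduced to three steps: NAT (the static), route lookup, and
# the crypto-ACL match, which the model applies to the post-NAT packet.
STATIC = {ip_address("10.10.2.100"): ip_address("10.10.1.100")}  # mapped -> real
ROUTES = {ip_network("192.168.77.0/24"): "10.10.2.5",           # route to R2
          ip_network("10.10.2.0/24"): "connected"}
CRYPTO_ASA1 = [(ip_network("10.10.1.0/24"), ip_network("10.10.2.0/24")),
               (ip_network("10.10.1.0/24"), ip_network("192.168.77.0/24"))]
CRYPTO_ASA2 = [(ip_network("10.10.2.0/24"), ip_network("10.10.1.0/24")),
               (ip_network("192.168.77.0/24"), ip_network("10.10.1.0/24"))]

def in_domain(acl, src, dst):
    """True if (src, dst) falls inside one line of an encryption domain."""
    return any(src in s and dst in d for s, d in acl)

def echo_request(src, dst, static=STATIC):
    """Request from 10.10.1.100: ASA-1 decides whether to encrypt it; ASA-2
    then translates the remote source to its mapped address and routes it."""
    src, dst = ip_address(src), ip_address(dst)
    if not in_domain(CRYPTO_ASA1, src, dst):
        return None, "not in ASA-1 encryption domain"
    real_to_mapped = {real: mapped for mapped, real in static.items()}
    src_as_seen_by_r2 = real_to_mapped.get(src, src)
    next_hop = next((nh for net, nh in ROUTES.items() if dst in net), None)
    if next_hop is None:
        return str(src_as_seen_by_r2), "no route on ASA-2 (needs route to R2)"
    return str(src_as_seen_by_r2), f"forwarded via {next_hop}"

def echo_reply(src, dst, static=STATIC):
    """Reply from behind R2 reaches ASA-2's inside interface addressed to the
    mapped 10.10.2.100: un-NAT first, then match the crypto ACL on the result."""
    src, dst = ip_address(src), ip_address(dst)
    real_dst = static.get(dst, dst)
    if in_domain(CRYPTO_ASA2, src, real_dst):
        return str(real_dst), "encrypted to ASA-1"
    return str(real_dst), "outside encryption domain, not tunnelled"
```

Running `echo_reply` with an empty `static` shows the failure case: the reply stays addressed to 10.10.2.100, which no line of ASA-2's crypto ACL covers, so it never enters the tunnel.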