Solved

Cisco ASA NAT question

Posted on 2013-05-15
5
671 Views
Last Modified: 2013-05-17
Imagine two ASAs connecting via IPSec tunnel over the Internet.  
Inside IP of ASA-1 is 10.10.1.1 while inside IP of ASA-2 is 10.10.2.1.
There is a router inside of ASA-2 at 10.10.2.5.  And on the far side
of that router (let's call it R2) - is network 192.168.77.0/24.  
If I am on a host inside ASA-1 say 10.10.1.100 - I can ping R2
no problem (10.10.2.5).  The encryption domain for ASA-1 says
encrypt any traffic destined for 10.10.2.0 or 192.168.77.0/24.
The encryption domain ASA-2 says encrypt any traffic to 10.10.1.0/24.

Now let's say that R2 only wants to receive traffic from IP addresses
in the 10.10.2.0/24 subnet.  So I add at ASA-2:

static (Outside,inside) 10.10.2.100 10.10.1.100 netmask 255.255.255.255

I want to ping 192.168.77.100 from host 10.10.1.100.  
Would there be any special considerations for the reply traffic being able
to return to 10.10.1.100 over the tunnel?  That is the ICMP Echo Req
hits R2 with source 10.10.2.100 and dest 192.168.77.100.  The
reply comes back to 10.10.2.100 on the ASA.  The ASA would then need to
"un-nat" that to 10.10.1.100 and bring the reply safely home to
10.10.1.100.  Should that work?  I have not had to have this post-tunnel
nat before and would appreciate insight from anyone who might have
done this in the past.  

Thanks!
2013-05-15-16.23.55.jpg
0
Comment
Question by:amigan_99
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39171076
i'm not sure why you're adding the static command to ASA-2 to be honest.  It sounds like all of that traffic should be part of ACLs that get applied to nat 0.

ASA-1 - nat 0 - 10.10.2.0/24 to 10.10.1.0/24 or 192.168.77.0/24
ASA-2 - nat 0 - 10.10.1.0/24 or 192.168.77.0/24 to 10.10.2.0/24

then make sure each uses those for the crypto map as well which it sounds like you have.  As long as routing working on the R2 to forward packets to the ASA-2 (a default route will work) then you should be fine and be able to ping one another.

or am I missing something?
0
 
LVL 28

Expert Comment

by:asavener
ID: 39171213
The encryption domain for ASA-1 says
encrypt any traffic destined for 10.10.2.0 or 192.168.77.0/24.
The encryption domain ASA-2 says encrypt any traffic to 10.10.1.0/24.
I always make the access lists for my IPSec tunnels exactly reciprocal; I've had trouble bringing up the VPN if this isn't the case.....
0
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 39171224
Should that work?  I have not had to have this post-tunnel
nat before and would appreciate insight from anyone who might have
done this in the past.  
Yes, this will work.  There's an order of operations, and NAT occurs before crypto.  (for outbound traffic.  For inbound traffic it's decrypt then NAT.

You have to make sure not to use an IP address that conflicts with other devices on the 10.10.1.0/24 network, though.  Because of this, NAT'ing the entire subnet will not work.

You might have to adjust any access lists on ASA1.  I honestly can't remember if the VPN traffic gets evaluated, and if so, if it's the original or NAT'd address that's evaluated.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39171362
btw, you'd need to setup a route on the ASA to forward traffic for 192.168.77.0/24 to R2 as well.
0
 
LVL 1

Author Closing Comment

by:amigan_99
ID: 39176640
Yes it did.  Thank you for the reminder on the order of operations.
0

Featured Post

Is Your DevOps Pipeline Leaking?

Is your CI/CD pipeline a hodge-podge of randomly connected tools? You’ve likely got a tool to fix one problem & then a different tool to fix another, resulting in a cluster of tools with overlapping functionality. Learn how to optimize your pipeline with Gartner's recommendations

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco Licensing for Wi Fi 4 82
Can VBS count the number of items in an array 8 93
ASA NAT rule change 3 86
Cisco EAP TLS, ACS and changing Root CA 4 78
The Cisco RV042 router is a popular small network interfacing device that is often used as an internet gateway. Network administrators need to get at the management interface to make settings, change passwords, etc. This access is generally done usi…
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question