Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Cisco ASA PIX Multiple NAT Statements

Posted on 2014-12-10
5
Medium Priority
?
225 Views
Last Modified: 2015-01-07
I have a host on which I have IIS running and it therefore needs to be publicly accessible on TCP80/443.

I now also need this host to be accessible over an IPSec VPN tunnel, also on TCP80/443.

The remote end requires me to source NAT my host and I therefore need the following.

1. Host A NATs to public IP x.x.x.x under normal circumstances.
2. Host A NATs to private IP y.y.y.y only when passing traffic over the IPSec tunnel.

How do I configure this ?

I originally had a static NAT statement mapping host A to y.y.y.y. If I try to add a second NAT statement using an ACL which specifies host A and the remote subnets I get an overlap error.

If I remove both statements and enter the NAT statement with the ACL first followed by the statement mapping host A to y.y.y.y I get the same error.

How can I configure it to NAT to different IP addresses based on different destinations ?

TIA
0
Comment
Question by:ccfcfc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 17

Expert Comment

by:James H
ID: 40491814
OK. You definitely need to NAT from public to Host A, that's a given.
Why did you feel you needed to NAT the IPSec? As long as you enable Reverse routing, it will forward those packets out the same interface.  The ACL you configure as required but what happens to the remote network with the NAT statement removed? Is the tunnel configured to pass that traffic across? Can you show any logs?
0
 

Author Comment

by:ccfcfc
ID: 40491850
The remote side has imposed a subnet on us.

We need to NAT to addresses within this subnet that they have provided us for traffic going over the IPSec tunnel to meet with their addressing requirements, so I don't have the option of not doing this.

There isn't any logging to show yet as when I try to enter the second NAT statement I get the error message about an overlap.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 40491916
You need to configure (nat exemption) an access-list and apply it to your NAT statement so that the IP addresses or subnets listed in the ACL are exempt from the NAT.

The configuration is different for 8.2 and earlier and 8.3 and later.
0
 

Author Comment

by:ccfcfc
ID: 40492659
NAT exemption is what I would normally be applying to traffic passing over an IPSec tunnel.

This isn't NAT exemption - the third party at the remote side is dictating the address that I need to NAT my side to. I cannot just NAT exempt it to use my private IP addresses - I have to NAT it to the addresses that I have been provided.
0
 
LVL 29

Accepted Solution

by:
Jan Springer earned 2000 total points
ID: 40492712
NAT rules are processed in order.  Can you place this rule above your current NAT rule?

nat (outside,outside) source static REMOTE_IP NEW_PUBLIC destination static NEW_PUBLIC CURRENT_PUBLIC

nat(outside,outside) source static CURRENT_PUBLIC NEW_PUBLIC destination static NEW_PUBLIC REMOTE_IP

or

nat(inside,outside) source status REMOTE_IP NEW_PUBLIC destination static NEW_PUBLIC INSIDE_IP

nat(outside,inside) source static INSIDE_IP NEW_PUBLIC destination static NEW_PUBLIC REMOTE_IP
0

Featured Post

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question