MCP200


Site-To-site VPN Natting inbound traffic?

Hi,

I am setting up a site-to-site VPN between our business and a 3rd party vendor.

I would like to NAT inbound connections from the 3rd party vendor to a dedicated pool internally which will be used for VPN only.

How can I implement this on the ASA, please? Will I need to NAT the source subnet to an IP address from my VPN pool?

Many Thanks.
SIM50

I think you can try something like this:

object network REMOTE_SOURCE
subnet 150.0.0.0 255.255.255.0

object network REMOTE_MAPPED
subnet 192.168.1.0 255.255.255.0

object network LOCAL_NETWORK
subnet 10.0.0.0 255.255.255.0

nat (outside,inside) source static REMOTE_SOURCE REMOTE_MAPPED destination static LOCAL_NETWORK LOCAL_NETWORK
MCP200

ASKER

Thanks for the reply.


Regarding the below line, REMOTE_MAPPED will be my VPN pool range, right?

So the NAT translation will be something like: source subnet REMOTE_SOURCE translates to REMOTE_MAPPED, which will be my VPN pool, and from my VPN pool allow access to the local network?


object network REMOTE_SOURCE
subnet 150.0.0.0 255.255.255.0

object network REMOTE_MAPPED
subnet 192.168.1.0 255.255.255.0
> Regarding the below line, REMOTE_MAPPED will be my VPN pool range, right?

Yes.

> So the NAT translation will be something like: source subnet REMOTE_SOURCE translates to REMOTE_MAPPED, which will be my VPN pool, and from my VPN pool allow access to the local network?

Inbound ACL should be for the REMOTE_SOURCE. ASA checks ACL first and then applies NAT.
Reference: https://www.tunnelsup.com/cisco-asa-order-of-operation/

ASKER

Thanks for that.

Do I need to NAT translate my full VPN subnet? Or do I select a specific IP address from the pool to translate for the remote peer? Because as more vendors come on board I will need to translate their RFC 1918 addresses?
> Do I need to NAT translate my full VPN subnet? Or do I select a specific IP address from the pool to translate for the remote peer? Because as more vendors come on board I will need to translate their RFC 1918 addresses?

It depends. What is the direction of the traffic? If it is one way from them into your network and you won't be initiating any connections, you can overload their whole network into one IP.
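To make the two points above concrete (the ACL is matched on the real, pre-NAT source, and a one-way vendor flow can be overloaded onto a single IP instead of a 1:1 subnet mapping), here is an added Python model of that evaluation using the thread's three objects. It is not ASA code and not from anyone in this thread; the helper names and the 192.168.1.1 overload address are assumptions.

```python
# Added model of the ASA 8.3+ inbound flow for this thread's objects.
# Function names and the overload address are constructed for illustration.
import ipaddress

REMOTE_SOURCE = ipaddress.ip_network("150.0.0.0/24")   # vendor's real subnet
REMOTE_MAPPED = ipaddress.ip_network("192.168.1.0/24") # VPN-only pool, same size
LOCAL_NETWORK = ipaddress.ip_network("10.0.0.0/24")
OVERLOAD_IP = ipaddress.ip_address("192.168.1.1")      # assumed single PAT IP

# The outside ACL is written against the REAL source, because the ASA
# evaluates the interface ACL before it applies NAT.
OUTSIDE_ACL = [(REMOTE_SOURCE, LOCAL_NETWORK, "permit")]


def acl_permits(src, dst):
    for net_src, net_dst, action in OUTSIDE_ACL:
        if src in net_src and dst in net_dst:
            return action == "permit"
    return False  # implicit deny at the end of every ASA ACL


def static_translate(src, dst):
    """Net-to-net static NAT keeps the host bits: 150.0.0.5 -> 192.168.1.5."""
    if src in REMOTE_SOURCE and dst in LOCAL_NETWORK:
        host_bits = int(src) - int(REMOTE_SOURCE.network_address)
        return REMOTE_MAPPED.network_address + host_bits
    return src


pat_table = {}


def overload_translate(src, sport):
    """Dynamic PAT: every vendor host shares OVERLOAD_IP, told apart by port.
    Only workable when the vendor always initiates, as the thread notes."""
    key = (src, sport)
    if key not in pat_table:
        pat_table[key] = (OVERLOAD_IP, 1024 + len(pat_table))
    return pat_table[key]


def process_inbound(src, dst, mode="static", sport=0):
    """Return the (source, destination) seen on the inside, or None if dropped."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not acl_permits(src, dst):          # step 1: ACL on real addresses
        return None
    if mode == "static":                   # step 2: NAT
        return (str(static_translate(src, dst)), str(dst))
    mapped_ip, mapped_port = overload_translate(src, sport)
    return (f"{mapped_ip}:{mapped_port}", str(dst))
```

Writing the ACL for 192.168.1.0/24 (the mapped pool) instead of 150.0.0.0/24 would never match, which the second assertion in the model shows.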

ASKER

Definitely they will be initiating the traffic. We won't be connecting to our supplier.

So in our case the mapped rule REMOTE_MAPPED will change from 192.168.1.0 255.255.255.0 to 192.168.1.1 255.255.255.0?

Thank you
ASKER CERTIFIED SOLUTION
SIM50

ASKER

Thanks a lot for the reply.

The above approach makes sense to me. I will give it a go and if I have issues I may come back asking for more help.

I haven't worked with NATing as much and am trying to grasp the idea.

Thank you

ASKER

Thank you A+