topic Re: Doing destinat NAT with Cisco ASA in General Topics

Doing destinat NAT with Cisco ASA

MP18 — Tue, 22 Jan 2019 03:15:03 GMT

I need to build tunnel with Cisco ASA.

Seems vendor's interesting subnet 10.2.2.x is part of our LAN.

If i config on PA vendor interesting subnet as destination 192.168.1.x and translate to 10.2.2.x in PA is this right way?

Mike

Re: Doing destinat NAT with Cisco ASA

aleksandar.astardzhiev — Tue, 22 Jan 2019 15:00:17 GMT

Hey @MP18,

Not sure if I am getting your question correctly, but it seems you are asking how to configure the proxy IDs for the IPsec tunnel, right?

Usually you have couple of ways to achieve this. Lets first define the setup with some example addresses:
Site A - behind Palo Alto FW
LAN - 10.3.3.0/24

Site B - behind ASA FW
LAN - 10.2.2.0/24 (192.168.1.0/24 for NAT)

So you have to options, depending on where do you want for the NAT to happen:
- Perform the NAT on the Palo Alto. That way you will need to define Proxy IDs as follow: Local - 10.3.3.0/24, Remote - 10.2.2.0/24; static route for 10.2.2.0/24 via tunnel.1; NAT rule to translate original 192.168.1.0/24 to 10.2.2.0/24; Rule to allow from 10.3.3.0/24 to 192.168.1.0/24. The problem with this scenario is that you have to put static route for the 10.2.2.0/24 via the tunnel interface. So the source will still use the NAT and traffic will take the correct path to the VPN tunnel, but if any other traffic passing through the Palo Alto firewall needs to go your local 10.2.2.0/24 (not the tunnel) you will have problems

- Perform the NAT on the ASA. This means you need: Proxy ID local 10.3.3.0/24, remote - 192.168.1.0/24; static route for 192.168.1.0/24 via tunnel.1; No NAT on the Palo Alto; Rule to allow 10.3.3.0/24 to 192.168.0/24. On the ASA you have to configure same encryption domain, but then perform NAT to translate 192.168.1.0/24 to 10.2.2.0/24. As you can see in this case on your end the config is straightforward and it is up to the other end to perform the proper NAT.

If your local network is completely overlapping with the remote - instead of 10.3.3.0/24 your local is again 10.2.2.0/24, you will need to do twice NAT on both ends.

Re: Doing destinat NAT with Cisco ASA

reaper — Wed, 23 Jan 2019 15:34:52 GMT

hi @MP18 that depends which direction sessions will need to go in,and which subnets need to communicate

do you have exactly the same subnet or is 10.2.2.x just part of yours, and will there be connections coming from there or only a different part?

you may need to set up source and destination nat on your end so the vendor does not receive connections from his ip range

Re: Doing destinat NAT with Cisco ASA

MP18 — Wed, 23 Jan 2019 16:18:16 GMT

Yes we have same subnet 10.2.2.x in our network

so what i can do is have some other subnet as destination in my network and when traffic goes to tunnel do it destination nat to

10.2.2.x which is interstting traffic on vendor side.?

Re: Doing destinat NAT with Cisco ASA

reaper — Wed, 23 Jan 2019 17:27:45 GMT

Yes, for example do destination translateion 192.168.0.0/24 to 10.2.2.0/24 and you will be talking to 192.168.0.5 which translates to 10.2.2.5 on the other end

Gotchas:
Make sure the subnets match up
Add a route for 192.168.0.0/25 into the tunnel, else you'll spam proxy arp for 192.x.x.x out of every interface