Doing destination NAT with Cisco ASA



I need to build a tunnel with a Cisco ASA.

It seems the vendor's interesting subnet 10.2.2.x is part of our LAN.

If I configure on the PA the vendor's interesting subnet as destination 192.168.1.x and translate it to 10.2.2.x in the PA, is this the right way?

 

Mike 

MP


Hey @MP18,

 

Not sure if I am getting your question correctly, but it seems you are asking how to configure the proxy IDs for the IPsec tunnel, right?

 

Usually you have a couple of ways to achieve this. Let's first define the setup with some example addresses:
Site A - behind Palo Alto FW
LAN - 10.3.3.0/24

 

Site B - behind ASA FW
LAN - 10.2.2.0/24 (192.168.1.0/24 for NAT)

So you have two options, depending on where you want the NAT to happen:
- Perform the NAT on the Palo Alto. That way you will need to define the Proxy IDs as follows: Local - 10.3.3.0/24, Remote - 10.2.2.0/24; a static route for 10.2.2.0/24 via tunnel.1; a NAT rule to translate the original 192.168.1.0/24 to 10.2.2.0/24; a rule to allow from 10.3.3.0/24 to 192.168.1.0/24. The problem with this scenario is that you have to put a static route for 10.2.2.0/24 via the tunnel interface. So the source will still use the NAT and traffic will take the correct path to the VPN tunnel, but if any other traffic passing through the Palo Alto firewall needs to go to your local 10.2.2.0/24 (not the tunnel) you will have problems.

 

- Perform the NAT on the ASA. This means you need: Proxy ID local 10.3.3.0/24, remote 192.168.1.0/24; a static route for 192.168.1.0/24 via tunnel.1; no NAT on the Palo Alto; a rule to allow 10.3.3.0/24 to 192.168.1.0/24. On the ASA you have to configure the same encryption domain, but then perform NAT to translate 192.168.1.0/24 to 10.2.2.0/24. As you can see, in this case the config on your end is straightforward and it is up to the other end to perform the proper NAT.

 

If your local network completely overlaps with the remote one (instead of 10.3.3.0/24 your local is again 10.2.2.0/24), you will need to do twice NAT on both ends.


Hi @MP18, that depends on which direction sessions will need to go in, and which subnets need to communicate.

 

Do you have exactly the same subnet, or is 10.2.2.x just part of yours, and will there be connections coming from there or only from a different part?

 

You may need to set up source and destination NAT on your end so the vendor does not receive connections from his IP range.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Yes, we have the same subnet 10.2.2.x in our network.

So what I can do is have some other subnet as the destination in my network and, when traffic goes to the tunnel, destination NAT it to 10.2.2.x, which is the interesting traffic on the vendor side?

MP


Yes, for example do destination translation 192.168.0.0/24 to 10.2.2.0/24 and you will be talking to 192.168.0.5, which translates to 10.2.2.5 on the other end.

Gotchas:
- Make sure the subnets match up
- Add a route for 192.168.0.0/24 into the tunnel, else you'll spam proxy ARP for 192.x.x.x out of every interface
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
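The translation logic the replies above describe, as an added example that is not part of the original posts and is not configuration or code from Palo Alto Networks or Cisco: a small Python model of one firewall that routes on the pre-NAT destination, applies a static 1:1 network NAT that keeps the host bits (so 192.168.0.5 becomes 10.2.2.5), and then checks the post-NAT packet against the tunnel's proxy IDs. It covers the accepted answer (partial overlap, destination NAT only), the "twice NAT" case from the earlier reply (both LANs are 10.2.2.0/24), and both gotchas: mismatched subnet sizes and a missing route into the tunnel. The interface names, the 172.16.2.0/24 hide range used for the source NAT, and the sample packets are constructed assumptions; routing purely on the pre-NAT destination is a simplification of what a real firewall does.

```python
"""Model of overlapping-subnet VPN NAT (added example, not vendor code).

Assumptions: interface names, the 172.16.2.0/24 source-hide range and the
sample packets are constructed for illustration; the route lookup is done on
the pre-NAT destination only, a simplification of real firewall behaviour.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class NatRule:
    orig_src: IPv4Network
    orig_dst: IPv4Network
    new_src: Optional[IPv4Network] = None   # set for source NAT (twice NAT)
    new_dst: Optional[IPv4Network] = None   # set for destination NAT


@dataclass(frozen=True)
class Tunnel:
    interface: str
    local_proxy: IPv4Network    # proxy ID local  = post-NAT source range
    remote_proxy: IPv4Network   # proxy ID remote = post-NAT destination range


def subnets_match(original, translated) -> bool:
    """'Make sure the subnets match up': 1:1 network NAT needs equal prefix lengths."""
    return ip_network(original).prefixlen == ip_network(translated).prefixlen


def translate_network(addr, original, translated) -> IPv4Address:
    """Static network-to-network NAT: swap the network bits, keep the host bits."""
    addr, original, translated = ip_address(addr), ip_network(original), ip_network(translated)
    if not subnets_match(original, translated):
        raise ValueError(f"{original} and {translated} differ in size; no 1:1 mapping")
    if addr not in original:
        raise ValueError(f"{addr} is outside {original}")
    host_bits = int(addr) - int(original.network_address)
    return IPv4Address(int(translated.network_address) + host_bits)


class Firewall:
    def __init__(self, routes: dict, nat_rules: list, tunnel: Tunnel):
        self.routes = {ip_network(k): v for k, v in routes.items()}  # destination -> interface
        self.nat_rules = nat_rules
        self.tunnel = tunnel

    def egress(self, dst: IPv4Address) -> str:
        """Longest-prefix match on the pre-NAT destination (the route the gotcha asks for)."""
        matches = [n for n in self.routes if dst in n]
        if not matches:
            raise LookupError(f"no route for {dst}")
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

    def forward(self, pkt: Packet) -> tuple:
        """Return (post-NAT src, post-NAT dst, egress interface) for one packet."""
        iface = self.egress(pkt.dst)
        for rule in self.nat_rules:
            if pkt.src in rule.orig_src and pkt.dst in rule.orig_dst:
                src = translate_network(pkt.src, rule.orig_src, rule.new_src) if rule.new_src else pkt.src
                dst = translate_network(pkt.dst, rule.orig_dst, rule.new_dst) if rule.new_dst else pkt.dst
                pkt = Packet(src, dst)
                break
        # Only traffic that actually enters the tunnel must fit the proxy IDs.
        if iface == self.tunnel.interface and (
            pkt.src not in self.tunnel.local_proxy or pkt.dst not in self.tunnel.remote_proxy
        ):
            raise ValueError(f"post-NAT {pkt.src}->{pkt.dst} is outside the proxy IDs")
        return str(pkt.src), str(pkt.dst), iface


def accepted_solution(src="10.3.3.7", dst="192.168.0.5", route_into_tunnel=True) -> tuple:
    """Partial overlap: our own 10.2.2.0/24 stays local, vendor's is reached as 192.168.0.0/24."""
    routes = {"10.2.2.0/24": "ethernet1/3", "10.3.3.0/24": "ethernet1/2", "0.0.0.0/0": "ethernet1/1"}
    if route_into_tunnel:
        routes["192.168.0.0/24"] = "tunnel.1"   # without it the packet follows the default route
    fw = Firewall(
        routes=routes,
        nat_rules=[NatRule(ip_network("10.3.3.0/24"), ip_network("192.168.0.0/24"),
                           new_dst=ip_network("10.2.2.0/24"))],
        tunnel=Tunnel("tunnel.1", ip_network("10.3.3.0/24"), ip_network("10.2.2.0/24")),
    )
    return fw.forward(Packet(ip_address(src), ip_address(dst)))


def twice_nat(src="10.2.2.9", dst="192.168.0.5") -> tuple:
    """Full overlap: both LANs are 10.2.2.0/24, so source and destination are translated."""
    fw = Firewall(
        routes={"10.2.2.0/24": "ethernet1/2", "192.168.0.0/24": "tunnel.1", "0.0.0.0/0": "ethernet1/1"},
        nat_rules=[NatRule(ip_network("10.2.2.0/24"), ip_network("192.168.0.0/24"),
                           new_src=ip_network("172.16.2.0/24"), new_dst=ip_network("10.2.2.0/24"))],
        tunnel=Tunnel("tunnel.1", ip_network("172.16.2.0/24"), ip_network("10.2.2.0/24")),
    )
    return fw.forward(Packet(ip_address(src), ip_address(dst)))


if __name__ == "__main__":
    print(accepted_solution())                       # ('10.3.3.7', '10.2.2.5', 'tunnel.1')
    print(accepted_solution(route_into_tunnel=False)) # leaves via ethernet1/1, never enters the tunnel
    print(twice_nat())                               # ('172.16.2.9', '10.2.2.5', 'tunnel.1')
    print(twice_nat(dst="10.2.2.20"))                # local 10.2.2.0/24 traffic is untouched
```

Two things the model makes visible that the prose only states: a packet for 192.168.0.5 with no route into the tunnel is still translated but leaves through the default-route interface, so the security and NAT rules alone do not steer it into the VPN; and in the full-overlap case the source NAT is what keeps the vendor from seeing connections arriving from his own 10.2.2.0/24, while local 10.2.2.0/24 to 10.2.2.0/24 traffic never matches the rule and is forwarded unchanged.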