
16 Jul 12 Cisco ASA Policy Based Static Source NAT

How to perform Policy Based Static Source NAT for an IPSec VPN between Cisco ASA and IOS Router

Setting up VPN connectivity between multiple locations is a pretty common task these days. It is a very simple and straightforward setup unless NAT comes into play, for example when two offices use overlapping subnets. Usually the solution in that scenario is simple: both sides perform NAT and present their internal network as something else to the other end of the IPSec tunnel.

Recently I had a unique situation. I was working on a firewall with multiple VPNs, and they pretty much all had a standard setup. A couple of the VPNs needed a non-standard setup because of an overlap in their networks. This was the scenario:

  • Subnets on both sites were the same, i.e. 192.168.1.0/24
  • Site A had a Cisco ASA and Site B had a Cisco IOS Router
  • Site B was performing NAT overload and presenting its internal subnet as a single other IP over the IPSec tunnel
  • Site B needed to communicate with a couple of hosts located at Site A (192.168.1.10 and 192.168.1.11)
  • Since the 192.168.1.0/24 network was also in use at Site B, hosts at Site B couldn’t reach those two hosts at Site A (traffic for 192.168.1.10 and 192.168.1.11 never leaves Site B’s local subnet)
  • What we needed was a static policy based source NAT on the Cisco ASA so that hosts at Site B, instead of sending traffic to 192.168.1.10 and 192.168.1.11, send it to other IPs such as 1.1.1.1 and 2.2.2.2
  • The next issue: since there were multiple VPNs on the Cisco ASA and other remote sites were accessing 192.168.1.10 and 192.168.1.11 by their real addresses, the NAT on my end had to apply to this one site only and not affect the other VPNs
  • Take a look at the picture below to get an idea; after that I will elaborate a bit more on how I accomplished it

I’m not going to go deep into setting up the whole VPN on both ends because that is not the topic here. Basically, on the Cisco Router at Site B, NAT overload was used for the IPSec VPN and the whole internal network 192.168.1.0/24 was NATed to 172.16.1.1 towards the Cisco ASA at Site A. For the interesting traffic (crypto ACL) on both ends, 1.1.1.1 and 2.2.2.2 were used instead of 192.168.1.10 and 192.168.1.11.

Here are the Cisco ASA steps that I used to perform Policy Based Static Source NAT:

! Match the real source host only when the destination is Site B's NAT address
access-list POLICYNAT1 extended permit ip host 192.168.1.10 host 172.16.1.1
access-list POLICYNAT2 extended permit ip host 192.168.1.11 host 172.16.1.1
!
! Policy static NAT: translate the source to the mapped address only for flows that match the ACL
static (inside,outside) 1.1.1.1 access-list POLICYNAT1
static (inside,outside) 2.2.2.2 access-list POLICYNAT2

Don’t forget that the crypto map (interesting traffic ACL) on the Cisco ASA uses the reverse of what was set up on the Cisco IOS Router at Site B, i.e. 1.1.1.1 to 172.16.1.1 and 2.2.2.2 to 172.16.1.1. The crypto ACL has to reference the mapped addresses because the ASA translates the packet before it evaluates the crypto map on the way out. So this basically allowed 192.168.1.10 and 192.168.1.11 to be translated into 1.1.1.1 and 2.2.2.2 every time the source was 192.168.1.10 or 192.168.1.11 and the destination was 172.16.1.1 (ONLY). Similarly, when hosts from Site B communicated with 1.1.1.1 or 2.2.2.2, the Cisco ASA translated those IPs to 192.168.1.10 and 192.168.1.11 on the way in and back to 1.1.1.1 and 2.2.2.2 on the way out. Hope this will help out someone else out there 🙂
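Both ends of the tunnel put together, as an added example that is not part of the original post. The POLICYNAT1/POLICYNAT2 lines and the addresses are the post’s; everything else is assumed: the ASA crypto map name OUTSIDE_MAP and sequence 20, the ACL, route-map and pool names on the IOS router, 10.20.0.0/16 standing in for some other remote site that must keep reaching the real addresses, and that the peers, transform sets and interface bindings of the existing VPN are already in place and unchanged.

```cisco
! ===== Site A: Cisco ASA, pre-8.3 syntax =====
!
! Policy static NAT from the post: 192.168.1.10/.11 appear as 1.1.1.1/2.2.2.2,
! but only when the destination is Site B's NAT address 172.16.1.1.
access-list POLICYNAT1 extended permit ip host 192.168.1.10 host 172.16.1.1
access-list POLICYNAT2 extended permit ip host 192.168.1.11 host 172.16.1.1
static (inside,outside) 1.1.1.1 access-list POLICYNAT1
static (inside,outside) 2.2.2.2 access-list POLICYNAT2
!
! Interesting traffic for the Site B tunnel is written with the MAPPED addresses:
! the ASA applies NAT before the crypto map sees the packet on egress.
! (assumed name OUTSIDE_MAP / entry 20; peer and transform set left as already configured)
access-list SITEB-CRYPTO extended permit ip host 1.1.1.1 host 172.16.1.1
access-list SITEB-CRYPTO extended permit ip host 2.2.2.2 host 172.16.1.1
crypto map OUTSIDE_MAP 20 match address SITEB-CRYPTO
!
! Other VPNs keep reaching 192.168.1.10/.11 untranslated through NAT exemption.
! The exemption ACL must NOT match destination 172.16.1.1: "nat 0 access-list" is
! evaluated before policy static NAT and would silently win. 10.20.0.0/16 is an
! assumed placeholder for any other remote site.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
!
! ===== Site B: Cisco IOS router (all names assumed) =====
!
! Only traffic bound for the two mapped hosts is overloaded onto 172.16.1.1; the
! route-map keeps the router's ordinary Internet NAT (not shown) out of the picture.
ip access-list extended VPN-NAT
 permit ip 192.168.1.0 0.0.0.255 host 1.1.1.1
 permit ip 192.168.1.0 0.0.0.255 host 2.2.2.2
!
route-map VPN-OVERLOAD permit 10
 match ip address VPN-NAT
!
ip nat pool VPN-POOL 172.16.1.1 172.16.1.1 netmask 255.255.255.0
ip nat inside source route-map VPN-OVERLOAD pool VPN-POOL overload
!
! Mirror image of the ASA crypto ACL: IOS also translates before it encrypts,
! so the crypto ACL sees 172.16.1.1 as the source.
ip access-list extended VPN-CRYPTO
 permit ip host 172.16.1.1 host 1.1.1.1
 permit ip host 172.16.1.1 host 2.2.2.2
!
crypto map VPN-MAP 10 ipsec-isakmp
 match address VPN-CRYPTO
```

To check the ASA side before trusting it, run `packet-tracer input inside tcp 192.168.1.10 1025 172.16.1.1 80` and confirm that the NAT phase picks the POLICYNAT1 static and the VPN phase matches SITEB-CRYPTO; then repeat with a destination in the other site’s range (10.20.1.1 in this example) and confirm the NONAT exemption is hit instead. Once traffic has flowed, `show xlate` should list a translation between Global 1.1.1.1 and Local 192.168.1.10.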

Note: This example is for pre 8.3 code. Two things to check before copying it: on pre 8.3 code NAT exemption (nat 0 access-list) is evaluated before policy static NAT, so an existing exemption ACL for the other VPNs must not match traffic destined to 172.16.1.1, or the policy static will never be hit; and 1.1.1.1 and 2.2.2.2 are only placeholders here, so pick mapped addresses from space you control (or unused RFC 1918 space) rather than addresses that belong to someone else on the Internet. Please keep in mind that this is a reference point only. There are other configuration options available to tweak this according to your needs. Remember to always back up your work before you make any changes, always test configurations in the lab, and never do anything that you cannot undo 🙂 .


Reader's Comments

  1.

    Can you please provide the configuration for how to perform this on Cisco ASA 8.3 and later.

    Thanks
    Rudresh

  2.

    I’m sure you probably already figured this out. But if you still need to get this done, there is an excellent site that can give you an idea on the conversions.
    http://www.tunnelsup.com/nat-converter/
    Basically you will take the 3 IPs and create object networks like:
    object network obj-192.168.1.10
     host 192.168.1.10
    !
    object network obj-172.16.1.1
     host 172.16.1.1
    !
    object network obj-1.1.1.1
     host 1.1.1.1
    ### Next create a NAT statement ###
    ! inside/outside are the interface names used in the post; object names are case-sensitive
    nat (inside,outside) source static obj-192.168.1.10 obj-1.1.1.1 destination static obj-172.16.1.1 obj-172.16.1.1
    *** NOTE: I suggest lab it out first and test before putting it in production ***
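The complete 8.3+ equivalent for both hosts, as an added example that is not part of the original post or of the comment above. The addresses and the inside/outside interface names come from the post; the object and ACL names, the line numbers on the nat statements, and 10.20.0.0/16 as a stand-in for some other remote site are assumptions.

```cisco
! Site A ASA, 8.3+ syntax. Object/ACL names are assumed.
object network SITEA-HOST10
 host 192.168.1.10
object network SITEA-HOST10-MAPPED
 host 1.1.1.1
object network SITEA-HOST11
 host 192.168.1.11
object network SITEA-HOST11-MAPPED
 host 2.2.2.2
object network SITEB-NAT
 host 172.16.1.1
!
! Twice NAT (manual NAT, section 1): the source is translated only when the destination
! is Site B's NAT address. "destination static SITEB-NAT SITEB-NAT" is an identity
! translation whose only job is to pin the rule to this one peer.
! Explicit line numbers 1 and 2 keep these rules ahead of any broader identity rule,
! because manual NAT is first-match in configuration order.
nat (inside,outside) 1 source static SITEA-HOST10 SITEA-HOST10-MAPPED destination static SITEB-NAT SITEB-NAT
nat (inside,outside) 2 source static SITEA-HOST11 SITEA-HOST11-MAPPED destination static SITEB-NAT SITEB-NAT
!
! 8.3+ replacement for "nat 0 access-list": identity NAT so the other sites keep
! reaching the real addresses. Only needed if a dynamic PAT for Internet access would
! otherwise catch this traffic. 10.20.0.0/16 is an assumed placeholder.
object network SITEA-LAN
 subnet 192.168.1.0 255.255.255.0
object network REMOTE-SITE-C
 subnet 10.20.0.0 255.255.0.0
nat (inside,outside) source static SITEA-LAN SITEA-LAN destination static REMOTE-SITE-C REMOTE-SITE-C
!
! The crypto ACL is unchanged from the pre-8.3 version: NAT still runs before the
! crypto map, so interesting traffic is still written with the mapped addresses
! (unlike 8.3+ interface ACLs, which switched to real addresses).
access-list SITEB-CRYPTO extended permit ip host 1.1.1.1 host 172.16.1.1
access-list SITEB-CRYPTO extended permit ip host 2.2.2.2 host 172.16.1.1
```

`show nat` lists the manual rules in evaluation order with per-rule hit counts, which is the quickest way to confirm that a Site B test flow is hitting rule 1 or 2 rather than the identity rule below it; `packet-tracer input inside tcp 192.168.1.10 1025 172.16.1.1 80` shows the same decision for a single synthetic packet.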
