
Bi-Directional Policy NAT

IPsec, L2TP, Split tunneling, PPTP and all other VPN related posts.

Bi-Directional Policy NAT

Postby Guest » Wed Dec 08, 2010 3:46 pm

Is a policy-based bi-directional NAT possible? I can find plenty of examples to handle a single bi-directional NAT, but the Cisco documentation I've read states that policy-based NAT translates local addresses only. However, I've read conflicting documentation from Cisco where it says any NAT besides NAT exemption can be configured for policy NAT. I've spent numerous hours researching a configuration that could handle this but have come up empty. I would imagine I'm not the first person to run into this; Cisco's documentation is just unclear to me.

 

Site A will terminate L2L VPNs from Site B and Site C to an ASA 5520. Site A has no administrative control over B or C. Site B and C are choosing to expose their same overlapping private address space.

 

I'm no expert but forced into this by the unexpected exit of our Network Engineer. Can anyone provide assistance?

 

I know that I need to:

1. specify the address to be translated

2. specify the inside global to translate to

 

I believe I accomplish this with:

  • static (outside, inside) 172.17.1.1 10.128.0.0 netmask 255.128.0.0
  • access-list 101 permit ip 10.128.0.0 255.128.0.0
  • access-group 101 inside interface outside

 

I believe I'll need to create route statements for this as well:

  • route outside 10.128.0.0 255.128.0.0 12.126.x.x

 

This satisfies one VPN, but what about Site C? Can I use policy NAT to map that customer's 10.128.0.0/9 to, say, 172.17.2.2? I know the address space I'm mapping to doesn't handle the /9 being exposed to me, but I'll never exceed the range I'm mapping it to. Once I know exactly how many IPs will be coming over the VPN, I will actually create a 1:1 translation as governed by our security policy.

 

I hope I'm on the right track here and have explained this in a manner that isn't too confusing. Any help? I'm not even sure if a policy-based bi-directional NAT is possible based on the Cisco documentation I've read. Help!

 

 

                                                  ------------- (12.126.x.x) Site B (10.128.0.0/9)
Site A ------------ WWW Cloud
(ASA 5520)                                     --------------(209.128.y.y) Site C (10.128.0.0/9)

 

 

Guest
 


Re: Bi-Directional Policy NAT

Postby Guest » Wed Dec 08, 2010 5:04 pm

Hi,

 

What you do is Policy NAT on the remote sites:

 

Site B:
access-list PolicyNAT permit ip 10.128.0.0 255.128.0.0 Site A
static (in,out) 1.0.0.0 access-list PolicyNAT
access-list VPN permit ip 1.0.0.0 255.128.0.0 Site A

 

Site C:
access-list PolicyNAT permit ip 10.128.0.0 255.128.0.0 Site A
static (in,out) 2.0.0.0 access-list PolicyNAT
access-list VPN permit ip 2.0.0.0 255.128.0.0 Site A

 

In Site B, we are translating network 10.128.0.0/9 to 1.0.0.0/9 when going to Site A
In Site C, we are translating network 10.128.0.0/9 to 2.0.0.0/9 when going to Site B
In both sites, the VPN traffic is from the translated network to Site A

In Site A, you must send the VPN traffic to 1.0.0.0/9 and 2.0.0.0/9 when trying to reach Site B and Site C
respectively.

 

Hope this helps, let me know.

 

Federico.

Guest
 

Re: Bi-Directional Policy NAT

Postby Guest » Wed Dec 08, 2010 6:39 pm

I appreciate the response, but if it was that easy, I wouldn't be in the support forum. I have no administrative control over Site B or C. Policy NAT could only be accomplished at Site A where I have administrative control.

Guest
 

Re: Bi-Directional Policy NAT

Postby Guest » Wed Dec 08, 2010 7:38 pm

I guess I should also note that Site B and C have no interest in passing traffic between each other. They only care about talking to the hub.

Guest
 

Re: Bi-Directional Policy NAT

Postby Guest » Wed Dec 08, 2010 9:17 pm

If you only have control over Site A, then as you said you can do Policy NAT on Site A.

It will be inbound Policy NAT, so that you translate Site B and Site C to a different IP when entering Site A network.

 

Instead of NATing the traffic on Site B and Site C, you NAT the traffic when entering inbound on Site A.

 

Federico.

Guest
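Both of Federico's replies rest on the same mechanism: each spoke's overlapping 10.128.0.0/9 must be presented to Site A under a distinct mapped prefix, whether the static translation is applied at the spoke (first reply) or inbound at the hub (last reply). The following Python model is an added example, not configuration from this thread or from Cisco. It assumes the mapped prefixes 1.0.0.0/9 for Site B and 2.0.0.0/9 for Site C from the first reply; the host address 10.200.1.10 is constructed, and the function names are mine.

```python
import ipaddress

# Added example (not from the forum thread). The mapped prefixes 1.0.0.0/9
# (Site B) and 2.0.0.0/9 (Site C) come from the reply above; the host
# addresses used below are constructed for illustration.


def translate(addr, real_net, mapped_net):
    """Static network NAT: preserve the host bits, replace the network bits.

    This is the arithmetic behind a whole-network static translation
    (a 1:1 mapping between two networks of the same prefix length).
    """
    addr = ipaddress.IPv4Address(addr)
    real_net = ipaddress.IPv4Network(real_net)
    mapped_net = ipaddress.IPv4Network(mapped_net)
    if real_net.prefixlen != mapped_net.prefixlen:
        raise ValueError("real and mapped networks must be the same size")
    if addr not in real_net:
        raise ValueError(f"{addr} is not inside {real_net}")
    offset = int(addr) - int(real_net.network_address)
    return ipaddress.IPv4Address(int(mapped_net.network_address) + offset)


def untranslate(addr, real_net, mapped_net):
    """Reverse direction of the same mapping (return traffic from the hub)."""
    return translate(addr, mapped_net, real_net)


# Overlapping real space at both spokes, distinct mapped space per spoke.
SPOKES = {
    "Site B": ("10.128.0.0/9", "1.0.0.0/9"),
    "Site C": ("10.128.0.0/9", "2.0.0.0/9"),
}


def as_seen_at_hub(spoke, real_src):
    """Source address Site A sees once the spoke's traffic has been translated
    (at the spoke, or inbound on Site A's ASA; the arithmetic is the same)."""
    real_net, mapped_net = SPOKES[spoke]
    return str(translate(real_src, real_net, mapped_net))


def classify_at_hub(mapped_src):
    """Identify the spoke from the translated source and recover its real address.

    Returns (None, None) for a source carrying no mapped prefix: untranslated
    10.128.0.0/9 traffic could belong to either spoke, which is exactly the
    ambiguity the thread is trying to remove.
    """
    src = ipaddress.IPv4Address(mapped_src)
    for name, (real_net, mapped_net) in SPOKES.items():
        if src in ipaddress.IPv4Network(mapped_net):
            return name, str(untranslate(src, real_net, mapped_net))
    return None, None


def hub_destination_prefix(spoke):
    """Prefix Site A must send to (VPN interesting traffic and routing) to
    reach hosts at the given spoke, per the reply above."""
    return SPOKES[spoke][1]


if __name__ == "__main__":
    host = "10.200.1.10"  # constructed: the same real address exists at both spokes
    for spoke in SPOKES:
        seen = as_seen_at_hub(spoke, host)
        print(f"{spoke}: {host} -> {seen} -> {classify_at_hub(seen)}")
    print("untranslated:", classify_at_hub(host))
```

Running the model shows the same real host 10.200.1.10 arriving at the hub as 1.72.1.10 from Site B and 2.72.1.10 from Site C, so Site A can route and classify the two spokes apart, while the untranslated address matches neither spoke.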
 
