Policy NAT for L2L VPN

Guest

Re:Policy NAT for L2L VPN

Post by Guest » Thu Jan 18, 2007 9:00 am


Patrick

Here is the order of operations for NAT on the firewall:

1. nat 0 access-list (nat-exempt)
2. Match existing xlates
3. Match static commands
   a. Static NAT with and without access-list
   b. Static PAT with and without access-list
4. Match nat commands
   a. nat [id] access-list (first match)
   b. nat [id] [address] [mask] (best match)
      i. If the ID is 0, create an identity xlate
      ii. Use global pool for dynamic NAT
      iii. Use global pool for dynamic PAT

So you could try:

1) a static NAT with an access-list, which will take precedence over a dynamic NAT statement
2) as you can see from 4a, it uses first match with NAT and access-list, so in theory swapping them around should do the trick.

Can I think of any negative consequences? Well yes, you could lose all connectivity. I don't think this will happen but I can't promise, so you absolutely would want to do this out of hours.

Jon

Guest

Re:Policy NAT for L2L VPN

Post by Guest » Thu Jan 18, 2007 9:21 am


Jon - I tried #1, but I received an error:

access-list NAT1 permit ip 192.168.0.0 255.255.0.0 10.2.0.0 255.255.0.0
static (inside,outside) 172.20.n.1 access-list NAT1
global address overlaps with mask

I am unable to figure out what the error message means....

I had also tried #1 using a NAT with the object-groups, but that failed too, although with a different error message. Using a static NAT config would be my preferred solution.

Thanks for your time.

Patrick

Guest

Re:Policy NAT for L2L VPN

Post by Guest » Thu Jan 18, 2007 10:18 am


Patrick

Can you send me your config minus any sensitive info, as I have access to our work lab now. I will run a few quick tests.

Jon

Guest

Re:Policy NAT for L2L VPN

Post by Guest » Thu Jan 18, 2007 10:27 am


Patrick

Apologies, there were a few typos in the previous post. I have amended them, but please check on the web site rather than reading from your e-mail.

Jon

Guest

Re:Policy NAT for L2L VPN

Post by Guest » Thu Jan 18, 2007 11:32 am


Patrick

I kind of missed the wood for the trees here. The static policy NAT is failing because you are trying to map a network, 192.168.0.0, to a single IP address, 172.20.n.1.

However, it has just occurred to me: why are you doing policy NAT for the Internet? I tested in the lab, and if you do this:

nat (INSIDE) 1 192.168.0.0 255.255.0.0
global (OUTSIDE) 1 interface

access-list NAT-LIST permit ip 192.168.0.0 255.255.0.0 10.2.x.x 255.255.255.0
nat (INSIDE) 2 access-list NAT-LIST
global (OUTSIDE) 2 172.20.n.1

i.e. only do policy NAT for VPN traffic, this works as expected in my lab. Is there a reason why you need policy NAT for general Internet access?

Jon
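The configuration below is an added example written for this page, not config from either poster or from Cisco. It puts the pieces of the thread together in pre-8.3 PIX/ASA 7.x syntax: dynamic PAT for general Internet traffic, policy NAT (nat id 2 paired with global id 2) only for traffic to the remote VPN subnet, and the crypto map that carries that traffic. All addresses, names and the peer are assumed placeholders: 172.20.5.1 stands in for the thread's 172.20.n.1, the remote subnet is taken as 10.2.0.0/24, the peer 203.0.113.10 is from the documentation range, and NAT-LIST, VPN-TRAFFIC, OUTSIDE-MAP, ESP-AES-SHA and the pre-shared key are invented names.

```cisco
! Assumed placeholders (not the thread's values):
!   inside LAN        192.168.0.0/16
!   remote VPN subnet 10.2.0.0/24
!   translated source 172.20.5.1   (stands in for 172.20.n.1)
!   VPN peer          203.0.113.10 (documentation range)

! General Internet traffic: dynamic PAT on the outside interface address
nat (inside) 1 192.168.0.0 255.255.0.0
global (outside) 1 interface

! Policy NAT only for traffic to the remote VPN subnet.
! nat with an access-list is evaluated first-match (4a in the order of
! operations above), so it wins over the plain nat 1 line for this traffic.
! The nat id and the global id must match: nat 2 needs a global 2.
access-list NAT-LIST permit ip 192.168.0.0 255.255.0.0 10.2.0.0 255.255.255.0
nat (inside) 2 access-list NAT-LIST
global (outside) 2 172.20.5.1

! Crypto ACL. On pre-8.3 code NAT is applied before the crypto map on the
! way out, so this ACL must match the translated address, not 192.168.x.x.
access-list VPN-TRAFFIC permit ip host 172.20.5.1 10.2.0.0 255.255.255.0

! Phase 1
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key PLACEHOLDER-CHANGE-ME

! Phase 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! Existing translations are matched before any nat/static rule (step 2 in
! the order of operations), so an inside host that already has a PAT xlate
! from nat 1 keeps using it and never hits nat 2 until its xlate is cleared.
clear xlate

! Checks: which nat rule is configured and which xlate was actually built
show nat
show xlate
```

Two caveats worth keeping in mind when applying this on a production box: `clear xlate` tears down every active translation, which is the moment Jon's "you could lose all connectivity" warning applies, so do it in a maintenance window; and on ASA 8.3 and later the NAT model changed (object and twice NAT, with crypto ACLs written against real addresses), so none of the `nat`/`global` lines above carry over unchanged.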
