Friday, 12 August 2016

ASA NAT Into VPN Tunnel

This scenario is sometimes needed when connecting via VPN to a third party whose requirement is that IP addressing be unique. In this example a server behind the ASA should be NATed to a public IP address when communicating across the VPN, but PATed to the outside interface when communicating with the Internet. The local network is & the remote network

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address
object network SERVER-INSIDE
object network SERVER-NAT-IP
object network REMOTE-NETWORK
! Interesting traffic for the tunnel is matched on the post-NAT (public) address, not the server's real address
access-list VPN-TUNNEL extended permit ip object
! Object NAT (auto NAT): PAT the whole inside LAN to the outside interface address
object network NAT-LAN
 nat (inside,outside) dynamic interface
! Twice NAT (manual NAT, evaluated before object NAT): translate the server to its public IP only for the destination named in the rule
nat (inside,outside) source static SERVER-INSIDE SERVER-NAT-IP

crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TUNNEL
crypto map OUTSIDE_MAP 10 set peer
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 ikev1 pre-shared-key Password123

The key is to use twice NAT so that the server's address gets NATed only when the traffic is destined for the remote network; any other traffic falls through to the object NAT and is PATed to the outside interface. The interesting-traffic ACL for the tunnel then covers the public (post-NAT) IP address, and the VPN will establish with traffic NATed on the way in and out of it. Alternatively, if we wanted the address NATed to the public IP at all times, we could just use object NAT instead:

object network NAT-SERVER
 nat (inside,outside) static
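To make the difference between the two designs concrete, the following added example (not from the original post) models how the ASA walks its NAT table, section 1 (twice NAT) before section 2 (object NAT, static before dynamic), and whether the translated flow then matches the crypto map ACL. The post omits its real addresses, so every address below is a constructed placeholder from RFC 1918 / RFC 5737 ranges. It also shows the gotcha a practitioner should check: with the twice NAT design, other inside hosts are PATed to the interface address and therefore do not match the VPN-TUNNEL ACL, so only the server reaches the remote network.

```python
"""Model of ASA NAT rule selection and crypto-ACL matching for the two designs
in the post. All addresses are constructed sample values, not the post's own."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address

# Constructed placeholder addressing (the original post does not give its values)
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")        # inside LAN
SERVER_INSIDE = ipaddress.ip_address("192.168.1.10")      # object SERVER-INSIDE
SERVER_NAT_IP = ipaddress.ip_address("203.0.113.10")      # object SERVER-NAT-IP
OUTSIDE_IF_IP = ipaddress.ip_address("203.0.113.1")       # outside interface
REMOTE_NETWORK = ipaddress.ip_network("198.51.100.0/24")  # object REMOTE-NETWORK
INTERNET_HOST = ipaddress.ip_address("192.0.2.55")        # any non-VPN destination


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                      # 1 = manual/twice NAT, 2 = object (auto) NAT
    real_source: IPv4Net
    mapped_source: Optional[IPv4Addr]  # None means dynamic PAT to the outside interface
    static: bool
    destination: Optional[IPv4Net] = None  # twice NAT only: rule applies to this destination


def candidate_order(rules):
    """Walk rules the way the ASA does: section 1 in config order, then section 2
    with static before dynamic and the more specific real prefix first."""
    return sorted(
        enumerate(rules),
        key=lambda ir: (ir[1].section, not ir[1].static,
                        -ir[1].real_source.prefixlen, ir[0]),
    )


def select_nat(rules, src, dst):
    """Return the first rule whose source (and destination, if set) matches."""
    for _, rule in candidate_order(rules):
        if src not in rule.real_source:
            continue
        if rule.destination is not None and dst not in rule.destination:
            continue
        return rule
    return None


def translate_source(rules, src, dst):
    rule = select_nat(rules, src, dst)
    if rule is None:
        return src
    return rule.mapped_source if rule.mapped_source is not None else OUTSIDE_IF_IP


# access-list VPN-TUNNEL: public server address -> remote network (post-NAT match)
CRYPTO_ACL = [(ipaddress.ip_network(f"{SERVER_NAT_IP}/32"), REMOTE_NETWORK)]


def matches_crypto_acl(translated_src, dst):
    return any(translated_src in s and dst in d for s, d in CRYPTO_ACL)


def classify_flow(rules, src, dst):
    """Which NAT rule fires, what the source becomes, and whether it enters the tunnel."""
    rule = select_nat(rules, src, dst)
    xlate = translate_source(rules, src, dst)
    return {
        "rule": rule.name if rule else None,
        "translated_src": str(xlate),
        "path": "vpn" if matches_crypto_acl(xlate, dst) else "internet",
    }


# Design 1 from the post: twice NAT for the server toward the remote network only
TWICE_NAT_RULES = [
    NatRule("twice NAT SERVER-INSIDE->SERVER-NAT-IP dst REMOTE-NETWORK", 1,
            ipaddress.ip_network(f"{SERVER_INSIDE}/32"), SERVER_NAT_IP, True, REMOTE_NETWORK),
    NatRule("object NAT-LAN dynamic interface", 2, LOCAL_NET, None, False),
]

# Design 2 from the post: object NAT, server always translated to its public IP
OBJECT_NAT_RULES = [
    NatRule("object NAT-SERVER static", 2,
            ipaddress.ip_network(f"{SERVER_INSIDE}/32"), SERVER_NAT_IP, True),
    NatRule("object NAT-LAN dynamic interface", 2, LOCAL_NET, None, False),
]

if __name__ == "__main__":
    remote_host = ipaddress.ip_address("198.51.100.20")
    other_lan_host = ipaddress.ip_address("192.168.1.50")
    for label, rules in (("twice NAT", TWICE_NAT_RULES), ("object NAT", OBJECT_NAT_RULES)):
        for src, dst in ((SERVER_INSIDE, remote_host), (SERVER_INSIDE, INTERNET_HOST),
                         (other_lan_host, remote_host)):
            print(label, src, "->", dst, classify_flow(rules, src, dst))
```

With the twice NAT rules the server is seen by the peer as 203.0.113.10 only when talking to 198.51.100.0/24 and as 203.0.113.1 (PAT) otherwise; with the object NAT rules it is 203.0.113.10 everywhere. In both designs a different LAN host sending to the remote network is PATed to the interface and silently bypasses the tunnel, which is worth confirming with `packet-tracer` on a real ASA before assuming the VPN is broken.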