Friday, 12 August 2016

ASA NAT Into VPN Tunnel

This scenario is sometimes needed when connecting via VPN to a 3rd party whose requirement is that the IP addressing presented across the tunnel is unique (typically so that your RFC 1918 range does not overlap with theirs or with another customer's). In this example a server (192.168.0.10) behind the ASA should be NATed to a public IP address (1.2.3.4) only when communicating across the VPN, but PATed to the outside interface address along with the rest of the LAN when communicating with the Internet. The local network is 192.168.0.0/24 & the remote network 172.16.0.0/24. The config uses the ASA 8.3+ NAT syntax (object NAT & twice NAT).


interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 100.64.0.1 255.255.255.252
!
object network SERVER-INSIDE
 host 192.168.0.10
!
object network SERVER-NAT-IP
 host 1.2.3.4
!
object network REMOTE-NETWORK
 subnet 172.16.0.0 255.255.255.0
!
access-list VPN-TUNNEL extended permit ip object SERVER-NAT-IP object REMOTE-NETWORK
!
object network NAT-LAN
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
nat (inside,outside) source static SERVER-INSIDE SERVER-NAT-IP destination static REMOTE-NETWORK REMOTE-NETWORK
!
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TUNNEL
crypto map OUTSIDE_MAP 10 set peer 100.64.1.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 100.64.1.1 type ipsec-l2l
tunnel-group 100.64.1.1 ipsec-attributes
 ikev1 pre-shared-key Password123


The key is to use twice NAT (manual NAT) so that the 192.168.0.10 address gets NATed to 1.2.3.4 only when destined for 172.16.0.0/24; the "destination static REMOTE-NETWORK REMOTE-NETWORK" part is an identity translation that simply makes the rule conditional on the destination. Manual NAT rules sit in section 1 of the NAT table & are evaluated before the object NAT rule in section 2, so the server's VPN traffic hits the static rule first while everything else (including the server's Internet traffic) falls through to the interface PAT. Because the ASA matches the crypto map ACL against the translated packet, the interesting traffic ACL for the tunnel must reference the 1.2.3.4 public IP address rather than 192.168.0.10, & the VPN will establish with traffic NATed in & out of it. Two things to check on the other side: the 3rd party's crypto ACL must be the mirror image (172.16.0.0/24 to 1.2.3.4/32) or phase 2 will not come up, & note that other hosts in 192.168.0.0/24 are not covered by the crypto ACL at all, so they will not reach 172.16.0.0/24 through the tunnel with this config. The pre-shared key above is a placeholder & should be a long random value in production. A packet-tracer from the inside interface is the quickest way to confirm both the NAT rule hit & the VPN encrypt phase. Alternatively, if we wanted the 192.168.0.10 address NATed to 1.2.3.4 at all times, we could just use object NAT instead:

object network NAT-SERVER
 host 192.168.0.10
 nat (inside,outside) static SERVER-NAT-IP
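To make the difference between the two approaches concrete, the following Python model is added here as an illustration; it is not ASA code & not part of the original post. It reproduces just the two behaviours the post relies on: the NAT table is walked in section order (manual/twice NAT in section 1 before object NAT in section 2, static before dynamic within a section, which is a simplification of the ASA's full ordering but gives the same result for these rules), & the crypto map ACL is matched against the translated packet. The rule sets, the VPN-TUNNEL ACL & the addresses are the ones from the config above; the function names & the sample destinations 172.16.0.5 & 8.8.8.8 are assumptions made for the example.

```python
"""Model of how the ASA picks a NAT rule and then tests the crypto ACL.

Added illustration only (not ASA code): it reproduces the rule order the
post relies on, using the addresses and rules from the configuration above.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    section: int                       # 1 = manual (twice) NAT, 2 = object NAT
    src_real: ipaddress.IPv4Network    # real (pre-NAT) source to match
    dst_match: ipaddress.IPv4Network   # destination condition (0.0.0.0/0 = any)
    src_mapped: str                    # translated source: an IP, or "interface"
    dynamic: bool                      # dynamic PAT (True) or static (False)


REMOTE_NET = ipaddress.ip_network("172.16.0.0/24")   # object REMOTE-NETWORK
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")   # object NAT-LAN
SERVER = ipaddress.ip_network("192.168.0.10/32")     # object SERVER-INSIDE
ANY = ipaddress.ip_network("0.0.0.0/0")
OUTSIDE_IP = "100.64.0.1"                            # outside interface address
SERVER_NAT_IP = "1.2.3.4"                            # object SERVER-NAT-IP

# Rules as configured in the post: twice NAT for the server towards the
# remote network, object PAT for the whole LAN towards anything.
TWICE_NAT = [
    NatRule(1, SERVER, REMOTE_NET, SERVER_NAT_IP, dynamic=False),
    NatRule(2, LOCAL_NET, ANY, "interface", dynamic=True),
]

# The post's alternative: object NAT, which translates the server unconditionally.
OBJECT_NAT = [
    NatRule(2, SERVER, ANY, SERVER_NAT_IP, dynamic=False),
    NatRule(2, LOCAL_NET, ANY, "interface", dynamic=True),
]


def translate(src, dst, rules, outside_ip=OUTSIDE_IP):
    """Return the translated source IP: first matching rule wins, lower sections first.

    Within a section static rules are tried before dynamic ones (simplified
    model of the ASA's section 2 ordering; sufficient for the rules above).
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: (r.section, r.dynamic)):
        if src_ip in rule.src_real and dst_ip in rule.dst_match:
            return outside_ip if rule.src_mapped == "interface" else rule.src_mapped
    return src  # no rule matched: the packet leaves untranslated


def crypto_acl_matches(translated_src, dst):
    """VPN-TUNNEL ACL: permit ip object SERVER-NAT-IP object REMOTE-NETWORK.

    Evaluated against the post-NAT source, as the ASA does for the crypto map.
    """
    return (ipaddress.ip_address(translated_src) == ipaddress.ip_address(SERVER_NAT_IP)
            and ipaddress.ip_address(dst) in REMOTE_NET)


def egress(src, dst, rules):
    """What leaves the outside interface: (translated source, sent through the tunnel?)."""
    mapped = translate(src, dst, rules)
    return mapped, crypto_acl_matches(mapped, dst)


if __name__ == "__main__":
    # Sample flows (constructed for the example): server to the remote network,
    # server to the Internet, and another LAN host to the remote network.
    flows = [("192.168.0.10", "172.16.0.5"),
             ("192.168.0.10", "8.8.8.8"),
             ("192.168.0.20", "172.16.0.5")]
    for name, rules in (("twice NAT", TWICE_NAT), ("object NAT", OBJECT_NAT)):
        for src, dst in flows:
            mapped, tunnelled = egress(src, dst, rules)
            print(f"{name:10} {src:13} -> {dst:12} source becomes {mapped:11} tunnelled={tunnelled}")
```

Running it shows the point of the post: with the twice NAT rule the server becomes 1.2.3.4 only towards 172.16.0.0/24 & is PATed to 100.64.0.1 towards 8.8.8.8, whereas with the object NAT alternative it is 1.2.3.4 in both cases. It also shows the caveat that another LAN host (192.168.0.20) is PATed & never matches the crypto ACL, so it does not use the tunnel.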