Thursday, March 27, 2008

PIX/ASA 7.X: Policy NAT

TOPOLOGY:
10.10.10.10 ---- YourASA ======= RemoteDevice ---- 20.20.20.20

SCENARIO:
- Host 10.10.10.10 is translated to 172.16.0.10 when going to host 20.20.20.20 (VPN traffic)
- Host 10.10.10.10 is translated through NAT/PAT normally elsewhere.

CONFIGURATION:

access-list NONAT permit ip host 172.16.0.10 host 20.20.20.20
access-list VPN10 permit ip host 172.16.0.10 host 20.20.20.20
access-list POLICY_NAT extended permit ip host 10.10.10.10 host 20.20.20.20

static (inside,outside) 172.16.0.10 access-list POLICY_NAT
nat (inside) 0 access-list NONAT

nat (inside) 1 0 0
global (outside) 1 interface
...

! DEFINE PHASE1 / ISAKMP PARAMETERS !
! DEFINE PHASE2 / IPSEC PARAMETERS !
...
crypto map OUTSIDE_MAP 10 match address VPN10
...
crypto map OUTSIDE_MAP interface outside

isakmp enable outside
NOTES:
In the above example, note that the source IP address of the VPN traffic is the translated IP address (172.16.0.10), not the inside/original source address.

The static statement is evaluated before the crypto map match statement. Hence, if the traffic matches ACL "POLICY_NAT", it is translated first and only then evaluated against the crypto map policy (see NAT Order of Operation).

Because of the software requirement, this is available only on ASA and PIX platforms that can run 7.x and later.
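To make the ordering in the notes concrete, here is a small Python simulation (added here; it is not Cisco code and not part of the original post) that parses the configuration lines above and walks a flow through NAT exemption, static policy NAT and dynamic PAT, then checks the post-NAT packet against the crypto map ACL. The outside interface address 203.0.113.1, the Internet host 198.51.100.5 and the deliberately misconfigured second variant (crypto ACL written with the pre-NAT address) are constructed for the example; the ordering of exemption before static policy NAT follows the NAT Order of Operation document referenced below.

```python
import re
from dataclasses import dataclass, field

# Assumed outside interface address (TEST-NET-3); used when "global ... interface" is hit.
OUTSIDE_INTERFACE_IP = "203.0.113.1"

# Constructed from the configuration on the page (only the lines the simulator needs).
PAGE_CONFIG = """
access-list NONAT permit ip host 172.16.0.10 host 20.20.20.20
access-list VPN10 permit ip host 172.16.0.10 host 20.20.20.20
access-list POLICY_NAT extended permit ip host 10.10.10.10 host 20.20.20.20
static (inside,outside) 172.16.0.10 access-list POLICY_NAT
nat (inside) 0 access-list NONAT
nat (inside) 1 0 0
global (outside) 1 interface
crypto map OUTSIDE_MAP 10 match address VPN10
"""

# Constructed misconfiguration: the crypto ACL names the original (pre-NAT) address.
WRONG_VPN_ACL_CONFIG = PAGE_CONFIG.replace(
    "access-list VPN10 permit ip host 172.16.0.10",
    "access-list VPN10 permit ip host 10.10.10.10")


@dataclass
class Config:
    acls: dict = field(default_factory=dict)          # name -> [(src, dst), ...]
    nat_exempt: list = field(default_factory=list)    # ACLs from "nat (x) 0 access-list"
    static_policy: list = field(default_factory=list) # (mapped_ip, acl_name), config order
    dynamic_nat: list = field(default_factory=list)   # nat ids from "nat (x) <id> 0 0"
    globals_: dict = field(default_factory=dict)      # nat id -> mapped address or "interface"
    crypto_acls: list = field(default_factory=list)   # ACLs referenced by crypto map entries


def parse(text):
    """Parse the subset of PIX/ASA 7.x syntax used on the page into a Config."""
    cfg = Config()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"access-list (\S+) (?:extended )?permit ip host (\S+) host (\S+)", line):
            cfg.acls.setdefault(m[1], []).append((m[2], m[3]))
        elif m := re.fullmatch(r"static \([^)]*\) (\S+) access-list (\S+)", line):
            cfg.static_policy.append((m[1], m[2]))
        elif m := re.fullmatch(r"nat \(\S+\) 0 access-list (\S+)", line):
            cfg.nat_exempt.append(m[1])
        elif m := re.fullmatch(r"nat \(\S+\) (\d+) 0 0", line):
            cfg.dynamic_nat.append(m[1])
        elif m := re.fullmatch(r"global \(\S+\) (\d+) (\S+)", line):
            cfg.globals_[m[1]] = m[2]
        elif m := re.fullmatch(r"crypto map \S+ \d+ match address (\S+)", line):
            cfg.crypto_acls.append(m[1])
    return cfg


def acl_permits(cfg, name, src, dst):
    return any(s == src and d == dst for s, d in cfg.acls.get(name, []))


def translate(cfg, src, dst):
    """NAT order of operation: exemption, then static policy NAT, then dynamic NAT/PAT."""
    if any(acl_permits(cfg, a, src, dst) for a in cfg.nat_exempt):
        return src, "nat 0 exemption"
    for mapped, acl in cfg.static_policy:
        if acl_permits(cfg, acl, src, dst):
            return mapped, "static policy NAT"
    for nat_id in cfg.dynamic_nat:
        mapped = cfg.globals_.get(nat_id)
        if mapped == "interface":
            mapped = OUTSIDE_INTERFACE_IP
        if mapped:
            return mapped, "dynamic NAT/PAT"
    return src, "untranslated"


def forward(cfg, src, dst):
    """Translate first, then test the post-NAT packet against the crypto map ACLs."""
    mapped_src, rule = translate(cfg, src, dst)
    encrypted = any(acl_permits(cfg, a, mapped_src, dst) for a in cfg.crypto_acls)
    return {"src": mapped_src, "rule": rule, "encrypted": encrypted}


if __name__ == "__main__":
    for label, text in (("page config", PAGE_CONFIG),
                        ("crypto ACL on pre-NAT address", WRONG_VPN_ACL_CONFIG)):
        cfg = parse(text)
        print(label)
        print("  to VPN peer host:", forward(cfg, "10.10.10.10", "20.20.20.20"))
        print("  to Internet host:", forward(cfg, "10.10.10.10", "198.51.100.5"))
```

The second run is the check worth keeping in mind: with the crypto ACL written against 10.10.10.10, the policy-NAT'd packet (source 172.16.0.10) no longer matches the crypto map, so the flow to 20.20.20.20 would leave the outside interface untranslated by the tunnel, i.e. in the clear, rather than being encrypted.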
REFERENCES:
PIX/ASA 7.X: Policy NAT:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml
NAT Order of Operation:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

2 comments:

Anonymous said...

Is there a way to do it with PIX 6.2 ?

Mon said...

Hi Martin,
Sorry for the delay. Unfortunately, no. (We have the same problem in our network here.) This is not supported in any of the PIX 6.X images.

It was only supported in PIX version 7.X and up.