How to NAT private IP address within a VPN

Continuing from the little lab I built up in the last post, where I looked at how to get Windows 7 running natively in UNetLab, I now am looking at how we can perform NAT inside of an IPSec tunnel.

I am using the following for this:

2x Windows 7 (Pro), with VLC, Putty, JRE and ASDM installed
2x IOSv Layer 2 switches (running 15.2)
2x ASAv (running 9.4(1))
1x IOSv (running 15.5) – AKA “Internet”.

All of these are within UNetLab, which is, so far, coping nicely with just the 8GB ram that Fusion seems to allow, but I really should put it on my ESXi server. I have seen ways to get around the 8GB limit, but every time I try, Fusion says its unsupported¬†and drops it down to 32Kb. It’s a challenge.

The topology looks like this (note, not everything is started just yet):

Simple NAT lab

The end goal is that we have a VPN between the two ASAs, with HQ performing NAT to mask the traffic inside the VPN tunnel. You may be asking “Why the hell would you ever need to do that?”, and it’s a very good question, really it’s not something you’d have to do often, but there are those times when someone doesn’t like RFC1918 addresses going across a VPN tunnel, or (more commonly) you need to VPN to another site that has overlapping internal subnets.

Basic IP addressing (all /24):

InterfaceIP Address
DMZ-Server10.1.1.10 (default gateway 10.1.1.254)
HQ Gi0/310.1.1.1
HQ Gi0/11.1.1.2
Internet Gi0/01.1.1.1
Internet Gi0/12.2.2.1
Client Gi0/12.2.2.2
Client Gi0/310.200.1.1
Client-PC10.200.1.10 (default gateway 10.200.1.254)

HQ Switch configuration

Very basic, just one VLAN, and a VIF:

Switch#sh vlan | i VLAN0011
11   VLAN0011                         active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
Switch#sh ip int bri | e unas
Interface              IP-Address      OK? Method Status                Protocol
Vlan11                 10.1.1.254      YES manual up                    up      

Switch#

Basic (HQ) ASA setup

Below is enough to get us started, and onto ASDM from our DMZ-Server:

hostname HQ
!
interface GigabitEthernet0/1
 nameif Outside
 security-level 0
 ip address 1.1.1.2 255.255.255.0 
!
interface GigabitEthernet0/3
 nameif DMZ
 security-level 50
 ip address 10.1.1.1 255.255.255.0 
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
route Outside 0.0.0.0 0.0.0.0 1.1.1.1 1
!
user-identity default-domain LOCAL
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 10.1.1.0 255.255.255.0 DMZ
!
ssh 1.1.1.1 255.255.255.255 Outside
ssh 10.1.1.0 255.255.255.0 DMZ
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
!
username stuart password p60UDLdMNnbR8IQ. encrypted
!

The set-up for the Client ASA is not much different, and similarly, on the Client switch we have one VLAN (200), and a VIF of 10.200.1.254:

Switch#sh vlan | i VLAN0200  
200  VLAN0200                         active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
Switch#sh ip int bri | e unas
Interface              IP-Address      OK? Method Status                Protocol
Vlan200                10.200.1.254    YES manual up                    up      

Switch#

So far we should be able to ping from our Windows PCs to our ASAs:

NAT lab

Basic Internet access (our first NAT)

On the Internet router, we have a loopback interface with the IP address 8.8.8.8/32. We should be able to give ourselves access to this. It’s working directly from the HQ ASA at the moment:

HQ# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
HQ#

The first NAT rule “connects” the DMZ interface to the Outside interface:

HQ(config)# nat (DMZ,Outside) after-auto source dynamic any interface 
HQ(config)#

If we follow it through, we can see that the rule will be placed last in the NAT rules table (after-auto). We match the DMZ and the Outside interfaces (our source network and the one we want to get to). We set a source of dynamic, meaning we can have more than one host behind this network, and we allow any source using the “any” keyword. Lastly, we nat this through to the interface IP address given to our Outside interface.

I did have to use the command “fixup protocol icmp” in order to get the ping to work. The ASA will convert this into the following command:

HQ(config)# policy-map global_policy
HQ(config-pmap)# class inspection_default
HQ(config-pmap-c)# inspect icmp
HQ(config-pmap-c)#

So now we also have “Internet” access (to a loopback on the Internet router):

pinging

Let’s go ahead and set up the other side, and make sure that they can also ping the “Internet”:

Client# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/14/30 ms
Client#conf t
Client(config)# policy-map global_policy
Client(config-pmap)# class  inspection_default
Client(config-pmap-c)# inspect icmp
Client(config-pmap-c)# exit
Client(config-pmap)#exit
Client(config)# nat (Inside,Outside) source  dynamic any interf
Client(config)#

Great! Now the client should have access:

more pinging

Now we can begin to create our VPN between the two sides.

Site-to-Site (L2L) IPSec VPN on Cisco ASAs

We start with a couple of network objects, and an access-list:

Client(config)# object network MyInsideNetwork
Client(config-network-object)# subnet 10.200.1.0 255.255.255.0
Client(config-network-object)# exit
Client(config)# object network TheirRemoteNetwork
Client(config-network-object)# subnet 10.1.1.0 255.255.255.0
Client(config-network-object)# exit
Client(config)# access-list Outside_cryptomap extended permit ip object MyInsideNetwork object TheirRemoteNetwork

Now we can start to define how we are going to talk to other peers:

Client(config)# nat (Inside,Outside) source static MyInsideNetwork MyInsideNetwork destination static TheirRemoteNetwork TheirRemoteNetwork no-proxy-arp route-lookup
Client(config)#crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
Client(config)# crypto ipsec ikev2 ipsec-proposal AES256
Client(config-ipsec-proposal)# protocol esp encryption aes-256
Client(config-ipsec-proposal)# protocol esp integrity sha-1 md5
Client(config-ipsec-proposal)# exi
Client(config)# crypto ikev2 policy 1 
Client(config-ikev2-policy)# encryption aes-256
Client(config-ikev2-policy)# integrity sha
Client(config-ikev2-policy)# group 2
Client(config-ikev2-policy)# prf sha
Client(config-ikev2-policy)# lifetime seconds 86400
Client(config-ikev2-policy)# exi
Client(config)# crypto ikev1 policy 10
Client(config-ikev1-policy)# authentication pre-share 
Client(config-ikev1-policy)# encryption aes-256 
Client(config-ikev1-policy)# hash sha
Client(config-ikev1-policy)# group 2
Client(config-ikev1-policy)# lifetime 86400
Client(config-ikev1-policy)# exi
Client(config)# crypto ikev2 enable Outside
Client(config)# crypto ikev1 enable Outside
Client(config)#

Then we create the VPN, trying to keep it as generic as possible so that it is nice and easy to paste onto our other ASA:

Client(config)# crypto map Outside_map 1 match address Outside_cryptomap
Client(config)# crypto map Outside_map 1 set peer 1.1.1.2               
Client(config)# crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
Client(config)# crypto map Outside_map 1 set ikev2 ipsec-proposal AES256
Client(config)# crypto map Outside_map interface Outside               
Client(config)# group-policy MyPeer internal             
Client(config)# group-policy MyPeer attributes 
Client(config-group-policy)# vpn-tunnel-protocol ikev1 ikev2
Client(config-group-policy)# tunnel-group 1.1.1.2 type ipsec-l2l   
Client(config)# tunnel-group 1.1.1.2 general-attributes 
Client(config-tunnel-general)# default-group-policy MyPeer
Client(config-tunnel-general)# exi
Client(config)# tunnel-group 1.1.1.2 ipsec-attributes 
Client(config-tunnel-ipsec)# ikev1 pre-shared-key MyKey
Client(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key MyKey
INFO: You must configure ikev2 local-authentication pre-shared-key
      or certificate to complete authentication.
Client(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key MyKey
Client(config-tunnel-ipsec)#

Moving on to the other (HQ) ASA, we can (with a minor edit here and there) paste in the same config:

HQ(config)# object network MyInsideNetwork
HQ(config-network-object)# subnet 10.1.1.0 255.255.255.0
HQ(config-network-object)# exit
HQ(config)# object network TheirRemoteNetwork
HQ(config-network-object)# subnet 10.200.1.0 255.255.255.0
HQ(config-network-object)# exit
HQ(config)# access-list Outside_cryptomap extended permit ip object MyInsideNetwork object TheirRemoteNetwork
HQ(config)# nat (Inside,Outside) source static MyInsideNetwork MyInsideNetwork destination static TheirRemoteNetwork TheirRemoteNetwork no-proxy-arp route-lookup
HQ(config)# crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
HQ(config)# crypto ipsec ikev2 ipsec-proposal AES256
HQ(config-ipsec-proposal)# protocol esp encryption aes-256
HQ(config-ipsec-proposal)# protocol esp integrity sha-1 md5
HQ(config-ipsec-proposal)# exi
HQ(config)# crypto ikev2 policy 1 
HQ(config-ikev2-policy)# encryption aes-256
HQ(config-ikev2-policy)# integrity sha
HQ(config-ikev2-policy)# group 2
HQ(config-ikev2-policy)# prf sha
HQ(config-ikev2-policy)#  lifetime seconds 86400
HQ(config-ikev2-policy)# exi
HQ(config)# crypto ikev1 policy 10
HQ(config-ikev1-policy)# authentication pre-share 
HQ(config-ikev1-policy)# encryption aes-256 
HQ(config-ikev1-policy)# hash sha
HQ(config-ikev1-policy)# group 2
HQ(config-ikev1-policy)# lifetime 86400
HQ(config-ikev1-policy)# exi
HQ(config)# crypto ikev2 enable Outside
HQ(config)# crypto ikev1 enable Outside
HQ(config)# crypto map Outside_map 1 match address Outside_cryptomap
HQ(config)# crypto map Outside_map 1 set peer 2.2.2.2               
HQ(config)# crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
HQ(config)# crypto map Outside_map 1 set ikev2 ipsec-proposal AES256
HQ(config)# crypto map Outside_map interface Outside               
HQ(config)# group-policy MyPeer internal             
HQ(config)# group-policy MyPeer attributes 
HQ(config-group-policy)# vpn-tunnel-protocol ikev1 ikev2
HQ(config-group-policy)# tunnel-group 2.2.2.2 type ipsec-l2l   
HQ(config)# tunnel-group 2.2.2.2 general-attributes 
HQ(config-tunnel-general)# default-group-policy MyPeer
HQ(config-tunnel-general)# exi
HQ(config)# tunnel-group 2.2.2.2 ipsec-attributes 
HQ(config-tunnel-ipsec)#  ikev1 pre-shared-key MyKey
HQ(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key MyKey
INFO: You must configure ikev2 local-authentication pre-shared-key
      or certificate to complete authentication.
HQ(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key MyKey
HQ(config-tunnel-ipsec)#

And boom! We have a working VPN:

L2L VPN

Traffic works the other way as well.

L2L - the other way

OK, so now that we have a working VPN, let’s see if we can NAT on the HQ side.

NAT and Site-to-Site VPNs

In order that we can hide our 10.1.1.0/24 network behind a new network (192.168.1.0/24), we need to add another network object to HQ, add a NAT rule, an access-list, and finally edit our crypto map to reference the access-list:

HQ(config)# object network YouSeeMeAs
HQ(config-network-object)# subnet 192.168.1.0 255.255.255.0
HQ(config-network-object)# exi
HQ(config)#nat (DMZ,Outside) source static MyInsideNetwork YouSeeMeAs destination static TheirRemoteNetwork TheirRemoteNetwork
HQ(config)#access-list Hidden_CryptoMap extended permit ip object YouSeeMeAs object TheirRemoteNetwork
HQ(config)#crypto map Outside_map 1 match address Hidden_CryptoMap

Now we need to change the other side to look towards the 192.168.1.0 traffic (instead of the 10.1.1.0/24 network):

ASA objects

Once we send some traffic between the two sites, our VPN should get established.

interesting traffic

Quite nicely, it’s preserving (or reserving) the final octet for us. However, we are now only good for being called into. Our pings from HQ to the Client fail:

L2L ping fail

OK, so how do we get both sides working, instead of this one-way traffic that we have? Well, let’s try and work out what’s happening.

HQ# sh nat detail 
Manual NAT Policies (Section 1)
1 (DMZ) to (Outside) source static MyInsideNetwork MyInsideNetwork   destination static TheirRemoteNetwork TheirRemoteNetwork no-proxy-arp route-lookup
    translate_hits = 32, untranslate_hits = 32
    Source - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24
    Destination - Origin: 10.200.1.0/24, Translated: 10.200.1.0/24
2 (DMZ) to (Outside) source static MyInsideNetwork YouSeeMeAs   destination static TheirRemoteNetwork TheirRemoteNetwork
    translate_hits = 7, untranslate_hits = 7
    Source - Origin: 10.1.1.0/24, Translated: 192.168.1.0/24
    Destination - Origin: 10.200.1.0/24, Translated: 10.200.1.0/24

Manual NAT Policies (Section 3)
1 (DMZ) to (Outside) source dynamic any interface  
    translate_hits = 66, untranslate_hits = 59
    Source - Origin: 0.0.0.0/0, Translated: 1.1.1.2/24
HQ#

This is our NAT table. And here is a very long packet-tracer output:

HQ# packet-tracer input DMZ icmp 10.1.1.10 1 7 10.200.1.10 detailed 

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 1.1.1.1 using egress ifc  Outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ,Outside) source static MyInsideNetwork MyInsideNetwork destination static TheirRemoteNetwork TheirRemoteNetwork no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Outside
Untranslate 10.200.1.10/0 to 10.200.1.10/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 any any 
object-group service DM_INLINE_SERVICE_1
 service-object ip 
 service-object icmp 
 service-object icmp echo
 service-object icmp echo-reply
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffcd5403e0, priority=13, domain=permit, deny=false
        hits=48, user_data=0x7fffd8e59d00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 4
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (DMZ,Outside) source static MyInsideNetwork MyInsideNetwork destination static TheirRemoteNetwork TheirRemoteNetwork no-proxy-arp route-lookup
Additional Information:
Static translate 10.1.1.10/0 to 10.1.1.10/0
 Forward Flow based lookup yields rule:
 in  id=0x7fffce1821f0, priority=6, domain=nat, deny=false
        hits=29, user_data=0x7fffce14e060, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=10.200.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
        input_ifc=DMZ, output_ifc=Outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffcd2d74f0, priority=0, domain=nat-per-session, deny=true
        hits=270, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype: 
Result: ALLOW 
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffcdabbd30, priority=0, domain=inspect-ip-options, deny=true
        hits=522, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 7
Type: QOS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffcd9ecd50, priority=70, domain=qos-per-class, deny=false
        hits=191, user_data=0x7fffcd9eca20, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 8      
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp 
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffcda4d390, priority=70, domain=inspect-icmp, deny=false
        hits=44, user_data=0x7fffce13f110, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:       
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffcdabb5e0, priority=66, domain=inspect-icmp-error, deny=false
        hits=128, user_data=0x7fffcdabab40, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=DMZ, output_ifc=any

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,Outside) source static MyInsideNetwork MyInsideNetwork destination static TheirRemoteNetwork TheirRemoteNetwork no-proxy-arp route-lookup
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fffce182df0, priority=6, domain=nat-reverse, deny=false
        hits=29, user_data=0x7fffce14e160, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=10.200.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
        input_ifc=DMZ, output_ifc=Outside

Phase: 11     
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 376, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

HQ#

In Phase 1 we find out egress interface. ¬†We only have one, so it’s no surprise. In Phase 2 we hit our first NAT rule – out 10.1.1.0/24 to their 10.200.1.0/24.

In Phase 3 we check (and pass) out ACLs, and in Phase 4 we perform NAT, again we hit the first NAT rule, translating our 10.1.1.10/24 client address to itself.

In Phases 5, 6 and 7 we perform per-session NAT, check the IP-Options and any QoS – all of these pass.

Phases 8 and 9 are np-inspects, these pass.

Phase 10 is a RPF (Reverse Path Forwarding) check, and this passed, so then it is on to the final flow-creation.

So all looks good there, we don’t see any failures. However, we can see that the ACL we are hitting is the original one – before we implemented NAT within our VPN tunnel. Therefore the Client ASA will be seeing traffic come over the VPN with an incorrect endpoint address. So let’s just pop over to ASDM (because it’s much easier) and try moving the order of our NAT statements around.

Before:

ASDM NAT statements

After:

ASDM NAT statements after

Now (thankfully), our DMZ-Client PC can access the Guest-PC:

ASDM NAT DMZ

As a final note, let’s have a look at the packet tracer again and see the difference (I have truncated the output this time to make it a bit easier):

HQ# sh nat detail                                                   
Manual NAT Policies (Section 1)
1 (DMZ) to (Outside) source static MyInsideNetwork YouSeeMeAs   destination static TheirRemoteNetwork TheirRemoteNetwork
    translate_hits = 15, untranslate_hits = 15
    Source - Origin: 10.1.1.0/24, Translated: 192.168.1.0/24
    Destination - Origin: 10.200.1.0/24, Translated: 10.200.1.0/24
2 (DMZ) to (Outside) source static MyInsideNetwork MyInsideNetwork   destination static TheirRemoteNetwork TheirRemoteNetwork no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24
    Destination - Origin: 10.200.1.0/24, Translated: 10.200.1.0/24

Manual NAT Policies (Section 3)
1 (DMZ) to (Outside) source dynamic any interface  
    translate_hits = 66, untranslate_hits = 59
    Source - Origin: 0.0.0.0/0, Translated: 1.1.1.2/24
HQ# packet-tracer input DMZ icmp 10.1.1.10 1 7 10.200.1.10 detailed 

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ,Outside) source static MyInsideNetwork YouSeeMeAs destination static TheirRemoteNetwork TheirRemoteNetwork
Additional Information:
NAT divert to egress interface Outside
Untranslate 10.200.1.10/0 to 10.200.1.10/0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 any any 
object-group service DM_INLINE_SERVICE_1
 service-object ip 
 service-object icmp 
 service-object icmp echo
 service-object icmp echo-reply

Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (DMZ,Outside) source static MyInsideNetwork YouSeeMeAs destination static TheirRemoteNetwork TheirRemoteNetwork
Additional Information:
Static translate 10.1.1.10/0 to 192.168.1.10/0

Phase: 4
Type: NAT     
Subtype: per-session
Result: ALLOW

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW

Phase: 6
Type: QOS
Subtype: 
Result: ALLOW

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
              
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,Outside) source static MyInsideNetwork YouSeeMeAs destination static TheirRemoteNetwork TheirRemoteNetwork

Phase: 11
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 392, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
              
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

HQ# 

So, here we can see that the order of NAT is extremely important.

Hope you have enjoyed the post!

One Response

  1. Marcus V Morais July 2, 2015

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.