<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-AU" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">If I understand correctly, you’re terminating the tunnel outside of your NAT’d local network and you want to in effect “extend” that
private network out by one hop to reach the router, but only for cases where the traffic is bound for the other side of the tunnel. Is that right?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">If you had a private address space between the ASA and the router you could simply add a “nat (interface) 0” entry (the 0 entry defines
what traffic to NOT translate, a global exclude if you will, but the ACL should contain permit statements) to the ASA that’s tied to an ACL that specifies a source address of your internal subnet and a destination of the subnet at the other end of the tunnel.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">However, from what you described you have an internet routable address on the ASA and so by doing that you would be routing private
address space on the public internet (which, if there’s no other devices between, should technically work as it’ll just hop in to the tunnel and on its way without ever going out in to the big swamp but it’s poor form).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">Personally, I’d save myself the pain and move the IPSEC termination to the ASA and just use the aforementioned nat 0 entry to stop
it translating tunnel bound traffic.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">Scott<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif""> AusNOG [mailto:ausnog-bounces@lists.ausnog.net]
<b>On Behalf Of </b>Geordie Guy<br>
<b>Sent:</b> Thursday, 1 May 2014 2:59 PM<br>
<b>To:</b> Craig Askings<br>
<b>Cc:</b> <ausnog@lists.ausnog.net><br>
<b>Subject:</b> Re: [AusNOG] Exemption to a NAT rule for a particular destination<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Router does the tunnel and is at the edge, firewall is inside and doing the NAT.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Thu, May 1, 2014 at 2:49 PM, Craig Askings <<a href="mailto:craig@askings.com.au" target="_blank">craig@askings.com.au</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Sorry you have lost me here. Is the ASA doing all the NAT + the ipsec tunnel or is the upstream cisco router doing NAT and the ASA doing the ipsec tunnel?<o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">On 1 May 2014, at 2:45 pm, Geordie Guy <<a href="mailto:elomis@gmail.com" target="_blank">elomis@gmail.com</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Sorry guys, it's an ASA 5500 firewall making the decision to NAT, and cutting the upstream Cisco router out of making the decision to forward it into the tunnel. More reading seems to reveal what I want to do is configure a higher priority
NAT rule that NATs traffic to that destination by rewriting the source and destination traffic with the same original info, thereby cutting out the PAT for the public IP. Does this make sense? (it seems to, in a weird way)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Thu, May 1, 2014 at 2:37 PM, Karl Auer <<a href="mailto:kauer@biplane.com.au" target="_blank">kauer@biplane.com.au</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">On Thu, 2014-05-01 at 14:15 +1000, Geordie Guy wrote:<br>
> Is there a way of exempting a particular IP<br>
> address or providing some other criteria for a NAT rule?<o:p></o:p></p>
</div>
<p class="MsoNormal">Almost certainly, but how to do it depends on what system you are using.<br>
Tell us what you are trying to do it *with* and someone who uses that<br>
system will probably be able to help.<br>
<br>
For MikroTik, for example, you add an "accept" rule to the srcnat chain<br>
in "/ip firewall nat", limiting it to specific source or destination<br>
addresses. Make sure such rules are placed before any masquerade actions<br>
involving the same sources or destinations, of course.<br>
<br>
> PS: (*%&*$ing NAT.<br>
<br>
What you said.<br>
<br>
Regards, K.<br>
<span style="color:#888888"><br>
--<br>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
Karl Auer (</span><a href="mailto:kauer@biplane.com.au" target="_blank">kauer@biplane.com.au</a><span style="color:#888888">)<br>
</span><a href="http://www.biplane.com.au/kauer" target="_blank">http://www.biplane.com.au/kauer</a><span style="color:#888888"><br>
</span><a href="http://twitter.com/kauer389" target="_blank">http://twitter.com/kauer389</a><span style="color:#888888"><br>
<br>
GPG fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882<br>
Old fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A</span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><br>
<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>