
Cisco Defense Orchestrator

Prevent a Range of IP Addresses from Being Translated When Traversing the Outside Interface

About this NAT Use Case

Use this Twice NAT use case to enable site-to-site VPN.

Strategy

You are translating a pool of IP addresses to itself (an identity NAT) so that traffic from that pool is not translated as it leaves the outside interface and the IP addresses in one location on the network arrive unchanged in another.

Prerequisites

Create a network object or network group that defines the pool of IP addresses you are going to translate to itself. For the ASA, the range of addresses can be defined by a network object that uses an IP address range, a network object that defines a subnet, or a network group object that includes all the addresses in the range. For the FTD, the range of addresses can be defined by a network object that defines a subnet or a network group object that includes all the addresses in the range.

When creating the network objects or network groups, see Create or Edit ASA Network Objects and Network Groups (for ASAs) or Create or Edit a Firepower Network Object or Network Group (for FTDs) for instructions.

For the sake of the following procedure, we are going to call the network object or network group Site-to-Site-PC-Pool.

Create a Twice NAT Rule

  1. On the Devices & Services page, select the device you want to create the NAT rule for.
  2. Click NAT in the Management pane at the right.
  3. Click the blue cross (+) button > Twice NAT.
  4. In section 1, Type, select Static. Click Continue.
  5. In section 2, Interfaces, choose inside for the source interface and outside for the destination interface. Click Continue.
  6. In section 3, Packets, make these changes:
  • Expand the Original Address menu, click Choose, and select the Site-to-Site-PC-Pool object you created in the prerequisites section.
  • Expand the Translated Address menu, click Choose, and select the Site-to-Site-PC-Pool object you created in the prerequisites section.
  7. Skip section 4, Advanced.
  8. For Firepower Threat Defense (FTD), in section 5, Name, give the NAT rule a name.
  9. Click Save.
  10. For an ASA, create a crypto map. See CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide and review the chapter on LAN-to-LAN IPsec VPNs for more information on creating a crypto map.
  11. Review and deploy now the changes you made, or wait and deploy multiple changes at once.

Entries in the ASA's Saved Configuration File

These are the entries that would appear in an ASA's saved configuration file as a result of these procedures.

Note: This does not apply to FTD devices.

Objects created by this procedure

object network Site-to-Site-PC-Pool
 range 10.10.2.0 10.10.2.255

NAT rule created by this procedure

nat (inside,outside) source static Site-to-Site-PC-Pool Site-to-Site-PC-Pool
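As an added example (not from this page or from Cisco's tooling), the following Python check parses ASA configuration lines like the ones above and reports whether a given host address is exempted from translation between the inside and outside interfaces. It also models the ASA's in-order evaluation of manual NAT rules, so a self-to-self rule placed after a broader dynamic rule is reported as still translated. The sample configuration, the second object and the dynamic rule are constructed assumptions; object-groups are not resolved.

```python
import ipaddress
import re

# Constructed sample modelled on the ASA entries above; Branch-Subnet and the dynamic rule are assumptions.
SAMPLE_CONFIG = """
object network Site-to-Site-PC-Pool
 range 10.10.2.0 10.10.2.255
object network Branch-Subnet
 subnet 10.20.0.0 255.255.255.0
nat (inside,outside) source static Site-to-Site-PC-Pool Site-to-Site-PC-Pool
nat (inside,outside) source dynamic any interface
"""

NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source (static|dynamic) (\S+) (\S+)")

def parse_network_objects(config):
    """Map 'object network' names to the networks their range/subnet lines define."""
    objects, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"^object network (\S+)", line):
            current = m.group(1)
            objects[current] = []
        elif current and (m := re.match(r"^\s+range (\S+) (\S+)", line)):
            lo, hi = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
            objects[current].extend(ipaddress.summarize_address_range(lo, hi))
        elif current and (m := re.match(r"^\s+subnet (\S+) (\S+)", line)):
            objects[current].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        elif line and not line.startswith(" "):
            current = None  # any other top-level line ends the object block
    return objects

def first_matching_nat_rule(config, ip, src_if="inside", dst_if="outside"):
    """The ASA evaluates manual NAT rules in order: return the first rule on this interface
    pair whose original source covers `ip`, or None. Object-groups are not resolved here."""
    objects = parse_network_objects(config)
    addr = ipaddress.ip_address(ip)
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m or (m.group(1), m.group(2)) != (src_if, dst_if):
            continue
        nets = [ipaddress.ip_network("0.0.0.0/0")] if m.group(4) == "any" else objects.get(m.group(4), [])
        if any(addr in net for net in nets):
            return {"type": m.group(3), "original": m.group(4), "translated": m.group(5)}
    return None

def is_exempt_from_nat(config, ip, src_if="inside", dst_if="outside"):
    """True only when the first matching rule is a static rule translating the pool to itself."""
    rule = first_matching_nat_rule(config, ip, src_if, dst_if)
    return rule is not None and rule["type"] == "static" and rule["original"] == rule["translated"]
```

Running the check against a saved configuration before deploying the crypto map confirms that the VPN pool will leave the outside interface with its addresses intact.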