
I am using a virtual tunnel interface to connect my ASA to a router in order to use BGP between the two.

The inside network on the ASA (10.10.10.0/24) needs to use source NAT so that, to the router, traffic from 10.10.10.0/24 appears to be coming from 10.99.99.0/24.

I need to apply this source NAT in such a way that it doesn't compete with the Internet-access PAT translation policy for this same inside network, 10.10.10.0/24.

I could certainly define the source NAT rule to apply only when bound to specific destination networks (towards the router), but is it possible to configure some sort of policy so that the ASA only triggers the source NAT for traffic that needs to go across the VTI?

Daveba123

1 Answer


It turns out that the nameif identification of interfaces, which can be used to "name" a VTI, cannot be used in NAT statements. So, instead of being able to use source NAT like

nat (inside,outside) source static (real_subnet) (translated subnet)

I have to use twice NAT with any,any statements, like this:

nat (any,any) source static (real_subnet) (translated subnet) destination static (real_subnet) (translated subnet)

Daveba123