https://community.cisco.com/t5/network-security/nat-and-site-to-site-tunnel-issue/m-p/4386044#M1080007 <P>Rob. I added two new NAT rules above the inside / outsite one that the Tunnel config had added.</P><P>Both Tom / Outside, first for the AWS traffic and the second for the Internet traffic.</P><P>All is good now, thanks for your input, it helped push me in the right direction</P> Tue, 13 Apr 2021 08:56:22 GMT Richard Tapp 2021-04-13T08:56:22Z https://community.cisco.com/t5/network-security/nat-and-site-to-site-tunnel-issue/m-p/4320890#M1079955 <P>We currently have a working tunnel from one of our ASA's to AWS. As we can only have single subnets set in the tunnel due to AWS limitations, our NAT statements have quite wide ranging subnets to catch all the possible combinations.</P><P>We have one serer that is required to use the tunnel and now needs internet access.</P><P>This is where the issue comes, as soon as we add a specific static NAT for internet access, the AWS flow stops working.</P><P>So I am looking for a solution that allows for the tunnel to work and for the server to have just TCP/443 to the internet as well.</P> Fri, 09 Apr 2021 08:56:45 GMT https://community.cisco.com/t5/network-security/nat-and-site-to-site-tunnel-issue/m-p/4320890#M1079955 Richard Tapp 2021-04-09T08:56:45Z https://community.cisco.com/t5/network-security/nat-and-site-to-site-tunnel-issue/m-p/4320895#M1079956 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/293247">@Richard Tapp</a>&nbsp;</P> <P>I assume that the rule you add is placed above the NAT exemption rule, so all traffic from that source is natted behind the ASAs interface IP address?</P> <P>What NAT exemption rule do you have in place for AWS and what rule have you added that breaks the access to AWS.</P> <P>Provide the output of "show nat detail".</P> Fri, 09 Apr 2021 09:11:00 GMT https://community.cisco.com/t5/network-security/nat-and-site-to-site-tunnel-issue/m-p/4320895#M1079956 Rob Ingram 2021-04-09T09:11:00Z https://community.cisco.com/t5/network-security/nat-and-site-to-site-tunnel-issue/m-p/4320955#M1079962 <P>&nbsp;</P><P>If I have the Tom-DMZ NAT either before or after the 114 line, then the flow AWS to Tom-DMZ fails.</P><P>But if I have the Tom-DMZ NAT in the server on Tom-DMZ can get to the internet.</P><P>But only 1 ever works at a time</P><P>&nbsp;</P><P>sh nat det | inc 10.0.0.0</P><P>114 (Inside) to (outside) source static NETWORK_OBJ_10.0.0.0_9 NETWORK_OBJ_10.0.0.0_9&nbsp; destination static NETWORK_OBJ_10.x.x.0_21 NETWORK_OBJ_10.x.x.0_21 no-proxy-arp route-lookup</P><P>&nbsp;&nbsp;&nbsp; Source - Origin: 10.0.0.0/9, Translated: 10.0.0.0/9</P><P>&nbsp;</P><P>&nbsp;</P><P># sh nat det | inc Tom-DMZ</P><P>121 (Tom-DMZ) to (outside) source dynamic Tom interface</P> Fri, 09 Apr 2021 12:02:03 GMT https://community.cisco.com/t5/network-security/nat-and-site-to-site-tunnel-issue/m-p/4320955#M1079962 Richard Tapp 2021-04-09T12:02:03Z https://community.cisco.com/t5/network-security/nat-and-site-to-site-tunnel-issue/m-p/4320966#M1079963 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/293247">@Richard Tapp</a>&nbsp;</P> <P>You've got a different source interface in those 2 nat rules.</P> <P>What is the source IP address of the server and which interface is it actually connected to</P> <P>Run packet-tracer from CLI, when each of the NAT rules are configured, upload the output for review.</P> Fri, 09 Apr 2021 12:19:59 GMT https://community.cisco.com/t5/network-security/nat-and-site-to-site-tunnel-issue/m-p/4320966#M1079963 Rob Ingram 2021-04-09T12:19:59Z https://community.cisco.com/t5/network-security/nat-and-site-to-site-tunnel-issue/m-p/4320997#M1079964 <P>you've got a different source interface in those 2 nat rules. The tunnel put the inside to outside one in. All interfaces start with 10.</P><P>&nbsp;</P><P>What is the source IP address of the server and which interface is it actually connected to. This is on the Tom-DMZ 10.75.120.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Tom to AWS Tunnel</P><P>&nbsp;</P><P>&nbsp;</P><P>packet-tracer in Tom-DMZ tcp 10.75.120.xx https 10.150.xx.xx h$</P><P>&nbsp;</P><P>Phase: 1</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: Resolve Egress Interface</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>found next-hop x.x.x.x using egress ifc&nbsp; outside</P><P>&nbsp;</P><P>Phase: 2</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group M-ENI-DMZ_access_in in interface Tom-DMZ</P><P>access-list M-ENI-DMZ_access_in extended permit object-group xxx-Standard-Internet-Outbound object xxxxxxx any</P><P>object-group service xxx-Standard-Internet-Outbound</P><P>&nbsp;description: xxx Standard Internet Outbound Ports</P><P>&nbsp;service-object tcp destination eq domain</P><P>&nbsp;service-object tcp destination eq ftp</P><P>&nbsp;service-object tcp destination eq ftp-data</P><P>&nbsp;service-object tcp destination eq www</P><P>&nbsp;service-object tcp destination eq https</P><P>&nbsp;service-object udp destination eq domain</P><P>&nbsp;service-object tcp destination eq ssh</P><P>Additional Information:</P><P>&nbsp;</P><P>Phase: 3</P><P>Type: NAT</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>nat (Tom-DMZ,outside) source dynamic Tom interface</P><P>Additional Information:</P><P>Dynamic translate 10.75.120.xx/443 to xx.xx.xx.xx/48</P><P>&nbsp;</P><P>Phase: 4</P><P>Type: NAT</P><P>Subtype: per-session</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>&nbsp;</P><P>Phase: 5</P><P>Type: IP-OPTIONS</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>&nbsp;</P><P>Phase: 6</P><P>Type: FOVER</P><P>Subtype: standby-update</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>&nbsp;</P><P>Phase: 7</P><P>Type: FLOW-EXPORT</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>&nbsp;</P><P>Phase: 8</P><P>Type: NAT</P><P>Subtype: rpf-check</P><P>Result: ALLOW</P><P>Config:</P><P>nat (Tom-DMZ,outside) source dynamic Tom interface</P><P>Additional Information:</P><P>&nbsp;</P><P>Phase: 9</P><P>Type: NAT</P><P>Subtype: per-session</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>&nbsp;</P><P>Phase: 10</P><P>Type: IP-OPTIONS</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>&nbsp;</P><P>Phase: 11</P><P>Type: FLOW-CREATION</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>New flow created with id 247200484, packet dispatched to next module</P><P>&nbsp;</P><P>Result:</P><P>input-interface: Tom-DMZ</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: outside</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: allow</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Tom to Internet</P><P>packet-tracer in Tom-DMZ tcp 10.75.120.xx https 8.8.8.8 https</P><P>&nbsp;</P><P>Phase: 1</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: Resolve Egress Interface</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>found next-hop xx.xx.xx.xx using egress ifc&nbsp; outside</P><P>&nbsp;</P><P>Phase: 2</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group M-ENI-DMZ_access_in in interface Tom-DMZ</P><P>access-list M-ENI-DMZ_access_in extended permit object-group xxx-Standard-Internet-Outbound object xxxxxxx any</P><P>object-group service xxx-Standard-Internet-Outbound</P><P>&nbsp;description: ISS Standard Internet Outbound Ports</P><P>&nbsp;service-object tcp destination eq domain</P><P>&nbsp;service-object tcp destination eq ftp</P><P>&nbsp;service-object tcp destination eq ftp-data</P><P>&nbsp;service-object tcp destination eq www</P><P>&nbsp;service-object tcp destination eq https</P><P>&nbsp;service-object udp destination eq domain</P><P>&nbsp;service-object tcp destination eq ssh</P><P>Additional Information:</P><P>&nbsp;</P><P>Phase: 3</P><P>Type: NAT</P><P>Subtype: per-session</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>&nbsp;</P><P>Phase: 4</P><P>Type: IP-OPTIONS</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>&nbsp;</P><P>Phase: 5</P><P>Type: FOVER</P><P>Subtype: standby-update</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>&nbsp;</P><P>Phase: 6</P><P>Type: FLOW-EXPORT</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>&nbsp;</P><P>Phase: 7</P><P>Type: NAT</P><P>Subtype: per-session</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>&nbsp;</P><P>Phase: 8</P><P>Type: IP-OPTIONS</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>&nbsp;</P><P>Phase: 9</P><P>Type: FLOW-CREATION</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>New flow created with id 247169104, packet dispatched to next module</P><P>&nbsp;</P><P>Result:</P><P>input-interface: Tom-DMZ</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: outside</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: allow</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 09 Apr 2021 13:26:38 GMT https://community.cisco.com/t5/network-security/nat-and-site-to-site-tunnel-issue/m-p/4320997#M1079964 Richard Tapp 2021-04-09T13:26:38Z https://community.cisco.com/t5/network-security/nat-and-site-to-site-tunnel-issue/m-p/4386044#M1080007 <P>Rob. I added two new NAT rules above the inside / outsite one that the Tunnel config had added.</P><P>Both Tom / Outside, first for the AWS traffic and the second for the Internet traffic.</P><P>All is good now, thanks for your input, it helped push me in the right direction</P> Tue, 13 Apr 2021 08:56:22 GMT https://community.cisco.com/t5/network-security/nat-and-site-to-site-tunnel-issue/m-p/4386044#M1080007 Richard Tapp 2021-04-13T08:56:22Z