topic interface GigabitEthernet1/1 in Network Security

ASA to Nexus NAT not working

Epiccloud — Tue, 12 Mar 2019 08:43:45 GMT

Wondering if anyone has run into something like this before.

We have an ASA cluster acting as our network firewall.
We are using the ASA to NAT public IPs 1:1 to two different internal servers.

Most of our servers are attached to a Pair of Cisco Nexus switches running virtual port channel.
Traffic is routed between the ASAs and the Nexus using a /30 subnet and static routes.

Network traffic works, the ASA is able to ping Server 1 and Server 2 and vice versa.
We are seeing the ACL gets hits

NAT rules applying to an interface directly on the ASA to Server 1 work fine.
But identical NAT rules (different IPs) applying to the routed interface to the Nexus and Server 2 don't work and we can't figure out why.

Hi,

Pablo — Wed, 04 Jan 2017 00:16:08 GMT

Hi,

Is this an ASA cluster or a HA failover pair?

Can you ping from the ASA to Server 2?

Are you getting hits on the NAT entry?

Did you run a packet tracer on the ASA to see if the traffic is being allowed? If not, what was the drop code?

Can you post the sanitize configurations from the ASA and the Nexus?

__ __

Pablo

Is this an ASA cluster or a

Epiccloud — Wed, 04 Jan 2017 15:08:31 GMT

Is this an ASA cluster or a HA failover pair? Yes

Can you ping from the ASA to Server 2? Yes

Are you getting hits on the NAT entry?

3 (BackhaultoMGMTNetworks) to (outside) source static VeeamWANReplicationTarget VeeamReplicationExternalIP description NAT rule for Veeam Replication
translate_hits = 13, untranslate_hits = 89459

Did you run a packet tracer on the ASA to see if the traffic is being allowed? If not, what was the drop code?

Packet tracer shows the packet is allowed

Can you post the sanitize configurations from the ASA and the Nexus?

Yes, give me a bit

interface GigabitEthernet1/1

Epiccloud — Wed, 04 Jan 2017 15:39:22 GMT

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.0

interface GigabitEthernet1/3
nameif BackhaultoMGMTNetworks
security-level 99
ip address 10.254.0.34 255.255.255.248

object network VeeamWANReplicationTarget
host 10.140.50.17

object network VeeamGateway01
host 10.140.50.17

object service VeaamReplication
service tcp destination eq 6180

object-group service VeeamReplicationServices
service-object object VeaamReplication

nat (BackhaultoMGMTNetworks,outside) source static VeeamWANReplicationTarget VeeamReplicationExternalIP description NAT rule for Veeam Replication

access-group Outside in interface outside
access-list Outside extended permit object-group VeeamReplicationServices object-group VeeamReplicationSourceIPs object VeeamGateway01

route BackhaultoMGMTNetworks 10.140.0.0 255.255.0.0 10.254.0.33 1

Nexus

vlan 550
name Backup_Network

vrf context Epiccloud_Mgmt
ip route 0.0.0.0/0 10.254.0.2
ip route 10.107.0.0/24 10.254.0.26
ip route 172.16.4.0/24 10.254.0.34
ip route 192.168.4.0/23 10.254.0.26

interface Vlan550
description VLAN550-Backup_Network
no shutdown
mtu 9216
vrf member Epiccloud_Mgmt
no ip redirects
ip address 10.140.50.2/24
vrrp 150
    priority 20
    address 10.140.50.1
    no shutdown

interface Vlan998
no shutdown
vrf member Epiccloud_Mgmt
ip address 10.254.0.35/29
vrrp 253
    priority 20
    address 10.254.0.33
    no shutdown

interface Ethernet1/1
description UCS-FI-01:1/1
switchport mode trunk
switchport trunk allowed vlan 500-505,510-511,520-521,530,540-542,545,550,1003
-1004,1500-1506,1600
spanning-tree port type edge trunk
channel-group 11 mode active

Hi,

Pablo — Wed, 04 Jan 2017 22:47:47 GMT

Hi,

Is this an ASA cluster or a HA failover pair? Yes ** this was an OR question** These are 2 different features.

Configuration looks fine and you also have hits on the NAT rule. Can you get a capture on the internal interface of the ASA and see if you get the return traffic from the server?

It would be a good idea to take an ELAM capture on the Nexus as well.

__ __

Pablo

HA failover pair of 5508's

Epiccloud — Thu, 05 Jan 2017 17:12:03 GMT

HA failover pair of 5508's

I'll get the captures and see what I can see

Turns out the issue was a bad

Epiccloud — Tue, 28 Feb 2017 17:16:43 GMT

Turns out the issue was a bad default gateway on the nexus. We were sending the default traffic to a different set of firewalls (once that we are in the process of decommissioning).

Once we updated the default route to point to the ASAs the problem went away.