topic Re: NAT excempt for VPN in Network Security

NAT excempt for VPN

salva — Thu, 23 May 2019 20:24:20 GMT

Hello all,

As a network engineer working on a project to deploy and configure a series of ASA 5506-X running 9.9(2) iOS, I have encountered the following important issue:

When I configure a NAT Exempt rule for traffic flowing from one zone to another of the ASA itself, traffic from zone to zone works as expected with no issues.

When I configure a NAT Exempt rule for traffic flowing from one zone of the ASA to a remote network that resides on the other end of an IPSec VPN tunnel, the ASA with no obvious reason unchecks the "NAT Exempt" checkbox option in ASDM and therefore deletes the NAT entry in the Firewall configuration.

If I go configure one NAT rule for each Group's object separately, the issue disappears.

You can easily understand that when the issue occurs the IPSec VPN tunnel goes down or does not work as expected (you can imagine what that means to a production network..)

Is this some kind of bug (in ASDM or iOS versions), does it has to do with the encrypted traffic or is it some kind of security feature on Cisco devices?

Thanks everybody, looking forward to any feedback.

Salvatore Comi

Re: NAT excempt for VPN

Abheesh Kumar — Mon, 27 May 2019 07:03:23 GMT

Hi,

Try to create a nat rule like below and add all your local or remote subnets in the object-group

nat (inside,outside) source static Local-Subnet Local-Subnet destination static Remote-Subnet Remote-Subnet

Hope This Helps

Abheesh

Re: NAT excempt for VPN

salva — Mon, 27 May 2019 19:42:15 GMT

Hi,

This is the way I configure NATs, but I get the same issue.

It is not a configuration problem I suppose..

Thanks

Re: NAT excempt for VPN

Abheesh Kumar — Tue, 28 May 2019 05:37:48 GMT

what is error which you are getting while entering the above command for nat..?

Re: NAT excempt for VPN

salva — Tue, 28 May 2019 09:43:04 GMT

Hi,

I don't get any error when I configure NAT.

But the NAT entries disappear later on. The NAT exempt checkbox gets "unchecked" in ASDM and the NAT statement disappears..

Thanks

Re: NAT excempt for VPN

salva — Tue, 28 May 2019 09:45:40 GMT

More precisely:

When I configure the NAT rule all is ok at first.

Then a few hours later the client calls and says that the VPN does not work as expected.

When I check the configuration, the NAT rule is not there and I have to configure again.

Seems like an iOS bug, but I am not sure..

Re: NAT excempt for VPN

Abhijeet Kumar — Thu, 30 May 2019 14:52:40 GMT

I tried it on mine and it worked fine but I mostly configure it via CLI. Why don't you do this:
- Login to ASA with ASD
- Check "preview commands before sending" from preferences and save
- Create a tunnel and hit apply, at this point you will see all the commands.
- Copy and paste the commands in notepad, remove that group policy thing (It's of no use)
- SSH into the ASA
- Paste all the commands
- write mem
- copy running-config startup-config

Let us know how it goes.

Re: NAT excempt for VPN

salva — Thu, 30 May 2019 18:18:27 GMT

Hello Abhijeet,

I will try this to perform my tests, but if configuring directly through CLI is the only way to make NAT function properly, should I suppose it is an ASDM bug?

Thanks