topic Re: Unable to ping Internet from host behind ASA in Network Security

Unable to ping Internet from host behind ASA

mahesh18 — Tue, 12 Mar 2019 03:43:15 GMT

Hi Everyone,

I have config site to site VPN tunnel at home lab.

Setup is below

R1 ----ASA1 ----R2-----R3----ASA2------R4

R5---------------ISP

From R1 i can ping the IP of R5 but not able to ping the internet address.

Seems this is because i have no nat config for traffic between the site to site VPN for inside interface.

My problem is when i config dynamic NAT for inside network subnet of ASA1 --10.0.0.0/24 then i can not ping across the tunnel from R1 to R4.

ASA1 inside network is 10.0.0.0/24

ASA2 inside network 10.2.0.0/24

R1 IP 10.0.0.2

R4 IP 10.2.0.2

Is there any NAT config i can do that allow ping from R1 to internet and also R1 is able to ping R4 IP 10.2.0.2?

Regards

Mahesh

Unable to ping Internet from host behind ASA

Jouni Forss — Sun, 09 Feb 2014 17:54:45 GMT

Hi Mahesh,

For L2L VPN and Client VPN you would typically have a NAT0 configuration at both ASAs that would tell them not to NAT the packets between the LAN networks. You could have the normal Dynamic PAT configuration for any traffic from those networks to the external networks. Since configuring Dynamic PAT for your LAN network causes problems with the L2L VPN connection it means that you have not configured NAT0 proprely or at all.

These would be basic NAT configurations that could be configured on the ASAs if they only have the single LAN network and need NAT0 and Dynamic PAT

ASA1

object-group network LAN

network-object 10.0.0.0 255.255.255.0

object network REMOTE-LAN

subnet 10.2.0.0 255.255.255.0

nat (inside,outside) 1 source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

nat (inside,outside) after-auto source dynamic LAN interface

ASA2

object-group network LAN

network-object 10.2.0.0 255.255.255.0

object network REMOTE-LAN

subnet 10.0.0.0 255.255.255.0

nat (inside,outside) 1 source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

nat (inside,outside) after-auto source dynamic LAN interface

The above configuration would be the only thing needed for NAT0 for the L2L VPN and Dynamic PAT from the network behind the ASA to any external network.

Hope this helps

- Jouni

Unable to ping Internet from host behind ASA

mahesh18 — Sun, 09 Feb 2014 18:49:25 GMT

Hi Jouni,

ASA1 had this NAT for Site to Site VPN

nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.2.0.0_24 NETWORK_OBJ_10.2.0.0_24 no-proxy-arp route-lookup

When i added the below NAT so that i can ping the internet

nat (inside,outside) 1 source dynamic NETWORK_OBJ_10.0.0.0_24 interface

After this Ping was not working between host R1 and R4 but was working from R1 to any internet site.

Can you please tell me why ping between VPN hosts was not working?

Is this due to NAT order of operation?

nat (inside,outside) after-auto source dynamic LAN interface

Regards

MAhesh

Re: Unable to ping Internet from host behind ASA

Jouni Forss — Sun, 09 Feb 2014 18:54:43 GMT

Hi,

You didnt have the configuration the way I mentioned it

If you add the Dynamic PAT configuration as Section 1 Manual NAT and also mention the line number "1" then it naturally overrides the NAT0 configuration for the L2L VPN. If you issued "show run nat" you would see that the Dynamic PAT was now before the NAT0.

I originally suggested configuring the Dynamic PAT as Section 3 Manual NAT so it wont interfere with the NAT0 configuration.

So your above Dynamic PAT should be configured as

nat (inside,outside) after-auto source dynamic NETWORK_OBJ_10.0.0.0_24 interface

The key there is that it has the parameter "after-auto" configured there which makes it a Section 3 Manual NAT. The "after-auto" refers to the rule being after the Auto NAT rules which are the NAT configuration that you configure under the "object" and are positioned in the Section 2 Auto NAT.

- Jouni

Unable to ping Internet from host behind ASA

mahesh18 — Sun, 09 Feb 2014 19:06:38 GMT

Hi Jouni,

Sorry for confusion.

Earlier post was what i did yesterday.

I did not make any changes as you said in your first post.

I was curious to know why my Ping did not work.

Now i will do the changes as you said and it should work.

Best Regards

MAhesh