topic Re: NAT with 3 Interfaces in Network Security

NAT with 3 Interfaces

rwoerner1 — Mon, 11 Mar 2019 17:31:17 GMT

I wanted to see if something like this would work.

The existing config works fine and works like so:

access-list remoteT1_AL extended permit ip object-group remoteT1_NAT_local object-group remoteT1_NAT

global (local1) 30 10.3.90.55

nat (local) 30 access-list remoteT1_AL

This is across 2 local interfaces, because we have a P2P T1 to a client and they're super strict with the IP range they allow, so I have to NAT everything from local to local1. I just dump the IPs I need into the object groups and I'm good to go.

The problem that has just arisen, is we setup a VPN to a new office on the 'public' interface and the users there need to access this P2P T1 network. I want to try to do something like this (see below) and just dump those VPN IPs into the object groups. It didn't work needless to say. Problem is that I have them nat exempt for the VPN, but I obviously need to nat them for this connection. Also, I'm not sure if there is something inherent on the public interface that would make this infeasible to work. If anyone has any insight it would be much appreciated. Thanks in advance!

global (local1) 30 10.3.90.55

nat (local) 30 access-list remoteT1_AL

nat (public) 30 access-list remoteT1_AL

-Rus

PS: Device is ASA 5510 w/ 8.2(1)11.

Re: NAT with 3 Interfaces

Federico Coto Fajardo — Fri, 09 Apr 2010 19:54:12 GMT

Hi,

It should work.

Does the public and local1 interfaces have the same security level, because if so, you should manually allow the communication with the same security permit inter-interface command.

When a VPN client tries to access the network on local1, do you see a translation being build?

This will show us if the VPN client terminates on the Firewall, and then gets NATed to the local1 interface.

Federico.

Re: NAT with 3 Interfaces

rwoerner1 — Mon, 12 Apr 2010 12:47:52 GMT

Federico,

Thanks for the reply. The public interface is 0, and both locals are 100. I logged the traffic and there is no NAT being applied. The repeating error is "asymmetric NAT rules mismatched for forward and reverse". Do you think that would have to do with the order the rules are being applied?

-Rus

Re: NAT with 3 Interfaces

Federico Coto Fajardo — Mon, 12 Apr 2010 12:52:52 GMT

You will not be able to pass traffic between two interfaces with the same security level unless you have the following command configured:

same security permit inter-interface

Check it out with: sh run same

Federico.

Re: NAT with 3 Interfaces

Jennifer Halim — Mon, 12 Apr 2010 12:58:20 GMT

It is not recommended to apply the same access-list "remoteT1_AL" on 2 different NAT statements as follows:

nat (local) 30 access-list remoteT1_AL

nat (public) 30 access-list remoteT1_AL

Configure a different ACL for "nat (public) 30". I assume that "public" interface has security level 0, and that is the VPN termination interface?

If that is the case, you would need to configure the following instead:

access-list remoteT1-VPN permit ip

nat (public) 30 access-list remoteT1-VPN outside

Remember to "clear xlate" after making all the changes.

Re: NAT with 3 Interfaces

rwoerner1 — Mon, 12 Apr 2010 13:06:32 GMT

Thanks, I checked it out and that command was in place. I'm able to pass traffic between the 2 local interfaces (same sec level), its just one the remote VPN network tries to nat across to the destination. I think the problem I'm running into is the order the NATs are being applied. I'm just not sure of the direction to head in.

-Rus

Re: NAT with 3 Interfaces

rwoerner1 — Mon, 12 Apr 2010 13:28:30 GMT

There is all ready a ACL doing this for the VPN so that it is tunneled. Also, I didn't really specifiy (my mistake) but it is a L2L VPN. Is it getting angry because I have the ACLs matching the cryptomap, and then the ACL trying to apply this NAT?

Re: NAT with 3 Interfaces

Jennifer Halim — Mon, 12 Apr 2010 13:40:53 GMT

Do you have the "outside" keyword on the NAT statement on the public interface?

nat (public) 30 access-list remoteT1-VPN outside

Re: NAT with 3 Interfaces

rwoerner1 — Mon, 12 Apr 2010 18:03:13 GMT

I didn't have the 'outside' keyword on the interface. I added it in but it didn't change the outcome, even after clearing xlate. I ran the packet tracer but that didn't tell me very much. Since this is a VPN connection, would the remote internal IPs be considered public? Or would they be local since its an established VPN?

Re: NAT with 3 Interfaces

Jennifer Halim — Tue, 13 Apr 2010 10:54:30 GMT

Sorry, don't quite understand your question.

Please post config, and what you are trying to achieve.

Re: NAT with 3 Interfaces

rwoerner1 — Tue, 13 Apr 2010 11:29:28 GMT

Here is the relevant config I think:

2.2.2.0/24 is our local network for int local

object-group network remoteT1_NAT_local
network-object 1.1.1.0 255.255.255.0

access-list nonat extended permit ip 1.1.1.0 255.255.252.0 2.2.2.0 255.255.255.0
access-list public_cryptomap_1090 extended permit ip 1.1.1.1 255.255.252.0 2.2.2.0 255.255.255.0
access-list remoteT1_AL extended permit ip object-group remoteT1_NAT_local object-group remoteT1_NAT
access-list remoteT1_AL_VPN extended permit ip object-group remoteT1_NAT_local object-group remoteT1_NAT

global (public) 10 interface
global (local1) 30 10.3.90.55
nat (local) 30 access-list remoteT1_AL
nat (public) 30 access-list remoteT1_AL_VPN outside
nat (local) 10 0.0.0.0 0.0.0.0

crypto map public_map 1090 match address public_cryptomap_1090

If nothing stands out there is no need to worry, I'll start trying to figure out a different path. Thanks a ton for your help.

Re: NAT with 3 Interfaces

Kureli Sankar — Tue, 13 Apr 2010 11:37:16 GMT

We just need to see what the logs show when the flow breaks.

Post syslogs in debug level.

conf t

logging on

logging buffered debug

exit

sh logg | i x.x.x.x

-KS

Re: NAT with 3 Interfaces

Jennifer Halim — Tue, 13 Apr 2010 11:49:51 GMT

Sorry, it looks all wrong. Nothing matches correctly, and still not too sure what you are trying to achieve.

What I understand is VPN traffic terminate on "public" interface (security level 0), and you would like to NAT the VPN remote LAN to 10.3.90.55 when going towards "local1" interface (security level 100). Is this correct?

Please include the remote LAN subnet, local1 subnet, and the crypto ACL. Also, where is your nonat ACL applied? Please also share output of the following:

sh run nat

sh run global

and any access-list associated with the nat statement.

Re: NAT with 3 Interfaces

rwoerner1 — Tue, 13 Apr 2010 14:57:38 GMT

I'm trying to achive what you specified. Right now I NAT to the local1 subnet from the local subnet, but I also need to be able to NAT from the local IPs of the remote VPN network across the IPSec VPN tunnel to the local1

Log output:

5|Apr 13 2010|09:58:22|305013|10.20.2.29||||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src public:remoteVPNnetwork dst local1e:remoteT1network (type 8, code 0) denied due to NAT reverse path failure

local & local 1 are sec level 100

public is 0

same-security-traffic permit inter-interface

Crypto ACL:

access-list public_cryptomap_1090 extended permit ip 1.1.1.1 255.255.252.0 2.2.2.0 255.255.255.0

Crypto ACL applied:

crypto map public_map 1090 match address public_cryptomap_1090

sh run nat

nat (local) 0 access-list nonat
nat (local) 40 access-list CHS_AL
nat (local) 30 access-list remoteT1_AL
nat (public) 30 access-list remoteT1_AL_VPN outside
nat (local) 10 0.0.0.0 0.0.0.0
nat (public) 0 access-list public_nat0_inbound outside
nat (public) 5 access-list public_pnat_inbound_V1 outside

global:

global (public) 40 192.168.11.25-192.168.11.28 netmask 255.255.255.0
global (public) 10 interface
global (local1) 30 10.3.90.55

Also, I was using icmp just for logging purposes, but regular tcp traffic has the same effect.

Re: NAT with 3 Interfaces

Jennifer Halim — Wed, 14 Apr 2010 13:06:44 GMT

OK, you haven't included all the access-list which are associated with the NAT statement. It's difficult to help if you don't provide the whole picture.

This statement:

nat (public) 0 access-list public_nat0_inbound outside

will take precedence over:

nat (public) 30 access-list remoteT1_AL_VPN outside

NAT exemption with ACL will take priority therefore, your "nat (public) 30" will never get invoke if the access-list overlaps.

Further to that, you don't have NAT exemption on local1 interface.

Please share the whole config, OR/ provide output of the following:

show run interface

show run route

show access-list

And please confirm, the traffic flow is from "public" interface towards "local1" interface?

Re: NAT with 3 Interfaces

rwoerner1 — Fri, 16 Apr 2010 14:33:40 GMT

I apologize, the reason why I didn't was because there aren't any ACLs pertaining to the nat (public) 0 and a few others. Someone else threw them on the config for no reason I suppose? I dropped that statement and a few others.

interface Ethernet0/0
nameif local
security-level 100
ip address w.w.w.w 255.255.255.0
ospf cost 10
!
interface Ethernet0/1
nameif public
security-level 0
ip address x.x.x.x 255.255.255.224 standby x.x.x.x
ospf cost 10
!
interface Ethernet0/2
nameif local1
security-level 100
ip address y.y.y.31 255.255.255.0
ospf authentication-key password
ospf authentication null
!
interface Ethernet0/3
description LAN Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only

route public 0.0.0.0 0.0.0.0 x.x.x.x 1
route local1 10.2.1.89 255.255.255.255 y.y.y.1

(there are a few other routes pointing to the remote T1 network but they're all the same syntax & gateway)

For the ACLs, there are about 800 so I'm going to go ahead and leave those out. Everything pertinent has been provided.

On a side note, I was going through the config line by line (I didn't set up this device so I don't know everything that was added) but I found the nat control statement. I'm not sure if this would affect going from a 0 int to a 100 int. I didn't quite understand the relevance. Could that be the problem? Thanks again.

Re: NAT with 3 Interfaces

Jennifer Halim — Fri, 16 Apr 2010 14:40:40 GMT

Sorry, but x.x.x.x, y.y.y.y does not help when we are trying to match the subnet through the NAT statement.

Also, please send through the following:

show run nat

show run global

show run static

And from the above "sh run nat" output, please share the access-list entries that you can see on the NAT entries.

If you can't provide any configuration details on the forum, you should just open a TAC case.

Re: NAT with 3 Interfaces

rwoerner1 — Fri, 16 Apr 2010 15:41:11 GMT

object-group network INT_CHS
network-object 172.28.26.0 255.255.255.0

object-group network INT_NAT
description local IP group for INT NAT
network-object host 10.10.53.77

object-group network remotet1_NAT_local
description local hosts for remote T1 network NAT
network-object 172.28.26.0 255.255.255.0 (local interface subnet)

network-object 10.120.1.0 255.255.255.0 (remote VPN internal network)

object-group network remotet1_NAT
description local IP group for remote hosts NAT
network-object host 10.20.1.57
network-object host 10.20.1.85
network-object host 10.20.1.86
network-object host 10.20.2.40
network-object host 10.20.4.28
network-object host 10.2.1.89
network-object host 10.20.2.29
network-object host 10.20.2.30

crypto map public_map 1090 match address public_cryptomap_1090
crypto map public_map 1090 set peer 123.1.10.15
crypto map public_map 1090 set transform-set ESP-3DES-MD5
crypto map public_map 1090 set security-association lifetime seconds 86400

tunnel-group 123.1.10.15 type ipsec-l2l
tunnel-group 123.1.10.15 ipsec-attributes
pre-shared-key xxxxx

access-list public_cryptomap_1090 extended permit ip 172.28.26.0 255.255.255.0 10.121.1.0 255.255.255.0

access-list public_cryptomap_1090 extended permit ip host 10.20.1.57 10.121.1.0 255.255.255.0 (one of these for each host in the object group)

access-list nonat extended permit ip 172.28.26.0 255.255.255.0 10.121.0.0 255.255.255.0

access-list remoteT1_AL extended permit ip object-group remotet1_NAT_local object-group remotet1_NAT

access-list CHS_AL extended permit ip object-group INT_CHS object-group INT_NAT

nat (local) 0 access-list nonat
nat (local) 40 access-list CHS_AL
nat (local) 30 access-list remoteT1_AL

nat (local) 10 0.0.0.0 0.0.0.0
nat (public) 50 access-list remoteT1_AL outside

global (public) 40 192.168.11.25-192.168.11.28 netmask 255.255.255.0
global (public) 10 interface
global (local1) 30 10.1.90.55
global (local1) 50 10.1.90.159

no static nats

Re: NAT with 3 Interfaces

Jennifer Halim — Sat, 17 Apr 2010 10:19:14 GMT

Crypto ACL does not seem to match with the NATing that you have configured. Further to that, you also need to have NAT exemption for local1 interface which has not been configured.

You mention that 10.120.1.0 255.255.255.0 is the remote VPN internal network, but your crypto ACL has 10.121.1.0 255.255.255.0 as the destination. I assume the vpn tunnel is not even up yet at this stage?

Also I assume that object-group "remotet1_NAT" is routed towards local1 interface, right?

OK, let me assume this then:

Remote VPN peer LAN - 10.120.1.0/24

You would like to NAT traffic from the remote VPN LAN (10.120.1.0/24) towards local1 (object-group remote1_NAT) subnets to 10.1.90.159

So firstly: configure the NATing first:

access-list local1-nonat permit ip object-group remote1_NAT host 10.1.90.31

nat (local1) 0 access-list local1-nonat

I would leave the following in the configuration:

nat (public) 50 access-list remoteT1_AL outside

global (local1) 50 10.1.90.159

Secondly: configure the correct crypto ACL (and the peer VPN gateway needs to be configured with mirror image ACL😞

access-list public_cryptomap_1090 extended permit ip 10.20.1.0 255.255.255.0 10.120.1.0 255.255.255.0

access-list public_cryptomap_1090 extended permit ip 10.20.2.0 255.255.255.0 10.120.1.0 255.255.255.0

access-list public_cryptomap_1090 extended permit ip 10.20.4.0 255.255.255.0 10.120.1.0 255.255.255.0

access-list public_cryptomap_1090 extended permit ip 10.2.1.0 255.255.255.0 10.120.1.0 255.255.255.0

Hope I haven't confused you.

Re: NAT with 3 Interfaces

rwoerner1 — Tue, 20 Apr 2010 11:53:10 GMT

Thanks for the reply, they Crypto ACL doesn't match completely, because the remote VPN needs to access items on the local int as well as off of the local1 int. As far as leaving the additional hosts out I just figured it would be redundant to have 10 almost identical ACLs, sorry.

The tunnel itself is and has been working fine to the local, we have about 25 other VPN using the same ordered ACLs.

I made the changes, I'm just waiting to hear back from the guy at the other site. I'll let you know. Thanks again.