PAT + NAT Exemption with two ISPs and multiple VLANs

Nicola Volpini
Level 1

Hi everyone. I am attempting to implement PAT + NAT exemption on our ASA on a setup similar to the one described here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_overview.html#92034

The main difference lies in our setup using two ISPs (active/passive, managed via IP SLA) and multiple VLANs served by the ASA.

I'm following the example in the Cisco page and have removed some snippets that I don't think are needed (marked with the "!" in the following pasted block):

! Enable hairpin for VPN client traffic:
same-security-traffic permit intra-interface

! NOT NEEDED?
! Identify local VPN network, & perform object interface PAT when going to Internet:
!object network vpn_local
!subnet 10.3.3.0 255.255.255.0
!nat (outside,outside) dynamic interface

! Identify inside Boulder network, & perform object interface PAT when going to Internet:
object network boulder_inside
subnet 10.1.1.0 255.255.255.0
nat (inside,outside) dynamic interface

! Identify inside San Jose network for use in twice NAT rule:
object network sanjose_inside
subnet 10.2.2.0 255.255.255.0

! NOT NEEDED
! Use twice NAT to pass traffic between the Boulder network and the VPN client without
! address translation (identity NAT):
!nat (inside,outside) source static boulder_inside boulder_inside destination static vpn_local vpn_local

! Use twice NAT to pass traffic between the Boulder network and San Jose without
! address translation (identity NAT):
nat (inside,outside) source static boulder_inside boulder_inside destination static sanjose_inside sanjose_inside

! NOT NEEDED
! Use twice NAT to pass traffic between the VPN client and San Jose without
! address translation (identity NAT):
!nat (outside,outside) source static vpn_local vpn_local destination static sanjose_inside sanjose_inside

Now, this setup makes the PAT + NAT exemption work, except that all the traffic coming from "inside" cannot reach the additional internal VLANs. Also, all the traffic coming from the other side of the tunnel (the San Jose network) cannot reach the inside VLANs anymore (but can reach Boulder just fine).

Am I missing something obvious? I'm expecting the NAT rules to affect only the "inside" interface, so why should everything break?

I am using ASA version 9.1.

Thanks!

3 Replies

Francesco Molino
VIP Alumni

Hi

I'm not sure I get your point with your "!"-marked commands.

Could you paste the config you have right now and what you want to achieve?

Anyhow, if you want traffic from different VLANs to be able to reach other VLANs on the inside side, you will need the command same-security-traffic permit intra-interface

For the other point, I will wait for your config before answering.

Thanks
Francesco
PS: Please don't forget to rate and mark as correct answer if this solved your issue

Hello!

I commented out those NAT rules because my setup does not have a "client VPN" implementation, only "site-to-site".

I managed to implement the NAT by using the following rules:

nat (IF-DMZ-SELFSERVICE-TERMINALS,IF-MANAGEMENT) source static OGN-DMZ-SELFSERVICE-TERMINALS-NAT-ISP2 OGN-DMZ-SELFSERVICE-TERMINALS-NAT-ISP2 destination static OGN-LOCAL-LB-OFFERING-STATIC-VIP OGN-LOCAL-LB-OFFERING-STATIC-VIP description *** identity nat to prevent traffic from terminals to LB VIPS from being natted ***
nat (IF-DMZ-SELFSERVICE-TERMINALS,SUBINT-INTERNET-2) source static OGN-DMZ-SELFSERVICE-TERMINALS-NAT-ISP2 OGN-DMZ-SELFSERVICE-TERMINALS-NAT-ISP2 destination static OGN-VPN-CUSTOMER-10-SA-R OGN-VPN-CUSTOMER-10-SA-R description *** identity nat to prevent traffic from terminals to spp from being natted ***
!
object network OGN-DMZ-SELFSERVICE-TERMINALS-NAT-ISP2
nat (IF-DMZ-SELFSERVICE-TERMINALS,SUBINT-INTERNET-2) dynamic interface

Regular object NAT for the PAT, plus two dedicated twice NAT rules for the NAT exemption.

One is for VLAN IF-DMZ-SELFSERVICE-TERMINALS when going to the remote network at the other side of the tunnel. The other is for VLAN IF-DMZ-SELFSERVICE-TERMINALS when going to the VLAN IF-MANAGEMENT.

The NAT is doubled for each ISP.

This seems to work OK.
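The pattern in the post above (identity twice NAT for every VLAN-to-VLAN and VLAN-to-peer pair, object PAT doubled per ISP), written out for the two-VLAN, two-ISP case described in the original question. This is an added example, not the poster's configuration or Cisco's: the interface names VLAN-A, VLAN-B, ISP1 and ISP2, all object names, and all addresses are assumed, and the route-lookup keyword and the IP SLA block are additions beyond what the poster showed.

```text
! Added example, not the poster's config. Interface names VLAN-A, VLAN-B,
! ISP1, ISP2, the object names and all addresses are assumed.
! ASA 9.1 syntax. Manual (twice) NAT in section 1 is evaluated before
! object NAT in section 2, so the identity rules win over the PAT rules.

! Local VLANs on separate interfaces at the same security level need
! inter-interface; two VLANs behind one interface need intra-interface.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network NET-VLAN-A
 subnet 10.10.1.0 255.255.255.0
object network NET-VLAN-B
 subnet 10.10.2.0 255.255.255.0
object network NET-REMOTE
 subnet 10.2.2.0 255.255.255.0

! 1. NAT exemption between local VLANs, one rule per interface pair.
nat (VLAN-A,VLAN-B) source static NET-VLAN-A NET-VLAN-A destination static NET-VLAN-B NET-VLAN-B
nat (VLAN-B,VLAN-A) source static NET-VLAN-B NET-VLAN-B destination static NET-VLAN-A NET-VLAN-A

! 2. NAT exemption toward the tunnel peer, for EVERY local VLAN and on
!    BOTH ISP interfaces. A static rule normally forces egress out of the
!    interface it names, so the first matching rule would pin the traffic
!    to ISP1 even after failover; route-lookup (8.4(2) and later) makes the
!    routing table, and therefore the IP SLA failover below, pick egress.
nat (VLAN-A,ISP1) source static NET-VLAN-A NET-VLAN-A destination static NET-REMOTE NET-REMOTE route-lookup
nat (VLAN-A,ISP2) source static NET-VLAN-A NET-VLAN-A destination static NET-REMOTE NET-REMOTE route-lookup
nat (VLAN-B,ISP1) source static NET-VLAN-B NET-VLAN-B destination static NET-REMOTE NET-REMOTE route-lookup
nat (VLAN-B,ISP2) source static NET-VLAN-B NET-VLAN-B destination static NET-REMOTE NET-REMOTE route-lookup

! 3. Interface PAT for Internet traffic. A network object carries only one
!    nat line, so there is one object per (VLAN, ISP) pair, as in the post.
object network NET-VLAN-A-PAT-ISP1
 subnet 10.10.1.0 255.255.255.0
 nat (VLAN-A,ISP1) dynamic interface
object network NET-VLAN-A-PAT-ISP2
 subnet 10.10.1.0 255.255.255.0
 nat (VLAN-A,ISP2) dynamic interface
object network NET-VLAN-B-PAT-ISP1
 subnet 10.10.2.0 255.255.255.0
 nat (VLAN-B,ISP1) dynamic interface
object network NET-VLAN-B-PAT-ISP2
 subnet 10.10.2.0 255.255.255.0
 nat (VLAN-B,ISP2) dynamic interface

! 4. Active/passive ISPs: default route via ISP1 tracked by an IP SLA
!    probe, floating default via ISP2 takes over when the probe fails.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface ISP1
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route ISP1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route ISP2 0.0.0.0 0.0.0.0 198.51.100.1 254
```

To check which rule a flow actually hits, run packet-tracer from each VLAN toward the peer network and toward an Internet address (for example packet-tracer input VLAN-B tcp 10.10.2.10 1025 10.2.2.10 443) once with ISP1 up and once with the tracked route withdrawn: the NAT phase should report the identity rule for peer traffic and the interface PAT rule for Internet traffic, with the egress interface following the active default route. show nat detail gives per-rule hit counts for the same comparison. The crypto map also has to be applied to both ISP interfaces, or the tunnel cannot re-establish from ISP2 after a failover.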

Hi

You said that inside can't talk with the other inside VLANs. Could you share the config and ACL for that part? Did you do a packet capture on the ASA, or did you check the logging? As I understand it, the ASA is your default gateway. Did you add the same-security command?

For VPN inside to inside, what are your ACLs? Did you check whether packets are arriving (through logging and/or packet capture)?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question