
8.4 NAT behavior

Hello community,

Still trying to figure out the new NAT, and today I came up with this real-life scenario and now I have some doubts about how the NAT behaves.

My configuration:

object network LOCAL-wNAT
 host 10.34.30.36
 nat (inside,outside) static 60.60.60.33
!
object-group network VPN-REMOTE-HOST
 network-object host 105.24.80.82
!
! ACL for the "interesting traffic" on a VPN.
!
access-list VPN-ACL line 1 extended permit ip object LOCAL-wNAT object-group VPN-REMOTE-HOST (hitcnt=0) 0x70ebd3e5
  access-list VPN-ACL line 1 extended permit ip host 10.34.30.36 host 105.24.80.82 (hitcnt=0) 0xa61b068a
!
! The error I got.
!
Tunnel rejected: Crypto Map Policy not found for remote traffic selector 105.24.80.82/105.24.80.82/0/65535/0 local traffic selector 60.60.60.33/60.60.60.33/0/65535/0 

So my understanding was that you can reference the object that has the NAT statement configured and the firewall will be able to distinguish if the traffic is sourced to the NATed IP.

From the example above, clearly it cannot :( and to fix it I did this:

object-group network PUBLIC-IP
 network-object host 60.60.60.33

!

access-list VPN-ACL line 2 extended permit ip object-group PUBLIC-IP object-group VPN-REMOTE-HOST (hitcnt=2) 0xe97aff85
  access-list VPN-ACL line 2 extended permit ip host 60.60.60.33 host 105.24.80.82 (hitcnt=2) 0x9ce87183

I would like to avoid having duplicate objects for this type of thing. Is there a way I can fix it? What would be the correct way to configure this?

Thanks!

2 Replies

Julio Carvajal
VIP Alumni

Hello Rolando,

How are you?

The problem here is with the concept of NAT and VPNs.

In the NAT you set up you are telling the ASA the following:

"NAT the inside host of 10.34.x.x to the public IP of 60.60.x.x whenever you go to the internet"

This will cover all traffic going to the outside interface from that host (including the VPN traffic to the other site).

That's why you need to use the 60.60 address for the Crypto Map because the traffic from the 10.34 will never be seen on the outside as it's getting translated.

Now, how to fix this?

Use NO-NAT for the VPN traffic.

This will still translate the internal host when going to internet addresses, except when going to the other site of the VPN.

Fix:

nat (inside,outside) source static LOCAL-wNAT LOCAL-wNAT destination static VPN-REMOTE-HOST VPN-REMOTE-HOST

Note that the other object NAT will still be used and that the crypto ACL will now use the 10.34 address instead of the public.

Julio Carvajal

Senior Network Security and Core Specialist

CCIE #42930, 2xCCNP, JNCIS-SEC

Rate my answers


Thanks for the answer Julio,

I don't need a NO-NAT, I actually want the public IP to travel over the VPN tunnel. Do you think that this is accurate? "Interface ACLs will want the real address but the VPN ACL will want the translated address"

I tried with a manual NAT, but it didn't work either :(

object network PRIVATE-IP
 host 10.34.30.36
!
! A network object takes "host", not "network-object" (that is object-group syntax).
! The mapped address is the public IP from the object NAT above.
object network PUBLIC-IP
 host 60.60.60.33
!
! Manual (twice) NAT: keyword order is "source static REAL MAPPED".
! With no destination clause it applies to every destination, the VPN peer included.
nat (inside,outside) source static PRIVATE-IP PUBLIC-IP
!
access-list VPN-ACL extended permit ip object PRIVATE-IP object-group VPN-REMOTE-HOST
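The thread turns on one ordering fact: on ASA 8.3+ the packet is translated first and only then compared against the crypto ACL on the outside interface, so the crypto ACL has to match whatever the packet's source is after NAT. Manual (twice) NAT in section 1 is consulted before object NAT in section 2, which is why Julio's identity rule with a destination clause wins for traffic to the peer while the object NAT still applies elsewhere. The following Python model is an added example, not configuration or code from this thread or from Cisco; it replays the four configurations discussed (the original object NAT, the line-2 workaround, Julio's identity NAT, and the follow-up manual NAT without a destination clause) through that ordering. The 10.34.30.36, 60.60.60.33 and 105.24.80.82 addresses are the ones from the thread; 203.0.113.10 is a constructed sample internet destination.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

REAL_HOST = "10.34.30.36"        # LOCAL-wNAT real address (from the thread)
MAPPED_HOST = "60.60.60.33"      # its static NAT address (from the thread)
VPN_PEER_HOST = "105.24.80.82"   # VPN-REMOTE-HOST (from the thread)
INTERNET_HOST = "203.0.113.10"   # constructed sample internet destination


@dataclass
class TwiceNat:
    """Section 1 rule: nat (inside,outside) source static REAL MAPPED [destination static D D]."""
    real_src: str
    mapped_src: str
    dst: Optional[str] = None    # None models 'no destination clause' = any destination


@dataclass
class ObjectNat:
    """Section 2 rule: 'nat (inside,outside) static MAPPED' under an 'object network' with 'host REAL'."""
    real: str
    mapped: str


def _in(addr: str, net: str) -> bool:
    return ip_address(addr) in ip_network(net)


def translate_source(src: str, dst: str, twice_nat, object_nat) -> str:
    """Source address after NAT for a packet src -> dst leaving via 'outside'.

    Section 1 (manual/twice NAT) is walked first, in order; section 2 (object
    NAT) is only consulted when nothing in section 1 matched.
    """
    for rule in twice_nat:
        if _in(src, rule.real_src) and (rule.dst is None or _in(dst, rule.dst)):
            return rule.mapped_src
    for rule in object_nat:
        if _in(src, rule.real):
            return rule.mapped
    return src


def crypto_acl_permits(acl, src: str, dst: str) -> bool:
    """Crypto ACL entries are (local, remote) pairs compared against the packet
    *after* NAT. No match is the 'Crypto Map Policy not found' condition."""
    return any(_in(src, local) and _in(dst, remote) for local, remote in acl)


def vpn_selector_result(twice_nat, object_nat, crypto_acl, dst=VPN_PEER_HOST):
    """(translated source, does the crypto ACL select this flow for the tunnel)."""
    mapped = translate_source(REAL_HOST, dst, twice_nat, object_nat)
    return mapped, crypto_acl_permits(crypto_acl, mapped, dst)


def scenario_original():
    """Original post: object NAT only; VPN-ACL references object LOCAL-wNAT,
    which expands to the real host (the show access-list output confirms it)."""
    return vpn_selector_result([], [ObjectNat(REAL_HOST, MAPPED_HOST)],
                               [(REAL_HOST, VPN_PEER_HOST)])


def scenario_workaround():
    """Line-2 workaround: the crypto ACL matches the mapped address."""
    return vpn_selector_result([], [ObjectNat(REAL_HOST, MAPPED_HOST)],
                               [(MAPPED_HOST, VPN_PEER_HOST)])


def scenario_identity_nat():
    """Julio's fix: identity twice NAT towards the VPN peer only. Returns the
    peer-bound result and the translated source of internet-bound traffic."""
    twice = [TwiceNat(REAL_HOST, REAL_HOST, dst=VPN_PEER_HOST)]
    obj = [ObjectNat(REAL_HOST, MAPPED_HOST)]
    acl = [(REAL_HOST, VPN_PEER_HOST)]
    to_peer = vpn_selector_result(twice, obj, acl)
    to_internet = translate_source(REAL_HOST, INTERNET_HOST, twice, obj)
    return to_peer, to_internet


def scenario_manual_nat_no_destination():
    """Follow-up attempt: twice NAT with no destination clause translates
    towards every destination, so only an ACL on the mapped address selects it."""
    twice = [TwiceNat(REAL_HOST, MAPPED_HOST)]
    with_real = vpn_selector_result(twice, [], [(REAL_HOST, VPN_PEER_HOST)])
    with_mapped = vpn_selector_result(twice, [], [(MAPPED_HOST, VPN_PEER_HOST)])
    return with_real, with_mapped


if __name__ == "__main__":
    print("original            :", scenario_original())
    print("line-2 workaround   :", scenario_workaround())
    print("identity NAT (fix)  :", scenario_identity_nat())
    print("manual NAT, no dest :", scenario_manual_nat_no_destination())
```

The last scenario is the one that matters for keeping the public IP inside the tunnel: with a manual NAT that has no destination clause the peer-bound packet still leaves with 60.60.60.33 as its source, so a crypto ACL written against PRIVATE-IP never matches, exactly as the line-1 entry in the original post never got a hit. Under this model the tunnel with the translated address can only be selected by an ACL that names the mapped address, which is what the line-2 workaround does.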
