ASA 5510 NAT with IOS 9.1

Richard Tapley (Level 1)

Hi All,

Hoping someone can clear this up for me.

I am trying to set up an ASA 5510 with IOS 9.1 and am having NAT issues.

The ASA is connected inside the LAN to separate a second LAN.

Internal (10.0.0.0/24) --> DG RTR (10.0.0.254) FE0/0 --> FE0/1 (61.0.0.1/24) --> ASA outside (61.0.0.2/24) --> ASA inside (192.168.1.0/24)

I keep getting "Asymmetric NAT rules matched for forward and reverse path flows" when going from Internal to the ASA inside LAN.

I fear it is my lack of understanding: when you have a router you can go between different LANs/subnets, but with the ASA does it always NAT whatever happens?

If I statically NAT a device on the ASA inside LAN I can get to the device via the 61.0.0.0 address, and if I add what I believe to be an exemption rule to keep the translated packet the same, it works as long as I specify something like Internal LAN to a specific ASA inside device, but not if I do Internal LAN to ASA inside LAN.

Hope that makes sense and someone can give me a clue to where I am going wrong with the setup / understanding.

If there are any good docs that might explain it, it would be appreciated, as everything I have read so far has not given me any clarity.

Many thanks

5 Replies

Jouni Forss (VIP Alumni)

Hi,

Just to clarify, are we talking about a situation where the ASA is simply connected to an internal network (even though it might use public IP addresses)? Also, do you want to perform any NAT on this ASA, or is there some separate firewall sitting at the edge of your network handling the external connectivity?

If the above things are true then you could simply leave your ASA NAT configuration totally blank and the ASA would not do any NAT to the traffic. This naturally would require that you make sure that routing for subnet 192.168.1.0/24 is handled on all the routers/devices on the network, as this subnet would be directly visible with its original addresses (since we would leave the ASA NAT configuration blank). I manage a couple of environments where the customer has an internal ASA separating a certain section of the LAN network and they don't have any NAT configurations.

The problems you mention in the post are probably due to Dynamic PAT configuration, which means that your LAN can access the other parts of the Internal network but no connection is possible from the Internal network to this separate LAN behind the ASA. The reason there is that the connection from Internal LAN to the separate LAN won't match any NAT configuration, but the return traffic (reverse check that the ASA does) will match the Dynamic PAT, and that is why the traffic is dropped.

Static NAT done to the hosts behind the ASA will naturally help since there won't be any problems with the translation in that case in either direction.

You could take a look at a NAT Document I wrote way back in 2013. Though it won't really answer your specific questions here, perhaps it might be of help at some point:

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Hope this helps :)

- Jouni

Hi Jouni,

Thanks for the reply.

Possibly a strange setup, but the DG router for the main LAN has another interface in a different network, the 61.0.0.0/24, and the ASA is in this network for the outside; then the other side of the ASA is the other network, the inside, which is 192.168.1.0/24.

The traffic I am struggling with is the main network (10.0.0.0/24) to the ASA inside LAN (192.168.1.0/24). No NAT is required as it is just access, but the firewall is there to restrict the access to only certain permitted devices.

Oh the joy of picking things up from where others left off!

I am at a different site at the moment but will take a look later or tomorrow and remove the NAT entries altogether, and also take a look at your document.

For months now I have struggled with NAT and for some reason I just cannot get my head around it!

Thanks again

Hi,

I removed all of the NAT entries and it started working as required, but... I then had no internet access from those PCs on the ASA inside (192.168.1.0/24) side of the network.

I am slightly confused as to why, as there is a route that should route the traffic back, and looking at the ASA connecting the 192.168.1.0 LAN and the ASA that connects to the internet there are no rules that are getting denied. Is there something else that I might be missing that is causing the problem?

Jouni Forss (Accepted Solution)

Hi,

Sounds a bit like the Internet edge firewall might be missing a Dynamic PAT rule for the subnet 192.168.1.0/24? Can you confirm that the translation rules apply to this subnet?

If you are not seeing anything blocked, it's still possible that the NAT is missing on the Internet edge firewall.

If I could not touch the edge firewall, then a way to go around this problem would be to configure NAT0 from subnet 192.168.1.0/24 to ALL the other internal subnets and then configure a Dynamic PAT.

The NAT0 would make sure that traffic between internal networks (even though separated by a firewall) would work, as that traffic would go through without NAT being applied. On the other hand, traffic destined to any networks other than the internal networks would get matched to the Dynamic PAT. This Dynamic PAT address would then probably have all the required rules on the Internet edge firewall so that people could still access the Internet.

I would suggest checking the Internet edge configurations instead of the above though.

- Jouni

Hi Jouni,

Huge thank you for your explanations and time.

It is now all working, I am very happy to say.

It turns out that having no NAT entries is correct, and the edge firewall is configured to allow any IP on the inside to be NAT'd.

The issue was that I had put in the incorrect next hop IP on the edge firewall to get to the 192.168.1.0 network. Silly mistake.

But thanks for the details, as they will hopefully help me moving forward and learning more about NAT!

Thanks again.
