11-14-2010 01:55 AM - edited 03-11-2019 12:09 PM
Hi @ all,
First of all I have to say I was disappointed in Cisco changing the whole NAT configuration style radically. It took me ages to convert the old statements from my previous working configuration. Anyway. (Maybe it's just my incompetence.)
Info:
I have a Cisco ASA 5510 running 8.3(2) which should replace an existing firewall. I did the initial configuration with a pre-8.3 version without the following issue.
Interface Ethernet 0/0 is connected to an ADSL modem of the provider, who provides the static IP address over PPPoE.
Interface Ethernet 0/1 is connected with a static IP to a backup ADSL router for backup internet access of our internal network.
Interfaces Ethernet 0/2 and 0/3 are connected to the internal switches, implemented in a redundant interface configuration.
For internet access backup I use the SLA monitor to track the outside gateway of the ISP; if this fails 3 times the routes are changed to Ethernet 0/1.
PPPoE configuration
vpdn group VTX_ADSL2+ request dialout pppoe
vpdn group VTX_ADSL2+ ppp authentication chap
vpdn group VTX_ADSL2+ localname XXXXXXX
vpdn username XXXXXX password XXXXXX
Interface Ethernet 0/0
ip address pppoe setroute (also tried ip address XXX.XXX.XXX.XXX 255.255.255.255 pppoe setroute)
pppoe client vpdn group VTX_ADSL2+
SLA configuration:
sla monitor 100
type echo protocol ipIcmpEcho XXX.XXX.XX.52 interface outside
num-packets 3
frequency 10
exit
sla monitor schedule 100 life forever start-time now
track 1 rtr 100 reachability
Route configuration:
route outside 0.0.0.0 0.0.0.0 XX.XXX.XXX.52 1 track 1
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.51 1 track 1
route outside_backup 0.0.0.0 0.0.0.0 10.10.5.1 254
NAT configuration:
nat (outside,inside_192.168.1.0_24) 1 source static obj_outside_host_smtp_xxx.xxxxx.xx obj_outside_host_smtp_xxx.xxxxx.xx destination static interface obj_inside_server_kolab2 service obj_service_smtp obj_service_smtp unidirectional
nat (outside,inside_192.168.1.0_24) 2 source static obj_outside_host_smtp_yyyy.xxxxx.xx obj_outside_host_smtp_yyyy.xxxxx.xx destination static interface obj_inside_server_kolab2 service obj_service_smtp obj_service_smtp unidirectional
nat (outside,inside_192.168.3.0_24) 3 source static any any destination static interface obj_inside_steuerung_camera_mobotix service obj_service_avira_smc_nat obj_service_http unidirectional
nat (outside,inside_192.168.1.0_24) 4 source static any any destination static interface obj_inside_steuerung_netlinx service obj_service_netlinx_studio obj_service_netlinx_studio unidirectional
nat (outside,inside_192.168.1.0_24) 5 source static any any destination static interface obj_inside_server_kolab2 service obj_service_https obj_service_https unidirectional
nat (outside,inside_192.168.1.0_24) 6 source static any any destination static interface obj_inside_server_kolab2 service obj_service_pop3_ssl obj_service_pop3_ssl unidirectional
nat (inside_192.168.1.0_24,outside) 7 source static obj_inside_network_192.168.1.0_24 obj_inside_network_192.168.1.0_24 destination static grp_outside_vpn_networks grp_outside_vpn_networks
nat (any,outside) 8 source dynamic any interface
nat (any,outside_backup) 9 source dynamic any interface
The target of the NAT is the following:
Rule 1: Incoming traffic to outside from source obj_outside_host_smtp_xxx.xxxxx.xx with SMTP should be forwarded to the internal mail server
Rule 2: Same as Rule 1, just from the other source host
Rule 3: Incoming traffic to outside from any source address on port 7000 should be forwarded to the internal camera for HTTP access
Rule 4: Incoming traffic to outside from any source address on port 1319 should be forwarded to the internal NetLinx controller on 1319
Rule 5: Incoming traffic to outside from any source address on port 443 should be forwarded to the internal mail server on 443
Rule 6: Incoming traffic to outside from any source address on port 995 should be forwarded to the internal mail server on 995
Rule 7: Incoming traffic to the inside interface from the internal server network for the destination of the VPN network pools should remain original
Rule 8: NAT rule for internet access
Rule 9: NAT rule for internet access on the backup line
Problem:
All NAT config is well tested with packet-tracer and working fine. The problem is when Ethernet 0/0 goes down or loses connection to the provider, and the routes are changed to backup. The NAT is killing itself anyhow.
If I shut down the Ethernet 0/0 interface I have to wait about 5-10 minutes and get the following from the console:
(x.x.x.x) is the outside static IP address
WARNING: mapped-address XXX.XXX.XXX.XXX/25-0 ovelap with existing static NAT.
ERROR: NAT Policy is not downloaded
ERROR: NAT Policy is not downloaded
ERROR: NAT Policy is not downloaded
ERROR: NAT Policy is not downloaded
ERROR: NAT Policy is not downloaded
After that rules 1 - 5 disappear from the configuration.
I have to delete the whole NAT and reconfigure it to make it work again.
The same thing happens if I reboot the ASA.
I spent ages figuring out the problem but I could not fix it.
I hope you guys can help me. Rollout of the ASA should be next weekend, so I am a little bit busy.
EDIT: I also tried to shut down PPPoE in the lab. If the interface does not use PPPoE it just works fine. The ASA seems to have a problem with PPPoE not being ready and kills the NAT entries which include the interface statement for the outside interface.
11-14-2010 04:01 AM
debug nat shows:
nat: next policy seems to be wrong in installing divert elements
nat: next policy seems to be wrong in installing divert elements
nat: next policy seems to be wrong in installing divert elements
nat: next policy seems to be wrong in installing divert elements
nat: next policy seems to be wrong in installing divert elements
11-18-2010 08:18 AM
Also, here is the config guide for that:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ip.html#wp1090243
Regards,
prapanch
02-23-2015 08:28 AM
Hi Andreas,
I know this topic is 4 years old, but I am still facing this issue.
Every time my ASA is reconnecting to the provider with PPPoE, I lose all NAT config that has the outside interface as a destination IP.
Was there ever a solution for you?
I tried to trick the ASA with a rule made the opposite way around, and use "both directions", but then it does not reserve the port for forwarding :/
So NAT rule 3 is not working, but it looks right in ASDM...
NAT rule 4 is working but disappears every night.
nat (inside,outside2) source static sn_VIT_Internal_Network sn_VIT_Internal_Network destination static sn_VIT_Schottweg_Network sn_VIT_Schottweg_Network route-lookup
nat (inside,outside2) source static sn_VIT_Internal_Network sn_VIT_Internal_Network destination static NETWORK_OBJ_192.168.92.108_30 NETWORK_OBJ_192.168.92.108_30 no-proxy-arp route-lookup
nat (inside,outside2) source static ip_VIT_OpenVPN interface service 1194_udp 1194_udp
nat (outside2,inside) source static any any destination static interface ip_VIT_OpenVPN service 1194_udp 1194_udp unidirectional
!
nat (inside,outside2) after-auto source dynamic any interface
VIT-FW01# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside2) source static sn_VIT_Internal_Network sn_VIT_Internal_Network destination static sn_VIT_Schottweg_Network sn_VIT_Schottweg_Network route-lookup
translate_hits = 10318, untranslate_hits = 10339
2 (inside) to (outside2) source static sn_VIT_Internal_Network sn_VIT_Internal_Network destination static NETWORK_OBJ_192.168.92.108_30 NETWORK_OBJ_192.168.92.108_30 no-proxy-arp route-lookup
translate_hits = 866, untranslate_hits = 999
3 (inside) to (outside2) source static ip_VIT_OpenVPN interface service 1194_udp 1194_udp
translate_hits = 0, untranslate_hits = 0
4 (outside2) to (inside) source static any any destination static interface ip_VIT_OpenVPN service 1194_udp 1194_udp unidirectional
translate_hits = 1, untranslate_hits = 12
Manual NAT Policies (Section 3)
1 (inside) to (outside2) source dynamic any interface
translate_hits = 30729, untranslate_hits = 374
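A drift check for the situation described in this post and in the opening post, as an added example that is not code from the thread: it parses "show nat" output in the format shown above, flags the rules whose mapped address is the "interface" keyword (the ones that need the PPPoE-assigned address to exist), and lists configured rules that are missing from the running NAT table. The sample output and hit counters are constructed; the object names are the ones posted.

```python
import re
# Constructed sample in the shape of the "sh nat" output posted above; the (outside2,inside)
# rule mapped to "interface" is deliberately absent, as reported after a PPPoE reconnect.
SAMPLE_SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside2) source static sn_VIT_Internal_Network sn_VIT_Internal_Network destination static sn_VIT_Schottweg_Network sn_VIT_Schottweg_Network route-lookup
    translate_hits = 10318, untranslate_hits = 10339
2 (inside) to (outside2) source static ip_VIT_OpenVPN interface service 1194_udp 1194_udp
    translate_hits = 0, untranslate_hits = 0
Manual NAT Policies (Section 3)
1 (inside) to (outside2) source dynamic any interface
    translate_hits = 30729, untranslate_hits = 374
"""
# The intended rule set: the nat lines from the running-config posted above.
CONFIG_NAT_LINES = [
    "nat (inside,outside2) source static sn_VIT_Internal_Network sn_VIT_Internal_Network destination static sn_VIT_Schottweg_Network sn_VIT_Schottweg_Network route-lookup",
    "nat (inside,outside2) source static ip_VIT_OpenVPN interface service 1194_udp 1194_udp",
    "nat (outside2,inside) source static any any destination static interface ip_VIT_OpenVPN service 1194_udp 1194_udp unidirectional",
    "nat (inside,outside2) after-auto source dynamic any interface",
]
RULE_RE = re.compile(r"^\s*\d+\s+\((\S+)\) to \((\S+)\)\s+(.*)$")        # 'show nat' rule line
CONFIG_RE = re.compile(r"^nat \((\S+),(\S+)\)\s+(?:after-auto\s+)?(.*)$")  # running-config line

def parse_show_nat(text):
    """(src_if, dst_if, body) for every manual NAT rule line in 'show nat' output."""
    return [(m.group(1), m.group(2), m.group(3).strip())
            for m in map(RULE_RE.match, text.splitlines()) if m]

def config_key(line):
    """Same (src_if, dst_if, body) key for a running-config nat line; 'after-auto' is dropped."""
    m = CONFIG_RE.match(line)
    return m.group(1), m.group(2), m.group(3).strip()

def mapped_addresses(body):
    """Mapped objects of a twice-NAT body: 'source static|dynamic REAL MAPPED', 'destination static MAPPED REAL'."""
    t, out, i = body.split(), [], 0
    while i < len(t):
        if t[i] in ("source", "destination") and i + 3 < len(t):
            out.append(t[i + 3] if t[i] == "source" else t[i + 2])
            i += 4
        else:
            i += 1
    return out

def interface_dependent(config_lines):
    """Rules whose mapped address is the 'interface' keyword: these need the PPPoE address to exist."""
    return [l for l in config_lines if "interface" in mapped_addresses(config_key(l)[2])]

def missing_rules(config_lines, show_nat_text):
    """Config rules absent from 'show nat' output: a drift check to run after a reconnect."""
    present = set(parse_show_nat(show_nat_text))
    return [l for l in config_lines if config_key(l) not in present]
```

Feeding it the real "show nat" output after a reconnect tells you immediately which of the interface-dependent rules are gone, instead of noticing when a forwarded service stops answering.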
02-25-2015 09:49 AM
Hi Btewes001,
unfortunately we did not find a solution. Sorry. We discussed with our ISP to give us another contract with PPPoE-less authentication so we could make the IP address assignment fixed. Therefore it's not a solution but more a workaround.
Seems like this issue is still not addressed with the new ASA software? I no longer work with ASA so I am pretty much no longer in need of this, but I hope it may get fixed some day to help other people.
Cheers Andreas
02-26-2015 02:01 AM
Hi,
Too bad :/
My problem is that I can not open a TAC case because I don't have a contract with Cisco :/
With kind regards,
Bernd
11-18-2010 08:16 AM
Hi Andreas,
I am not sure if you are still facing this issue. Now with your primary link using PPPoE and since you are using the setroute option on it, the configuration for SLA monitoring is slightly different. With the "setroute" keyword added, you can remove the below 2 commands:
route outside 0.0.0.0 0.0.0.0 XX.XXX.XXX.52 1 track 1
route outside 0.0.0.0 0.0.0.0 XX.XXX.XXX.51 1 track 1
and add the command "pppoe client route track 1" in the eth0/0 configuration mode.
Let me know if this helps.
Regards,
Prapanch
11-18-2010 11:39 PM
Hi Prapanch,
Thanks for your reply. There is no problem with the SLA. I also tried it your way before with no change of the problem. The route backup works fine.
I already contacted Cisco TAC. It seems there is a minor problem with this.
I'll keep you guys up to date if they get the reason and the fix for it.
Regards,
Andreas
11-19-2010 09:47 AM
Thank you for keeping the CSC community up to date, Lukas. That is the spirit behind it: members collaborating and helping each other in order to reach the solutions they need.
Rgs,
PK