06-25-2011 03:45 AM - edited 03-11-2019 01:50 PM
Hi all!
I'm having some trouble with NAT: packets do not match the NAT rule (that I think they should) and the firewall is not choosing the right egress interface, so the crypto map never starts.
This is the relevant config:
interface Port-channel2.4
 description Public TESA ADSL internet connection
 vlan 7
 nameif PublicTESA
 security-level 5
 ip address PUBLIC_IP1 255.255.255.128
interface Port-channel2.1
 description BT internet connection, used For platforms (VPN)
 vlan 4
 nameif PublicBT
 security-level 5
 ip address PUBLIC_IP2 255.255.255.252
interface Port-channel1.1
 description Users VLAN
 vlan 100
 nameif Users
 security-level 70
 ip address 172.16.30.10 255.255.255.0
object network users-net
 subnet 172.16.30.0 255.255.255.0
 description users net
object network EXTERNAL_COMPANY_NAME-remote-net-1
 host 172.21.250.206
 description l2l tunnel remote net 1
object network EXTERNAL_COMPANY_NAME-remote-net-2
 subnet 172.21.248.0 255.255.255.0
 description l2l tunnel remote net 2
object-group network EXTERNAL_COMPANY_NAME-Local-networks-group
 description EXTERNAL_COMPANY_NAME L2L local networks
 network-object object users-net
object-group network EXTERNAL_COMPANY_NAME-remote-nets-group
 description EXTERNAL_COMPANY_NAME L2L remote networks
 network-object object EXTERNAL_COMPANY_NAME-remote-net-1
 network-object object EXTERNAL_COMPANY_NAME-remote-net-2
nat (any,PublicBT) source static EXTERNAL_COMPANY_NAME-Local-networks-group EXTERNAL_COMPANY_NAME-Local-networks-group destination static EXTERNAL_COMPANY_NAME-remote-nets-group EXTERNAL_COMPANY_NAME-remote-nets-group
nat (any,PublicTESA) source dynamic any interface description Nat to internet On PublicTESA interface
RESULT:
If I send a packet from the Users interface using 172.16.30.41 to 172.21.250.206, it's sent out PublicTESA doing NAT with PUBLIC_IP1.
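Manual NAT rules in section 1 are evaluated in configuration order and the first match wins. The model below is an added example (not the poster's code and not ASA code) that walks the 172.16.30.41 -> 172.21.250.206 packet through the two rules as posted, so the expected egress interface can be compared against what the firewall actually does (for instance against `packet-tracer` output). Object names are taken from the post; the rule representation is a simplification.

```python
import ipaddress
from dataclasses import dataclass
# Objects and groups as posted in the thread (names copied, constructed here as data).
OBJECTS = {
    "users-net": ["172.16.30.0/24"],
    "EXTERNAL_COMPANY_NAME-remote-net-1": ["172.21.250.206/32"],
    "EXTERNAL_COMPANY_NAME-remote-net-2": ["172.21.248.0/24"],
}
GROUPS = {
    "EXTERNAL_COMPANY_NAME-Local-networks-group": ["users-net"],
    "EXTERNAL_COMPANY_NAME-remote-nets-group": [
        "EXTERNAL_COMPANY_NAME-remote-net-1",
        "EXTERNAL_COMPANY_NAME-remote-net-2"],
}

def networks(name):
    """Expand an object or object-group name into ip_network objects; 'any' matches all."""
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if name in GROUPS:
        return [n for member in GROUPS[name] for n in networks(member)]
    return [ipaddress.ip_network(p) for p in OBJECTS[name]]

@dataclass
class NatRule:
    ingress: str        # real (ingress) interface, 'any' is a wildcard
    egress: str         # mapped (egress) interface chosen when the rule matches
    src: str            # real source object/group
    dst: str            # real destination object/group ('any' for the dynamic PAT rule)
    active: bool = True # rules marked 'inactive' are skipped

# Section 1 (manual) NAT rules in the order the original post configures them.
RULES = [
    NatRule("any", "PublicBT", "EXTERNAL_COMPANY_NAME-Local-networks-group",
            "EXTERNAL_COMPANY_NAME-remote-nets-group"),
    NatRule("any", "PublicTESA", "any", "any"),
]

def first_match(rules, in_if, src_ip, dst_ip):
    """Return the first active rule whose interface, source and destination all match."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if not r.active or r.ingress not in ("any", in_if):
            continue
        if any(s in n for n in networks(r.src)) and any(d in n for n in networks(r.dst)):
            return r
    return None
def expected_egress(in_if, src_ip, dst_ip, rules=RULES):
    r = first_match(rules, in_if, src_ip, dst_ip)
    return r.egress if r else None
```

In this model the L2L traffic matches the first (identity twice-NAT) rule and should leave via PublicBT, while ordinary internet traffic falls through to the PAT rule on PublicTESA.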
06-25-2011 08:13 PM
Please change the "any" to a specific interface:
nat (Users,PublicBT) source static EXTERNAL_COMPANY_NAME-Local-networks-group EXTERNAL_COMPANY_NAME-Local-networks-group destination static EXTERNAL_COMPANY_NAME-remote-nets-group EXTERNAL_COMPANY_NAME-remote-nets-group
Also, "clear xlate" after the changes.
Lastly, do you have routes for 172.21.250.206/32 and 172.21.248.0/24 pointing towards the PublicBT interface next hop?
06-26-2011 02:34 AM
Hi!
Thanks for answering.
1) Yes, I had those routes.
2) I can't add the Users interface, because our local nets are on different interfaces.
3) For testing I did what you said, and it didn't work.
4) I managed to fix it, but I'd say it's a kind of bug, NAT matching is awful. This is what makes it work:
nat (PublicBT,any) source static EXT_CORP-remote-nets-group EXT_CORP-remote-nets-group destination static EXT_CORP-Local-networks-group EXT_CORP-Local-networks-group inactive
This basically is ... start from the end?
Any kind of explanation that makes me trust this device? Kind of erratic behavior.
06-26-2011 04:25 AM
I would recommend that you open a TAC case so it can get properly investigated.
06-26-2011 04:38 AM
What is a TAC? and how do I open it?
FYI:
This FW is new. I tried to download firewall updates from the Cisco download center but it says I need a "service contract". I called Cisco Spain asking for it and they say it's under guarantee, so yes, but I have to call my distributor, and my distributor had no clue what I was talking about.
Is there any place I could enter the serial number and get FW updates (for a period of time) like with Juniper?
06-26-2011 05:03 AM
TAC is Technical Assistance Center. This is the Support Center, so you can open a TAC case, and an engineer will assist you with further investigation, and/or point you to the right bug/caveats/etc if it matches one, or further work with you until resolution.
To open a TAC case, you would need to purchase a service contract (it's called Smartnet). You would need to purchase this Smartnet contract from your distributor, they should definitely know what you are talking about.
Once you have purchased the Smartnet contract, then you can link your CCO ID (Cisco.com userID) to the contract, and you can download all software from cisco.com download center.
Your distributor should have all this information since they are selling Cisco.
Once you have the contract and CCO ID ready, then you can open TAC case via:
http://www.cisco.com/cisco/web/support/index.html
(in the middle right hand side, there is a section "Contact Support", you can open the case online, via phone or via email).
06-26-2011 05:21 AM
Hi!
LOL my HW point of sale (or distributor) does NOT have a clue what that is, and also I'm not getting any SW updates from Cisco despite it being in the guarantee period (we bought it 3 weeks ago). Cisco software download requires a service contract...
06-26-2011 04:52 PM
If they promised you that you can get SW updates from Cisco within the guarantee period, then they should be able to download the software and give it to you. They should also have access to download the software.