782 Views | 5 Helpful | 6 Replies

ASA to Nexus NAT not working

Epiccloud
Level 1

Wondering if anyone has run into something like this before.

We have an ASA cluster acting as our network firewall.
We are using the ASA to NAT public IPs 1:1 to two different internal servers.

Most of our servers are attached to a Pair of Cisco Nexus switches running virtual port channel.
Traffic is routed between the ASAs and the Nexus using a /30 subnet and static routes.

Network traffic works, the ASA is able to ping Server 1 and Server 2 and vice versa.
We are seeing the ACL get hits.

NAT rules applying to an interface directly on the ASA to Server 1 work fine.
But identical NAT rules (different IPs) applying to the routed interface to the Nexus and Server 2 don't work and we can't figure out why.

6 Replies

Pablo
Cisco Employee

Hi,

Is this an ASA cluster or a HA failover pair?

Can you ping from the ASA to Server 2?

Are you getting hits on the NAT entry?

Did you run a packet tracer on the ASA to see if the traffic is being allowed? If not, what was the drop code?

Can you post the sanitize configurations from the ASA and the Nexus?


Pablo

Is this an ASA cluster or a HA failover pair?   Yes

Can you ping from the ASA to Server 2?   Yes

Are you getting hits on the NAT entry?

3 (BackhaultoMGMTNetworks) to (outside) source static VeeamWANReplicationTarget VeeamReplicationExternalIP  description NAT rule for Veeam Replication
    translate_hits = 13, untranslate_hits = 89459

Did you run a packet tracer on the ASA to see if the traffic is being allowed? If not, what was the drop code?

Packet tracer shows the packet is allowed

Can you post the sanitize configurations from the ASA and the Nexus?

Yes, give me a bit

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.0

interface GigabitEthernet1/3
 nameif BackhaultoMGMTNetworks
 security-level 99
 ip address 10.254.0.34 255.255.255.248

object network VeeamWANReplicationTarget
 host 10.140.50.17

object network VeeamGateway01
 host 10.140.50.17

object service VeaamReplication
 service tcp destination eq 6180

object-group service VeeamReplicationServices
 service-object object VeaamReplication

nat (BackhaultoMGMTNetworks,outside) source static VeeamWANReplicationTarget VeeamReplicationExternalIP description NAT rule for Veeam Replication

access-group Outside in interface outside
access-list Outside extended permit object-group VeeamReplicationServices object-group VeeamReplicationSourceIPs object VeeamGateway01

route BackhaultoMGMTNetworks 10.140.0.0 255.255.0.0 10.254.0.33 1

Nexus

vlan 550
  name Backup_Network

vrf context Epiccloud_Mgmt
  ip route 0.0.0.0/0 10.254.0.2
  ip route 10.107.0.0/24 10.254.0.26
  ip route 172.16.4.0/24 10.254.0.34
  ip route 192.168.4.0/23 10.254.0.26

interface Vlan550
  description VLAN550-Backup_Network
  no shutdown
  mtu 9216
  vrf member Epiccloud_Mgmt
  no ip redirects
  ip address 10.140.50.2/24
  vrrp 150
    priority 20
    address 10.140.50.1
    no shutdown

interface Vlan998
  no shutdown
  vrf member Epiccloud_Mgmt
  ip address 10.254.0.35/29
  vrrp 253
    priority 20
    address 10.254.0.33
    no shutdown

interface Ethernet1/1
  description UCS-FI-01:1/1
  switchport mode trunk
  switchport trunk allowed vlan 500-505,510-511,520-521,530,540-542,545,550,1003-1004,1500-1506,1600
  spanning-tree port type edge trunk
  channel-group 11 mode active

Hi,

Is this an ASA cluster or a HA failover pair?   Yes ** this was an OR question** These are 2 different features.

Configuration looks fine and you also have hits on the NAT rule. Can you get a capture on the internal interface of the ASA and see if you get the return traffic from the server?

It would be a good idea to take an ELAM capture on the Nexus as well.


Pablo

HA failover pair of 5508's

I'll get the captures and see what I can see

Turns out the issue was a bad default gateway on the nexus. We were sending the default traffic to a different set of firewalls (once that we are in the process of decommissioning).

Once we updated the default route to point to the ASAs the problem went away.
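The resolution above is a textbook asymmetric-routing case: the ASA untranslates the inbound packet and forwards it to the Nexus, but the Nexus VRF's default route hands the server's reply to the old firewall pair, so the ASA holding the NAT and connection state never sees the return traffic. The following script is an added example (not part of the thread, and not Cisco code) that walks both legs of that flow with a longest-prefix match over the routes posted in this thread, before and after the default-route change; the external client address 203.0.113.10 is a constructed placeholder, since the thread masks its public IPs.

```python
"""
Added example, not from the thread: a longest-prefix-match walk of the
forward and return path for the Veeam flow discussed above, using the
routes posted for the ASA and the Nexus VRF. The external client address
203.0.113.10 is a constructed placeholder (the thread masks public IPs).
"""
import ipaddress

# ASA static route from the posted config:
# route BackhaultoMGMTNetworks 10.140.0.0 255.255.0.0 10.254.0.33 1
ASA_ROUTES = {"10.140.0.0/16": "10.254.0.33"}
ASA_INSIDE_ADDR = "10.254.0.34"     # Gi1/3, nameif BackhaultoMGMTNetworks

# Nexus "vrf context Epiccloud_Mgmt" static routes as posted, before the fix.
NEXUS_ROUTES_BEFORE = {
    "0.0.0.0/0": "10.254.0.2",       # old firewall pair being decommissioned
    "10.107.0.0/24": "10.254.0.26",
    "172.16.4.0/24": "10.254.0.34",
    "192.168.4.0/23": "10.254.0.26",
}
# After the fix described in the last post: default route repointed at the ASA.
NEXUS_ROUTES_AFTER = {**NEXUS_ROUTES_BEFORE, "0.0.0.0/0": ASA_INSIDE_ADDR}

SERVER_2 = "10.140.50.17"            # object network VeeamWANReplicationTarget


def lookup(routes, dst):
    """Longest-prefix match over a {prefix: next_hop} table, the way the
    Nexus (or the ASA) picks a route. Returns the next hop, or None when
    no entry covers dst."""
    addr = ipaddress.ip_address(dst)
    best_net, best_nh = None, None
    for prefix, nh in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return best_nh


def trace_flow(nexus_routes, client_ip, server_ip=SERVER_2):
    """Forward leg: the ASA untranslates the public IP to server_ip and
    routes it toward the Nexus. Return leg: the Nexus VRF routes the
    server's reply toward client_ip. The flow is symmetric only when the
    reply comes back to the ASA that holds the NAT/connection state; if it
    goes anywhere else the ASA never sees the SYN/ACK and the handshake
    never completes, even though packet-tracer and the ACL look fine."""
    forward_nh = lookup(ASA_ROUTES, server_ip)
    return_nh = lookup(nexus_routes, client_ip)
    return {
        "forward_next_hop": forward_nh,
        "return_next_hop": return_nh,
        "symmetric": return_nh == ASA_INSIDE_ADDR,
    }


if __name__ == "__main__":
    client = "203.0.113.10"   # constructed external client address
    for label, table in (("before fix", NEXUS_ROUTES_BEFORE),
                         ("after fix", NEXUS_ROUTES_AFTER)):
        print(label, trace_flow(table, client))
```

Run stand-alone it prints the before/after result: with the posted VRF the reply leaves via 10.254.0.2 (asymmetric), and once the default route points at 10.254.0.34 the reply returns to the ASA. The same check is what a capture on the ASA inside interface, as suggested in the accepted answer, would have shown empirically: inbound SYNs present, no SYN/ACK from the server.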
