Cisco ASA 8.3 - NAT with PAT, Static NAT, and VPN Exclusion

bunce.jake
Level 1

Hello,

We have a Cisco ASA 8.3 and we're trying to configure NAT with multiple types of NAT.

We have a static NAT to an inside host from 1.1.1.2.

Internet Interface is on 1.1.1.3.

Users get NAT (PAT) on 1.1.1.4

VPN Subnet "No NAT" exclusion is from our LAN to various other locations.

Here are the relevant extracts from our configuration:

object network Server
 host 172.19.0.80
 nat (inside,outside) static 1.1.1.2

object network Inside_LAN
 subnet 172.19.0.0 255.255.255.0
 nat (inside,outside) dynamic 1.1.1.4

nat (inside,outside) source static LOCAL-VPN-SUBNETS LOCAL-VPN-SUBNETS destination static REMOTE-VPN-LOCATIONS REMOTE-VPN-LOCATIONS

When the VPN exclusion ACL is applied to the configuration, PAT users have no connectivity to the Internet via TCP, though UDP and ICMP traffic still passes. The VPN is operational. With the VPN NAT configuration removed, the VPN fails as expected, but users have connectivity to the Internet.

Can anyone point me in the right direction?

Best regards,

Jacob

12 Replies

varrao
Level 10

Can you provide me the LOCAL-VPN-SUBNETS and REMOTE-VPN-LOCATIONS config, as well as the crypto map that you are using?

Thanks,

Varun

Thanks,
Varun Rao

Can you try this:

nat (inside,outside) after-auto source static LOCAL-VPN-SUBNETS LOCAL-VPN-SUBNETS  destination static REMOTE-VPN-LOCATIONS REMOTE-VPN-LOCATIONS

Varun

Thanks,
Varun Rao

Hi Varun,

We've tried the after-auto configuration statement which looks just like that. The VPN works fine with that NAT statement.

object-group network LOCAL-VPN-SUBNETS
 network-object object LONDON-INSIDE-NETWORK   !!-- This is the inside network 172.16.0.0/24

object-group network REMOTE-VPN-LOCATIONS
 group-object FR-DC                            !!-- Multiple remote subnets 192.168.101.0/24 & 192.168.102.0/24

Thanks

crypto map VPN 25 match address LONDON-FR-DC
crypto map VPN 25 set pfs group5
crypto map VPN 25 set peer X.X.X.X
crypto map VPN 25 set ikev1 transform-set ESP-AES-256-SHA
crypto map VPN 25 set reverse-route
crypto map VPN interface outside

Hi Jacob,

After using the after-auto statement you mentioned the VPN works fine, but what about the Internet, does that not work?

Could you try the packet-tracer?

packet-tracer input inside tcp 172.16.0.1 23456 4.2.2.2 80 detailed

Can you post the output for it?

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

The address I mentioned earlier was incorrect for the Inside LAN - IP masking etc ;-). The actual address is 10.0.0.0 255.255.252.0. The configuration matches this. With the after-auto statement we have no VPN traffic, but Internet connectivity is good.

BETC-LONDON-ASA# packet-tracer input inside tcp 10.0.1.114 23456 4.2.2.2 80 de$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xad7923c8, priority=0, domain=inspect-ip-options, deny=true
        hits=1194, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xae39d658, priority=70, domain=inspect-http, deny=false
        hits=107, user_data=0xae39c540, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Camden_LAN
 nat (inside,outside) dynamic 1.1.1.4
Additional Information:
Dynamic translate 10.0.1.114/23456 to 1.1.1.4/64881
Forward Flow based lookup yields rule:
in  id=0xad7d3ff8, priority=6, domain=nat, deny=false
        hits=959, user_data=0xad7d36e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=10.0.0.0, mask=255.255.252.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xad76e5f0, priority=0, domain=inspect-ip-options, deny=true
        hits=817, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1205, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

BETC-LONDON-ASA# sh nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Camden_LAN 1.1.1.4
    translate_hits = 976, untranslate_hits = 43

Manual NAT Policies (Section 3)
1 (inside) to (outside) source static LONDON-VPN-SUBNETS LONDON-VPN-SUBNETS   destination static REMOTE-VPN-LOCATIONS REMOTE-VPN-LOCATIONS
    translate_hits = 0, untranslate_hits = 18

Thanks

Can you try these nat statements in the same order:

object network Server
 host 172.19.0.80

object network Server_public
 host 1.1.1.2

object network Inside_LAN
 subnet 172.19.0.0 255.255.255.0

object network Inside_LAN_public
 host 1.1.1.4

nat (inside,outside) source static Server Server_public
nat (inside,outside) source dynamic Inside_LAN Inside_LAN_public
nat (inside,outside) source static LOCAL-VPN-SUBNETS LOCAL-VPN-SUBNETS destination static REMOTE-VPN-LOCATIONS REMOTE-VPN-LOCATIONS

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

I have the same results. I have Internet connectivity but no VPN traffic will pass with the PAT NAT statement. The VPN traffic seems to be hitting the dynamic NAT configuration. I removed the NAT configuration completely and then entered the statements in the order that you advised.

BETC-LONDON-ASA# sh nat

Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic Inside_LAN PAT_IP
    translate_hits = 194, untranslate_hits = 3

Manual NAT Policies (Section 3)
1 (inside) to (outside) source static LONDON-VPN-SUBNETS LONDON-VPN-SUBNETS   destination static REMOTE-VPN-LOCATIONS REMOTE-VPN-LOCATIONS
    translate_hits = 0, untranslate_hits = 15

Thanks

Can you take the same packet-tracer output, but this time for your VPN traffic, when the VPN is not working? I need to check why the firewall is failing the VPN connection.

packet-tracer input inside tcp 10.0.1.114 2345 192.168.101.1 80 detailed

Just want to check whether the traffic is getting encrypted or not.

Thanks,

Varun

Thanks,
Varun Rao

It's hitting the wrong NAT statement:

BETC-LONDON-ASA# packet-tracer input inside tcp 10.0.1.114 23456 192.168.101.1$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.101.0   255.255.255.0   outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xad7923c8, priority=0, domain=inspect-ip-options, deny=true
        hits=2713, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic Inside_LAN PAT_IP
Additional Information:
Dynamic translate 10.0.1.114/23456 to 1.1.1.4/39173
Forward Flow based lookup yields rule:
in  id=0xa95e6a78, priority=6, domain=nat, deny=false
        hits=60, user_data=0xad7f0d00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=10.0.0.0, mask=255.255.252.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 4
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xad6f20a0, priority=70, domain=encrypt, deny=false
        hits=463, user_data=0x0, cs_id=0xae240d58, reverse, flags=0x0, protocol=0
        src ip/id=192.0.0.0, mask=224.0.0.0, port=0
        dst ip/id=192.168.101.0, mask=255.255.255.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Thanks

This doesn't seem to be normal behavior. Can you post the running-config from the ASA? You can sanitize the IPs if you want. What version of ASA are you running?

Thanks,

Varun

Thanks,
Varun Rao

Hi,

I just remembered that on one of the cases we did this; I would suggest you do the same.

Delete the NAT statement for the VPN traffic and then add it again, by doing:

nat (inside,outside) 1 source static LOCAL-VPN-SUBNETS LOCAL-VPN-SUBNETS destination static REMOTE-VPN-LOCATIONS REMOTE-VPN-LOCATIONS

This would put the NAT statement on top of everything.

Let me know how it goes.

Varun

Thanks,
Varun Rao
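As an added illustration (not from the thread or from Cisco), here is a small Python model of the section-ordered, first-match NAT lookup the thread turns on: the identity (no-NAT) rule for VPN traffic only takes effect if it is evaluated before the dynamic PAT rule, which is what the `nat (inside,outside) 1 source static ...` form above achieves. The section/line representation and the rule names are my assumptions; the addresses come from the posts above.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the ASA 8.3+ NAT table (an assumption for illustration,
# not Cisco's implementation): rules live in Section 1 (manual twice NAT),
# Section 2 (auto/object NAT) or Section 3 (manual after-auto NAT), and the
# first rule whose real source and destination both match is applied.
def nat_rule(section, line, kind, src, dst="0.0.0.0/0", mapped=None):
    return {"section": section, "line": line, "kind": kind,
            "src": ip_network(src), "dst": ip_network(dst), "mapped": mapped}

def first_match(rules, src_ip, dst_ip):
    """Return the first NAT rule matching the flow, in section then line order."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    # Ordering within Section 2 (static before dynamic, longest prefix first)
    # is simplified to plain line order here.
    for rule in sorted(rules, key=lambda r: (r["section"], r["line"])):
        if src in rule["src"] and dst in rule["dst"]:
            return rule
    return None

# Objects from the thread: inside LAN 10.0.0.0/22 PATed to 1.1.1.4,
# remote VPN subnet 192.168.101.0/24 reachable over the site-to-site tunnel.
PAT_SECTION1 = nat_rule(1, 1, "dynamic PAT", "10.0.0.0/22", mapped="1.1.1.4")
VPN_AFTER_AUTO = nat_rule(3, 1, "identity (no-NAT)", "10.0.0.0/22", "192.168.101.0/24")
VPN_LINE1 = nat_rule(1, 1, "identity (no-NAT)", "10.0.0.0/22", "192.168.101.0/24")
PAT_LINE2 = nat_rule(1, 2, "dynamic PAT", "10.0.0.0/22", mapped="1.1.1.4")

def broken_order():
    # Identity rule placed after-auto: the Section 1 PAT matches VPN traffic first,
    # the packet leaves as 1.1.1.4 and no longer matches the crypto ACL (Phase 4 DROP).
    return first_match([PAT_SECTION1, VPN_AFTER_AUTO], "10.0.1.114", "192.168.101.1")["kind"]

def fixed_order():
    # "nat (inside,outside) 1 source static ..." inserts the identity rule at line 1
    # of Section 1, ahead of the PAT rule, so VPN traffic keeps its real address.
    return first_match([VPN_LINE1, PAT_LINE2], "10.0.1.114", "192.168.101.1")["kind"]

def internet_still_pats():
    # Non-VPN destinations fall through the identity rule and are still PATed.
    return first_match([VPN_LINE1, PAT_LINE2], "10.0.1.114", "4.2.2.2")["kind"]

if __name__ == "__main__":
    print("after-auto identity rule:", broken_order())
    print("identity rule at line 1: ", fixed_order())
    print("Internet flow, fixed order:", internet_still_pats())
```

Checking the real box is the same exercise the thread performs: compare `show nat` section and line order against the Phase NAT line of `packet-tracer` for a VPN-bound flow.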