09-20-2011 11:22 AM - edited 03-11-2019 02:27 PM
Hello,
We have a Cisco ASA 8.3 and we're trying to configure NAT with multiple types of NAT.
We have a static NAT to an inside host from 1.1.1.2.
Internet Interface is on 1.1.1.3.
Users get NAT (PAT) on 1.1.1.4
VPN Subnet "No NAT" exclusion is from our LAN to various other locations.
Here are the relevant extracts from our configuration:
object network Server
host 172.19.0.80
nat (inside,outside) static 1.1.1.2
object network Inside_LAN
subnet 172.19.0.0 255.255.255.0
nat (inside,outside) dynamic 1.1.1.4
nat (inside,outside) source static LOCAL-VPN-SUBNETS LOCAL-VPN-SUBNETS destination static REMOTE-VPN-LOCATIONS REMOTE-VPN-LOCATIONS
When the VPN exclusion ACL is applied to the configuration, PAT users have no connectivity to the Internet via TCP, though UDP and ICMP traffic still passes. The VPN is operational. With the VPN NAT configuration removed, as expected the VPN fails, but users have connectivity to the Internet.
Can anyone point me in the right direction?
Best regards,
Jacob
09-20-2011 11:31 AM
Can you provide me the LOCAL-VPN-SUBNETS and REMOTE-VPN-LOCATIONS config? As well as the crypto map that you are using.
Thanks,
Varun
09-20-2011 11:44 AM
Can you try this:
nat (inside,outside) after-auto source static LOCAL-VPN-SUBNETS LOCAL-VPN-SUBNETS destination static REMOTE-VPN-LOCATIONS REMOTE-VPN-LOCATIONS
Varun
09-20-2011 11:52 AM
Hi Varun,
We've tried the after-auto configuration statement which looks just like that. The VPN works fine with that NAT statement.
object-group network LOCAL-VPN-SUBNETS
network-object object LONDON-INSIDE-NETWORK !!-- This is the inside network 172.16.0.0/24
object-group network REMOTE-VPN-LOCATIONS
group-object FR-DC !!-- Multiple remote subnets 192.168.101.0/24 & 192.168.102.0/24
Thanks
09-20-2011 11:53 AM
crypto map VPN 25 match address LONDON-FR-DC
crypto map VPN 25 set pfs group5
crypto map VPN 25 set peer X.X.X.X
crypto map VPN 25 set ikev1 transform-set ESP-AES-256-SHA
crypto map VPN 25 set reverse-route
crypto map VPN interface outside
09-20-2011 11:57 AM
Hi Jacob,
after using the after-auto statement you mentioned, the VPN works fine, but what about the Internet, does that not work?
Could you try the packet-tracer?
packet-tracer input inside tcp 172.16.0.1 23456 4.2.2.2 80 detailed
Can you post the output for it?
Thanks,
Varun
09-20-2011 12:09 PM
Hi Varun,
The address I mentioned earlier was incorrect for the Inside LAN - IP masking etc ;-). The actual address is 10.0.0.0 255.255.252.0. The configuration matches this. With the after-auto statement we have no VPN traffic, but Internet connectivity is good.
BETC-LONDON-ASA# packet-tracer input inside tcp 10.0.1.114 23456 4.2.2.2 80 de$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad7923c8, priority=0, domain=inspect-ip-options, deny=true
hits=1194, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae39d658, priority=70, domain=inspect-http, deny=false
hits=107, user_data=0xae39c540, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Camden_LAN
nat (inside,outside) dynamic 1.1.1.4
Additional Information:
Dynamic translate 10.0.1.114/23456 to 1.1.1.4/64881
Forward Flow based lookup yields rule:
in id=0xad7d3ff8, priority=6, domain=nat, deny=false
hits=959, user_data=0xad7d36e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.0.0.0, mask=255.255.252.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xad76e5f0, priority=0, domain=inspect-ip-options, deny=true
hits=817, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1205, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_http
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
BETC-LONDON-ASA# sh nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Camden_LAN 1.1.1.4
translate_hits = 976, untranslate_hits = 43
Manual NAT Policies (Section 3)
1 (inside) to (outside) source static LONDON-VPN-SUBNETS LONDON-VPN-SUBNETS destination static REMOTE-VPN-LOCATIONS REMOTE-VPN-LOCATIONS
translate_hits = 0, untranslate_hits = 18
Thanks
09-20-2011 12:18 PM
Can you try these nat statements in the same order:
object network Server
host 172.19.0.80
object network Server_public
host 1.1.1.2
object network Inside_LAN
subnet 172.19.0.0 255.255.255.0
object network Inside_LAN_public
host 1.1.1.4
nat (inside,outside) source static Server Server_public
nat (inside,outside) source dynamic Inside_LAN Inside_LAN_public
nat (inside,outside) source static LOCAL-VPN-SUBNETS LOCAL-VPN-SUBNETS destination static REMOTE-VPN-LOCATIONS REMOTE-VPN-LOCATIONS
Thanks,
Varun
09-20-2011 12:31 PM
Hi Varun,
I have the same results. I have Internet connectivity but no VPN traffic will pass with the PAT NAT statement. The VPN traffic seems to be hitting the dynamic NAT configuration. I removed the NAT configuration completely and then entered the statements in the order that you advised.
BETC-LONDON-ASA# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic Inside_LAN PAT_IP
translate_hits = 194, untranslate_hits = 3
Manual NAT Policies (Section 3)
1 (inside) to (outside) source static LONDON-VPN-SUBNETS LONDON-VPN-SUBNETS destination static REMOTE-VPN-LOCATIONS REMOTE-VPN-LOCATIONS
translate_hits = 0, untranslate_hits = 15
Thanks
09-20-2011 12:44 PM
Can you take the same packet-tracer output, but this time for your VPN traffic, when the VPN is not working? I need to check why the firewall is failing the VPN connection.
packet-tracer input inside tcp 10.0.1.114 2345 192.168.101.1 80 detailed
Just want to check if the traffic is getting encrypted or not.
Thanks,
Varun
09-20-2011 12:51 PM
It's hitting the wrong NAT statement:
BETC-LONDON-ASA# packet-tracer input inside tcp 10.0.1.114 23456 192.168.101.1$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.101.0 255.255.255.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad7923c8, priority=0, domain=inspect-ip-options, deny=true
hits=2713, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic Inside_LAN PAT_IP
Additional Information:
Dynamic translate 10.0.1.114/23456 to 1.1.1.4/39173
Forward Flow based lookup yields rule:
in id=0xa95e6a78, priority=6, domain=nat, deny=false
hits=60, user_data=0xad7f0d00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.0.0.0, mask=255.255.252.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 4
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xad6f20a0, priority=70, domain=encrypt, deny=false
hits=463, user_data=0x0, cs_id=0xae240d58, reverse, flags=0x0, protocol=0
src ip/id=192.0.0.0, mask=224.0.0.0, port=0
dst ip/id=192.168.101.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=any, output_ifc=outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Thanks
09-20-2011 12:58 PM
This doesn't seem to be normal behavior. Can you post the running-config from the ASA? You can sanitize the IPs if you want. What version of ASA are you running?
Thanks,
Varun
09-20-2011 01:10 PM
Hi,
I just remembered that on one of the cases we did this, and I would suggest you do the same.
Delete the NAT statement for the VPN traffic and then add it again by doing:
nat (inside,outside) 1 source static LOCAL-VPN-SUBNETS LOCAL-VPN-SUBNETS destination static REMOTE-VPN-LOCATIONS REMOTE-VPN-LOCATIONS
This would put the NAT statement on top of everything.
Let me know how it goes?
Varun
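The ordering problem visible in the `show nat` output above is the key point of this thread: on ASA 8.3 and later, NAT is evaluated first-match in three sections, Manual NAT (Section 1) top-down, then Auto/object NAT (Section 2), then after-auto Manual NAT (Section 3). The `after-auto` keyword placed the VPN identity rule in Section 3, so the dynamic PAT in Section 2 matched the VPN-bound packet first, and the translated source (1.1.1.4) no longer matched the crypto ACL, which is why the VPN encrypt phase reported a drop. The following is an added example assembling the complete NAT ordering that Varun's last suggestion implies; it is not a config from the original thread, the thread does not show the final outcome, and it assumes the object-group names from the posts and the corrected 10.0.0.0/22 inside subnet:

```cisco
! Added example, not the poster's final config. Object/group names are the
! ones used in the thread; the LAN subnet is the corrected 10.0.0.0/22.

! 1) VPN identity ("no NAT") rule in Manual NAT Section 1, at line 1.
!    Section 1 is evaluated top-down before any object (Auto) NAT, so this
!    must precede the dynamic PAT or the PAT rule wins for VPN-bound traffic.
nat (inside,outside) 1 source static LOCAL-VPN-SUBNETS LOCAL-VPN-SUBNETS destination static REMOTE-VPN-LOCATIONS REMOTE-VPN-LOCATIONS

! 2) Auto NAT (Section 2): static for the published server, dynamic PAT for
!    the LAN. Within Section 2 static rules are evaluated before dynamic ones.
object network Server
 host 172.19.0.80
 nat (inside,outside) static 1.1.1.2

object network Inside_LAN
 subnet 10.0.0.0 255.255.252.0
 nat (inside,outside) dynamic 1.1.1.4

! 3) Verification: the identity rule must be listed under
!    "Manual NAT Policies (Section 1)" and its translate_hits must grow
!    when VPN traffic is sent; the packet-tracer for a remote VPN host
!    should cite the identity rule in its NAT phase and show
!    "Type: VPN / Subtype: encrypt / Result: ALLOW".
show nat
packet-tracer input inside tcp 10.0.1.114 23456 192.168.101.1 80 detailed
! Internet-bound traffic should still hit the dynamic PAT:
packet-tracer input inside tcp 10.0.1.114 23456 4.2.2.2 80 detailed
```

Two checks worth doing after applying this: run `show nat` and confirm the VPN rule no longer appears under Section 3 (a rule previously entered with `after-auto` keeps that placement until it is removed and re-added without the keyword), and confirm that the Internet-bound packet-tracer still reports "Dynamic translate ... to 1.1.1.4", since a too-broad identity rule at the top of Section 1 would otherwise bypass PAT for ordinary Internet traffic as well.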