Cisco ASA NAT Self Generated traffic to AAA not working

eingersoll
Level 1

I'm trying to NAT self-generated traffic from an ASA to an AAA server, but the NAT statement isn't catching the traffic.

Below is the basic config.

The ASA, when authenticating to the AAA server, is using the inside IP address of 10.1.1.50, but I want it to use the NAT'd address of 192.168.200.50.

The traffic is routed over a VTI tunnel, and I can't specify the VTI interface in the NAT statement, which is why I'm using any.

Can an ASA NAT self-generated traffic? Or is there a way to do this?

interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 192.168.111.3 255.255.255.0

interface GigabitEthernet0/1.152
 vlan 152
 nameif INSIDE
 security-level 100
 ip address 10.1.1.50 255.255.255.248

! VTI: the tunnel needs a source interface as well as a destination
interface Tunnel2
 nameif DEV-SERVERFARM
 ip address 169.254.253.2 255.255.255.252
 tunnel source interface OUTSIDE
 tunnel destination 192.168.111.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MGMT_PROFILE

object network ASANAT
 host 192.168.200.50
object network ASAPRIV
 host 10.1.1.50
! a network object holds one entry; multiple subnets need an object-group
object-group network SERVERFARM
 network-object 192.168.33.0 255.255.255.0
 network-object 192.168.34.0 255.255.255.0

! twice (manual) NAT: translate the ASA's inside address only toward the server farm
nat (any,any) source static ASAPRIV ASANAT destination static SERVERFARM SERVERFARM

route DEV-SERVERFARM 192.168.33.0 255.255.255.0 169.254.253.1
route DEV-SERVERFARM 192.168.34.0 255.255.255.0 169.254.253.1

aaa-server ACS-TACACS+ protocol tacacs+
aaa-server ACS-TACACS+ (INSIDE) host 192.168.33.33

@eingersoll wrote:

Can an ASA NAT self generated traffic?  or is there a way to do this?


@eingersoll No. "NAT applies to through traffic only. Traffic generated by the system is not subject to NAT". https://www.cisco.com/c/en/us/td/docs/security/asa/asa922/configuration/firewall/asa-922-firewall-config/nat-basics.html

Try adding management-access inside and check.

MHM

eingersoll
Level 1

management-access INSIDE is already in the config

eingersoll
Level 1

I can reach the AAA server from the ASA, but the AAA server is seeing the source ip of 10.1.1.50, not 192.168.200.50. 

When I do a sh nat det, I see:

(any) to (any) source static ASAPRIV ASANAT destination static SERVERFARM SERVERFARM

translate_hits = 0, untranslate_hits = 0

nat (INSIDE,any) source static ASAPRIV ASANAT destination static SERVERFARM SERVERFARM

Add INSIDE as the source interface in the NAT command.

MHM

I added it in, and when I ping the AAA server I get a reply, and show nat detail gives me:

4 (any) to (any) source static ASAPRIV ASANAT destination static SERVERFARM SERVERFARM

translate_hits = 0, untranslate_hits = 0

Source - Origin: 10.1.1.50/32, Translated: 192.168.200.50/32

Destination - Origin: 192.168.33.0/24, 192.168.34.0/24, Translated: 192.168.33.0/24, 192.168.34.0/24

5 (INSIDE) to (any) source static ASAPRIV ASANAT destination static SERVERFARM SERVERFARM

translate_hits = 0, untranslate_hits = 0

Source - Origin: 10.1.1.50/32, Translated: 192.168.200.50/32

Destination - Origin: 192.168.33.0/24, 192.168.34.0/24, Translated: 192.168.33.0/24, 192.168.34.0/24

eingersoll
Level 1

If I do a ping INSIDE 192.168.33.33, I don't get a reply, and I get an untranslate hit on the (any,any) NAT.

4 (any) to (any) source static ASAPRIV ASANAT destination static SERVERFARM SERVERFARM

translate_hits = 0, untranslate_hits = 5

Source - Origin: 10.1.1.50/32, Translated: 192.168.200.50/32

Destination - Origin: 192.168.33.0/24, 192.168.34.0/24, Translated: 192.168.33.0/24, 192.168.34.0/24

5 (INSIDE) to (any) source static ASAPRIV ASANAT destination static SERVERFARM SERVERFARM

translate_hits = 0, untranslate_hits = 0

Source - Origin: 10.1.1.50/32, Translated: 192.168.200.50/32

Destination - Origin: 192.168.33.0/24, 192.168.34.0/24, Translated: 192.168.33.0/24, 192.168.34.0/24

4 (any) to (any) source static ASAPRIV ASANAT destination static SERVERFARM SERVERFARM <<- remove this 

Second, are you sure there is a route for the server via the VTI and not via OUTSIDE?

Also:

show run nat <<- let me see all NAT on the ASA

MHM
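As an added example for this thread (not code from the original post), here is a small Python parser for the show nat detail output quoted above. It reads each rule line and its hit counters, lists rules whose translate_hits counter is still zero, and flags a later manual NAT rule that an earlier, broader one shadows: ASA walks Section 1 (manual NAT) top-down and the first match wins, so the (any,any) rule sitting above the (INSIDE,any) rule is why MHM says to remove it. The SAMPLE text is constructed to mirror the format shown in the thread; the Section 2 object NAT entry for DEVNETWORK-NAT and its hit count are assumed. Note that the script can only tell you a rule is idle; a zero counter on a rule that looks right is exactly the symptom of box-originated traffic bypassing NAT.

```python
"""Parse Cisco ASA `show nat detail` output and flag rules that never translate.

Added example for this thread, not code from the original post. SAMPLE below is
constructed to mirror the thread's output; the object NAT entry (DEVNETWORK-NAT)
and its hit count are assumed, not taken from the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rule header line, e.g.
#   4 (any) to (any) source static ASAPRIV ASANAT destination static SERVERFARM SERVERFARM
#   1 (INSIDE) to (OUTSIDE) source dynamic DEVNETWORK-NAT interface
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+\((?P<src_if>[^)]+)\)\s+to\s+\((?P<dst_if>[^)]+)\)\s+"
    r"source\s+(?P<src_type>static|dynamic)\s+(?P<src_real>\S+)\s+(?P<src_mapped>\S+)"
    r"(?:\s+destination\s+static\s+(?P<dst_real>\S+)\s+(?P<dst_mapped>\S+))?"
)
HITS_RE = re.compile(r"translate_hits\s*=\s*(\d+),\s*untranslate_hits\s*=\s*(\d+)")


@dataclass
class NatRule:
    num: int
    src_if: str
    dst_if: str
    src_type: str
    src_real: str
    src_mapped: str
    dst_real: Optional[str]
    dst_mapped: Optional[str]
    translate_hits: int = 0
    untranslate_hits: int = 0

    def objects(self) -> Tuple[Optional[str], ...]:
        return (self.src_real, self.src_mapped, self.dst_real, self.dst_mapped)


def parse_show_nat_detail(text: str) -> List[NatRule]:
    """Return rules in display order; a hit-counter line belongs to the rule line before it."""
    rules: List[NatRule] = []
    current: Optional[NatRule] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            current = NatRule(int(m["num"]), m["src_if"], m["dst_if"], m["src_type"],
                              m["src_real"], m["src_mapped"], m["dst_real"], m["dst_mapped"])
            rules.append(current)
            continue
        h = HITS_RE.search(line)
        if h and current is not None:
            current.translate_hits, current.untranslate_hits = int(h[1]), int(h[2])
    return rules


def _covers(broad: str, specific: str) -> bool:
    """An interface of 'any' matches every interface; otherwise names must be equal."""
    return broad == "any" or broad == specific


def find_shadowed(rules: List[NatRule]) -> List[Tuple[int, int]]:
    """(earlier, later) rule-number pairs where the earlier rule uses the same
    objects and an interface pair at least as broad. Manual NAT is evaluated
    top-down, first match wins, so the later rule can never be hit."""
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if (a.objects() == b.objects()
                    and _covers(a.src_if, b.src_if) and _covers(a.dst_if, b.dst_if)):
                found.append((a.num, b.num))
    return found


def find_idle(rules: List[NatRule]) -> List[int]:
    """Rule numbers whose forward (translate) counter is still zero."""
    return [r.num for r in rules if r.translate_hits == 0]


# Constructed sample in the thread's format; Section 2 entry and its count are assumed.
SAMPLE = """\
Manual NAT Policies (Section 1)
4 (any) to (any) source static ASAPRIV ASANAT destination static SERVERFARM SERVERFARM
    translate_hits = 0, untranslate_hits = 5
    Source - Origin: 10.1.1.50/32, Translated: 192.168.200.50/32
    Destination - Origin: 192.168.33.0/24, 192.168.34.0/24, Translated: 192.168.33.0/24, 192.168.34.0/24
5 (INSIDE) to (any) source static ASAPRIV ASANAT destination static SERVERFARM SERVERFARM
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.1.1.50/32, Translated: 192.168.200.50/32
    Destination - Origin: 192.168.33.0/24, 192.168.34.0/24, Translated: 192.168.33.0/24, 192.168.34.0/24

Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source dynamic DEVNETWORK-NAT interface
    translate_hits = 1324, untranslate_hits = 0
"""

if __name__ == "__main__":
    parsed = parse_show_nat_detail(SAMPLE)
    for r in parsed:
        print(f"rule {r.num} ({r.src_if},{r.dst_if}) "
              f"translate={r.translate_hits} untranslate={r.untranslate_hits}")
    print("idle rules:", find_idle(parsed))            # [4, 5]
    print("shadowed (earlier, later):", find_shadowed(parsed))  # [(4, 5)]
```

Feed it the raw text of show nat detail copied from the ASA; the untranslate_hits on rule 4 in the sample reproduces what the thread shows when the ASA pings the server from INSIDE: the reply matches the rule in reverse, but the outbound box-originated packet never did.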

Another solution, as a workaround, if the ASA supports loopback:

Try adding a loopback and using it to access the AAA server.

MHM

It's removed, and yes, there is a static route:

route DEV-SERVERFARM 192.168.33.0 255.255.255.0 169.254.253.1
route DEV-SERVERFARM 192.168.34.0 255.255.255.0 169.254.253.1

sh run nat

nat (INSIDE,any) source static ASAPRIV ASANAT destination static SERVERFARM SERVERFARM

object network DEVNETWORK-NAT

  nat (INSIDE,OUTSIDE) dynamic interface

Also, ASAs don't support loopback interfaces.

But it looks like, based on Rob's comment and the Cisco documentation, "NAT applies to through traffic only. Traffic generated by the system is not subject to NAT".

Hmm, I know this point, but we are looking for a workaround.

What is your ASA version?

MHM

9.16(4)62  

I've looked at other workarounds, like using a subinterface or an unused interface on the ASA and setting the IP to 192.168.200.50, then setting AAA to use that interface, but I was trying to avoid that if there was a way to NAT the inside interface IP to a different one.

interface GigabitEthernet0/3
 nameif DUMMY_INTERFACE
 security-level 100
 ip address 192.168.200.50 255.255.255.255

aaa-server ACS-TACACS+ (DUMMY_INTERFACE) host 192.168.33.33
