Egress Interface is not sending to the correct direction

Stevan44
Level 1

I believe that this is a NAT issue. The issue is from the inside: when I try to ping or access anything in my DMZ1 or RA subnet, it is sent to the outside interface. I have confirmed this by doing a tracert for 144.168.0.x and 124.140.0.x, two other foreign companies' networked devices.

I want to be able to send traffic to my DMZ1 and VPN subnet from my inside. The RA VPN client can ping my inside devices but can't see anything in the DMZ1 (because it's going to the outside as well). From the ASA CLI I can ping the RA VPN clients and anything on the DMZ. DMZ1 has access to Outside/internet.

How can I correct this issue? My guess is I need a NAT rule to determine the egress interface, or some way to use the ASA routing table. I'm not sure how it should look, so if you could provide the commands that would be helpful. Thank you.

object network DukeLAN
subnet 144.244.244.0 255.255.255.0
description Inside Network

object network DMZ1-Network
subnet 144.168.0.0 255.255.255.0
description DMZ1

object network Obj-Remote-IPSEC-VPN
subnet 124.140.1.0 255.255.255.0
description RA VPN subnet

Current NATs (some will be removed due to no hits):

nat (outside,outside) source dynamic DMZ1-Network interface description Allow VPN Access from the Outside
nat (any,any) source static DukeLAN DukeLAN destination static DukeLAN DukeLAN no-proxy-arp description Allow inside traffic to go anywhere
nat (inside,outside) source static DukeLAN DukeLAN destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup description For Inside VPN Split tunnel
nat (dmz1,outside) source static DMZ1-Network DMZ1-Network destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup description For DMZ VPN Split tunnel
nat (any,outside) source dynamic Obj-Remote-IPSEC-VPN interface description NAT Rule for VPN Clients
nat (dmz1,inside) source static any any destination static DukeLAN DukeLAN no-proxy-arp route-lookup description Allow access for DukeLAN to DMZ1
nat (dmz1,outside) source static any any destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup description Allow access for VPN to DMZ1
nat (inside,outside) source static any any destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup description Allow access for VPN to Inside?


8 Replies

Hi,

Your NAT rules are mixed up. Do this.

---- remove this.

no nat (any,any) source static DukeLAN DukeLAN destination static DukeLAN DukeLAN no-proxy-arp description Allow inside traffic to go anywhere

no nat (outside,outside) source dynamic DMZ1-Network interface description Allow VPN Access from the Outside

no nat (dmz1,outside) source static any any destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup description Allow access for VPN to DMZ1

no nat (inside,outside) source static any any destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN no-proxy-arp route-lookup description Allow access for VPN to Inside?

---- remove the options "no-proxy-arp route-lookup"

---- add dynamic nat rules for dmz and inside to access the internet.

***** please remember to rate useful posts

Hi Mohammed,

Thanks for taking a look.

Egress route is still going to the outside. I can't remove route-lookup from the 4th NAT rule; it breaks the ability to ping the inside network from the RA client. The first two NAT rules are the dynamic rules that you asked for.

Current NATs:

nat (inside,outside) source dynamic DukeLAN interface description Allow Inside Access to the Outside
nat (dmz1,outside) source dynamic DMZ1-Network interface description Allow DMZ1 Access to the Outside
nat (dmz1,outside) source static DMZ1-Network DMZ1-Network destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN description For DMZ VPN Split tunnel
nat (inside,outside) source static DukeLAN DukeLAN destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN route-lookup description For Inside VPN Split tunnel
nat (dmz1,inside) source static any any destination static DukeLAN DukeLAN description Allow access for DukeLAN to DMZ1


Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic DukeLAN interface description Allow Inside Access to the Outside
translate_hits = 7631, untranslate_hits = 681
Source - Origin: 144.244.244.0/24, Translated: 107.142.207.220/22
2 (dmz1) to (outside) source dynamic DMZ1-Network interface description Allow DMZ1 Access to the Outside
translate_hits = 10, untranslate_hits = 0
Source - Origin: 144.168.0.0/24, Translated: 107.142.207.220/22
3 (dmz1) to (outside) source static DMZ1-Network DMZ1-Network destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN description For DMZ VPN Split tunnel
translate_hits = 2, untranslate_hits = 2
Source - Origin: 144.168.0.0/24, Translated: 144.168.0.0/24
Destination - Origin: 124.140.1.0/24, Translated: 124.140.1.0/24
4 (inside) to (outside) source static DukeLAN DukeLAN destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN route-lookup description For Inside VPN Split tunnel
translate_hits = 28, untranslate_hits = 28
Source - Origin: 144.244.244.0/24, Translated: 144.244.244.0/24
Destination - Origin: 124.140.1.0/24, Translated: 124.140.1.0/24
5 (dmz1) to (inside) source static any any destination static DukeLAN DukeLAN description Allow access for DukeLAN to DMZ1
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0
Destination - Origin: 144.244.244.0/24, Translated: 144.244.244.0/24

Is it working now? If not, check your ACLs and the routing. Try to do a packet trace to see what's going on.

***** please remember to rate useful posts

No, it's not working. Egress route is still going to the outside.

I can't remove route-lookup from the 4th NAT rule; it breaks the ability to ping the inside network from the RA client. The first two NAT rules are the dynamic rules that you asked for.

Have you done what I mentioned about packet-trace, ACLs, routing?

Yes, that's how I'm able to see what's going on. These links explain the issue, but I have not been able to come up with the correct NAT command to fix it.

https://www.fir3net.com/Firewalls/Cisco/cisco-asa-traffic-sent-out-incorrect-interface-due-to-nat-rule.html

http://resources.intenseschool.com/cisco-asa-packet-flow-egress-interface-determination/

So far you have cleaned up the NATs, but the problem remains.

I have it working for the inside. Inside can now access DMZ1 assets by adding this line:

nat (Inside,DMZ1) after-auto source static DukeLAN DMZ1-Network destination static DMZ1-Network DMZ1-Network no-proxy-arp

Now I just have to fix RA VPN access to DMZ.

I couldn't seem to get RA VPN to talk to DMZ1 even after adding this NAT:

nat (Outside,DMZ1) after-auto source static Obj-Remote-IPSEC-VPN DMZ1-Network destination static DMZ1-Network DMZ1-Network no-proxy-arp

Traffic keeps going to the outside.

Then I remembered to turn off split tunnel for the RA VPN client. Now it's using the correct interface to access the DMZ1.
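A simplified model of the egress-interface selection the thread is fighting with, added here as an illustration; it is not ASA code and not from any post above. It parses nat lines in the same format as the thread and applies the behaviour the two linked articles describe: a matching static rule pins the egress to its mapped interface unless it carries route-lookup, while a dynamic PAT rule is only used when the routing table already points out its mapped interface. It covers only the forward direction of each rule and ignores NAT sections and object NAT, so it is a model of the mechanism, not a replacement for packet-tracer on the box. The object table, routing table, flow addresses and the any/any catch-all rule are constructed for the example; the six nat lines are the cleaned-up list above plus the (Inside,DMZ1) fix.

```python
"""Simplified model of how a Cisco ASA chooses the egress interface under manual
(twice) NAT.  Illustration only, not ASA code.  Modelled behaviour (assumption):
  * rules are tried top-down, first match wins, forward direction only;
  * a matching 'static' rule pins the egress to its mapped interface, unless it
    carries 'route-lookup', in which case the routing table decides;
  * a 'dynamic' rule is only used when the routing table already sends the
    packet out the rule's mapped interface, so it never diverts traffic.
"""
import ipaddress
import re

OBJECTS = {  # object network names from the thread, plus the 'any' keyword
    "DukeLAN": "144.244.244.0/24",
    "DMZ1-Network": "144.168.0.0/24",
    "Obj-Remote-IPSEC-VPN": "124.140.1.0/24",
    "any": "0.0.0.0/0",
}
ROUTES = [  # constructed routing table: connected subnets plus a default route
    ("144.244.244.0/24", "inside"),
    ("144.168.0.0/24", "dmz1"),
    ("0.0.0.0/0", "outside"),
]
CLEANED = [  # the cleaned-up list posted above plus the (Inside,DMZ1) fix
    "nat (inside,outside) source dynamic DukeLAN interface description Allow Inside Access to the Outside",
    "nat (dmz1,outside) source dynamic DMZ1-Network interface description Allow DMZ1 Access to the Outside",
    "nat (dmz1,outside) source static DMZ1-Network DMZ1-Network destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN description For DMZ VPN Split tunnel",
    "nat (inside,outside) source static DukeLAN DukeLAN destination static Obj-Remote-IPSEC-VPN Obj-Remote-IPSEC-VPN route-lookup description For Inside VPN Split tunnel",
    "nat (dmz1,inside) source static any any destination static DukeLAN DukeLAN description Allow access for DukeLAN to DMZ1",
    "nat (Inside,DMZ1) after-auto source static DukeLAN DMZ1-Network destination static DMZ1-Network DMZ1-Network no-proxy-arp",
]
# hypothetical catch-all of the kind the linked fir3net article warns about (constructed)
CATCH_ALL = "nat (inside,outside) source static any any destination static any any"

NAT_RE = re.compile(
    r"nat \((\w+),(\w+)\)(?: after-auto)? source (static|dynamic) (\S+) (\S+)"
    r"(?: destination static (\S+) (\S+))?(.*)$"
)


def parse_rule(line):
    """Pull the fields this model needs out of one 'nat (in,out) source ...' line."""
    m = NAT_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised nat line: " + line)
    ingress, egress, kind, real_src, mapped_src, real_dst, _mapped_dst, opts = m.groups()
    opts = opts.split(" description")[0].split()  # keywords precede the description
    return {
        "ingress": ingress.lower(), "egress": egress.lower(), "kind": kind,
        "src": real_src, "dst": real_dst or "any",
        "translated": mapped_src != real_src,   # 'interface' or a different object
        "route_lookup": "route-lookup" in opts,
    }


def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the egress interface."""
    ip = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES]
    return max((n for n in nets if ip in n[0]), key=lambda n: n[0].prefixlen)[1]


def _member(ip, obj):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(OBJECTS[obj])


def egress_for(rules, ingress, src, dst):
    """Return (egress_interface, index_of_matching_rule_or_None, source_translated)."""
    routed = route_lookup(dst)
    for i, r in enumerate(rules):
        if r["ingress"] not in (ingress, "any"):
            continue
        if not (_member(src, r["src"]) and _member(dst, r["dst"])):
            continue
        if r["kind"] == "dynamic":
            if r["egress"] in (routed, "any"):
                return routed, i, True
            continue  # routing points elsewhere: this dynamic rule is skipped
        if r["route_lookup"] or r["egress"] == "any":
            return routed, i, r["translated"]
        return r["egress"], i, r["translated"]  # static rule pins the egress


    return routed, None, False


def hijacking_rules(rules):
    """Indexes of static rules that can drag any destination out one interface:
    fixed egress, no route-lookup, destination 'any'."""
    return [i for i, r in enumerate(rules)
            if r["kind"] == "static" and r["dst"] == "any"
            and r["egress"] != "any" and not r["route_lookup"]]


if __name__ == "__main__":
    rules = [parse_rule(l) for l in CLEANED]
    for src, dst in [("144.244.244.10", "144.168.0.5"), ("144.244.244.10", "124.140.1.7")]:
        print("cleaned:", src, "->", dst, egress_for(rules, "inside", src, dst))
    print("with catch-all:", egress_for([parse_rule(CATCH_ALL)] + rules,
                                        "inside", "144.244.244.10", "144.168.0.5"))
```

Three things fall out of running it. The (Inside,DMZ1) static rule pins inside-to-DMZ1 traffic to dmz1, which is the fix the thread landed on. Putting the constructed any/any static rule on (inside,outside) above it drags that same flow out outside, and adding route-lookup to that rule hands the decision back to the routing table. And with the dynamic PAT listed first, traffic from inside to the RA VPN pool matches the PAT rule before the identity rule, so under the model the split-tunnel exemption should sit above the dynamic PAT in section 1. On a real ASA, confirm each of these with packet-tracer, as the replies suggest, rather than trusting the model.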
