cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
987
Views
5
Helpful
5
Replies

NAT and site to site tunnel issue

Richard Tapp
Level 1
Level 1

We currently have a working tunnel from one of our ASA's to AWS. As we can only have single subnets set in the tunnel due to AWS limitations, our NAT statements have quite wide ranging subnets to catch all the possible combinations.

We have one serer that is required to use the tunnel and now needs internet access.

This is where the issue comes, as soon as we add a specific static NAT for internet access, the AWS flow stops working.

So I am looking for a solution that allows for the tunnel to work and for the server to have just TCP/443 to the internet as well.

5 Replies 5

@Richard Tapp 

I assume that the rule you add is placed above the NAT exemption rule, so all traffic from that source is natted behind the ASAs interface IP address?

What NAT exemption rule do you have in place for AWS and what rule have you added that breaks the access to AWS.

Provide the output of "show nat detail".

 

If I have the Tom-DMZ NAT either before or after the 114 line, then the flow AWS to Tom-DMZ fails.

But if I have the Tom-DMZ NAT in the server on Tom-DMZ can get to the internet.

But only 1 ever works at a time

 

sh nat det | inc 10.0.0.0

114 (Inside) to (outside) source static NETWORK_OBJ_10.0.0.0_9 NETWORK_OBJ_10.0.0.0_9  destination static NETWORK_OBJ_10.x.x.0_21 NETWORK_OBJ_10.x.x.0_21 no-proxy-arp route-lookup

    Source - Origin: 10.0.0.0/9, Translated: 10.0.0.0/9

 

 

# sh nat det | inc Tom-DMZ

121 (Tom-DMZ) to (outside) source dynamic Tom interface

@Richard Tapp 

You've got a different source interface in those 2 nat rules.

What is the source IP address of the server and which interface is it actually connected to

Run packet-tracer from CLI, when each of the NAT rules are configured, upload the output for review.

you've got a different source interface in those 2 nat rules. The tunnel put the inside to outside one in. All interfaces start with 10.

 

What is the source IP address of the server and which interface is it actually connected to. This is on the Tom-DMZ 10.75.120.

 

 

 

 

Tom to AWS Tunnel

 

 

packet-tracer in Tom-DMZ tcp 10.75.120.xx https 10.150.xx.xx h$

 

Phase: 1

Type: ROUTE-LOOKUP

Subtype: Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

found next-hop x.x.x.x using egress ifc  outside

 

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group M-ENI-DMZ_access_in in interface Tom-DMZ

access-list M-ENI-DMZ_access_in extended permit object-group xxx-Standard-Internet-Outbound object xxxxxxx any

object-group service xxx-Standard-Internet-Outbound

 description: xxx Standard Internet Outbound Ports

 service-object tcp destination eq domain

 service-object tcp destination eq ftp

 service-object tcp destination eq ftp-data

 service-object tcp destination eq www

 service-object tcp destination eq https

 service-object udp destination eq domain

 service-object tcp destination eq ssh

Additional Information:

 

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (Tom-DMZ,outside) source dynamic Tom interface

Additional Information:

Dynamic translate 10.75.120.xx/443 to xx.xx.xx.xx/48

 

Phase: 4

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

 

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

 

Phase: 6

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

 

Phase: 7

Type: FLOW-EXPORT

Subtype:

Result: ALLOW

Config:

Additional Information:

 

Phase: 8

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (Tom-DMZ,outside) source dynamic Tom interface

Additional Information:

 

Phase: 9

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

 

Phase: 10

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

 

Phase: 11

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 247200484, packet dispatched to next module

 

Result:

input-interface: Tom-DMZ

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Tom to Internet

packet-tracer in Tom-DMZ tcp 10.75.120.xx https 8.8.8.8 https

 

Phase: 1

Type: ROUTE-LOOKUP

Subtype: Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

found next-hop xx.xx.xx.xx using egress ifc  outside

 

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group M-ENI-DMZ_access_in in interface Tom-DMZ

access-list M-ENI-DMZ_access_in extended permit object-group xxx-Standard-Internet-Outbound object xxxxxxx any

object-group service xxx-Standard-Internet-Outbound

 description: ISS Standard Internet Outbound Ports

 service-object tcp destination eq domain

 service-object tcp destination eq ftp

 service-object tcp destination eq ftp-data

 service-object tcp destination eq www

 service-object tcp destination eq https

 service-object udp destination eq domain

 service-object tcp destination eq ssh

Additional Information:

 

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

 

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

 

Phase: 5

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

 

Phase: 6

Type: FLOW-EXPORT

Subtype:

Result: ALLOW

Config:

Additional Information:

 

Phase: 7

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

 

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

 

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 247169104, packet dispatched to next module

 

Result:

input-interface: Tom-DMZ

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

 

 

Rob. I added two new NAT rules above the inside / outsite one that the Tunnel config had added.

Both Tom / Outside, first for the AWS traffic and the second for the Internet traffic.

All is good now, thanks for your input, it helped push me in the right direction

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: