09-06-2017 08:50 AM - edited 02-21-2020 06:16 AM
I have a site-to-site VPN tunnel setup. I appear to be getting one-way traffic, because I get decaps, but not encaps. After looking at the packet tracer I see that the Phase 3 NAT step is using the wrong nat statement. I believe that using the "nat (any,outside) after-auto source dynamic any interface" cmd will force the dynamic statement to be chosen last. I know there's an order of operation when it comes to NAT, but I assumed the most specific would always be chosen first. Could someone throw a clue my way if they think this cmd would do the trick?
nat (inside,outside) source static AAA AAA destination static 102 102 no-proxy-arp route-lookup
nat (inside,outside) source static 192.168.149.2 interface service OBJ-TCP-www OBJ-TCP-www
nat (inside,outside) source static 192.168.149.2 interface service OBJ-TCP-3389 OBJ-TCP-3389
nat (inside,outside) source static 192.168.149.2 interface service OBJ-TCP-smtp OBJ-TCP-smtp
nat (inside,outside) source static 192.168.149.2 interface service OBJ-TCP-imap4 OBJ-TCP-imap4
nat (any,outside) source dynamic any interface
packet-tracer input inside icmp 192.168.149.2 8 0 10.40.0.20
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.x using egress ifc outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,outside) source dynamic any interface
Additional Information:
Dynamic translate 192.168.149.2/0 to 100.100.100.100/42129
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (any,outside) source dynamic any interface
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 22188, packet dispatched to next module
Result:
output-interface: outside
output-status: up
output-line-status: up
Action: allow
09-06-2017 09:00 AM
Using the "after-auto" keyword will move the dynamic statement to section 3, so yes, it should mean that any more specific rules, as long as they are in section 1 or 2, will be used first.
As to why it is not choosing the more specific rule now, that is difficult to say with just the configuration you posted.
Jon
09-06-2017 10:20 AM
Hi gaskincharles,
Yes, the most specific rule would always be chosen first. Can you cross-check the objects/object-groups AAA and 102 to confirm that AAA contains the 192.168.149.x/x subnet and 102 contains the 10.40.0.x/x subnet?
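As an added example (not code from the thread or from Cisco): a small Python model of how the ASA picks a NAT line for the packet-tracer probe above, walking section 1, then 2, then 3, with first match winning inside each section in configuration order. The CIDRs placed inside objects AAA and 102 are constructed, since the thread does not show them, and the OBJ-TCP-* service rules are modelled as matching the host's own TCP port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class NatRule:
    text: str            # the nat line as it appears in the running config
    section: int         # 1 = manual NAT, 2 = auto (object) NAT, 3 = manual NAT after-auto
    order: int           # position within the configuration
    src_ifc: str         # real source interface, "any" matches every interface
    real_src: str        # CIDR the real source address must fall in
    real_dst: str        # CIDR the destination address must fall in
    service: tuple = None  # (proto, source port) for "service" rules; None = any service

def matches(rule, ifc, src, dst, proto, sport):
    return (rule.src_ifc in (ifc, "any")
            and ip_address(src) in ip_network(rule.real_src)
            and ip_address(dst) in ip_network(rule.real_dst)
            and (rule.service is None or rule.service == (proto, sport)))

def select_nat(rules, ifc, src, dst, proto="icmp", sport=None):
    """First match wins: section 1, then 2, then 3, each walked in configuration order."""
    for rule in sorted(rules, key=lambda r: (r.section, r.order)):
        if matches(rule, ifc, src, dst, proto, sport):
            return rule.text
    return "no NAT rule matched"

def build_rules(aaa, obj102, dynamic_after_auto):
    """Model of the posted config; aaa and obj102 are constructed CIDRs assumed inside objects AAA and 102."""
    exempt = NatRule("nat (inside,outside) source static AAA AAA destination static 102 102",
                     1, 1, "inside", aaa, obj102)
    www = NatRule("nat (inside,outside) source static 192.168.149.2 interface service OBJ-TCP-www",
                  1, 2, "inside", "192.168.149.2/32", "0.0.0.0/0", ("tcp", 80))
    # "after-auto" is the only change: the dynamic PAT line drops from section 1 to section 3
    dyn = NatRule("nat (any,outside) source dynamic any interface",
                  3 if dynamic_after_auto else 1, 6, "any", "0.0.0.0/0", "0.0.0.0/0")
    return [exempt, www, dyn]

def trace(aaa="192.168.149.0/24", obj102="10.40.0.0/24", after_auto=False):
    """NAT line the packet-tracer probe (icmp 192.168.149.2 -> 10.40.0.20) would hit."""
    return select_nat(build_rules(aaa, obj102, after_auto), "inside", "192.168.149.2", "10.40.0.20")

if __name__ == "__main__":
    # Objects covering both subnets: the exemption matches in section 1 even without after-auto.
    print(trace())
    # Constructed mismatch (102 does not cover 10.40.0.x): dynamic PAT wins, as in the posted trace.
    print(trace(obj102="10.40.1.0/24"))
    # after-auto only reorders sections; an exemption that does not match still falls through.
    print(trace(obj102="10.40.1.0/24", after_auto=True))
```

The third case is the one worth checking before changing the config: if the dynamic line is chosen even though the exemption sits earlier in section 1, the objects are the first thing to verify.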