2865 Views · 0 Helpful · 7 Replies

NAT exempt for VPN

salva (Level 1)

Hello all,


As a network engineer working on a project to deploy and configure a series of ASA 5506-X running 9.9(2) iOS, I have encountered the following important issue:

When I configure a NAT Exempt rule for traffic flowing from one zone to another of the ASA itself, traffic from zone to zone works as expected with no issues.

When I configure a NAT Exempt rule for traffic flowing from one zone of the ASA to a remote network that resides on the other end of an IPsec VPN tunnel, the ASA, for no obvious reason, unchecks the "NAT Exempt" checkbox option in ASDM and therefore deletes the NAT entry in the firewall configuration.

If I configure one NAT rule for each group object separately, the issue disappears.

You can easily understand that when the issue occurs the IPsec VPN tunnel goes down or does not work as expected (you can imagine what that means to a production network..)

Is this some kind of bug (in ASDM or iOS versions), does it have to do with the encrypted traffic, or is it some kind of security feature on Cisco devices?

Thanks everybody, looking forward to any feedback.

Salvatore Comi

7 Replies

Abheesh Kumar (VIP Alumni)

Hi,

Try to create a NAT rule like the one below and add all your local or remote subnets to the object-groups:

nat (inside,outside) source static Local-Subnet Local-Subnet destination static Remote-Subnet Remote-Subnet

Hope This Helps

Abheesh

Hi,

This is the way I configure NATs, but I get the same issue.

It is not a configuration problem, I suppose..

Thanks


What is the error you are getting while entering the above command for NAT..?

Hi,

I don't get any error when I configure NAT.

But the NAT entries disappear later on. The NAT exempt checkbox gets "unchecked" in ASDM and the NAT statement disappears..

Thanks

More precisely:

When I configure the NAT rule, all is OK at first.

Then a few hours later the client calls and says that the VPN does not work as expected.

When I check the configuration, the NAT rule is not there and I have to configure it again.

Seems like an iOS bug, but I am not sure..

I tried it on mine and it worked fine, but I mostly configure it via CLI. Why don't you do this:
- Log in to the ASA with ASDM
- Check "preview commands before sending" in Preferences and save
- Create a tunnel and hit Apply; at this point you will see all the commands.
- Copy and paste the commands into Notepad, remove that group policy thing (it's of no use)
- SSH into the ASA
- Paste all the commands
- write mem
- copy running-config startup-config

Let us know how it goes.

Hello Abhijeet,

I will try this to perform my tests, but if configuring directly through the CLI is the only way to make NAT function properly, should I suppose it is an ASDM bug?

Thanks

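The identity NAT rule Abheesh posted and the drift salva describes (the rule is present right after configuration and gone a few hours later, taking the tunnel with it) can both be checked mechanically from `show running-config`. The script below is an added example written for this thread; it is not code from Cisco or from any of the posters. It parses the crypto-map ACL and twice-NAT lines of a constructed ASA config (the object-group, ACL and crypto-map names, subnets and interface names are all assumptions) and reports every crypto ACL entry that has no matching identity NAT, which is exactly the state in which VPN-bound traffic falls through to the dynamic PAT rule, no longer matches the crypto ACL, and is sent out unencrypted or dropped. It also flags identity rules that lack `no-proxy-arp` and `route-lookup`, the two options usually wanted on a VPN exemption.

```python
"""Audit ASA running-config text for VPN traffic that lacks a NAT exemption.

Added example (not from this thread, Cisco, or any poster). It expects
`show running-config` output and checks that each crypto-map ACL entry of
the form
    access-list X extended permit ip object-group A object-group B
is covered by a twice-NAT identity rule of the form Abheesh posted:
    nat (inside,outside) source static A A destination static B B
Object, ACL, interface and crypto-map names below are assumptions.
"""
import re
import sys

# Constructed sample config (assumed names/subnets): the correct state.
GOOD_CONFIG = """\
object-group network LOCAL-NETS
 network-object 10.10.0.0 255.255.255.0
 network-object 10.10.1.0 255.255.255.0
object-group network REMOTE-NETS
 network-object 192.168.50.0 255.255.255.0
access-list VPN-TO-HQ extended permit ip object-group LOCAL-NETS object-group REMOTE-NETS
nat (inside,outside) source static LOCAL-NETS LOCAL-NETS destination static REMOTE-NETS REMOTE-NETS no-proxy-arp route-lookup
object network INSIDE-PAT
 subnet 10.10.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
crypto map OUTSIDE-MAP 10 match address VPN-TO-HQ
"""

# The same config after the exemption vanished (the symptom in the thread):
# only the dynamic PAT rule is left, so VPN traffic gets translated and no
# longer matches the crypto ACL.
DRIFTED_CONFIG = "\n".join(
    line for line in GOOD_CONFIG.splitlines()
    if not line.startswith("nat (inside,outside) source static")
) + "\n"

CRYPTO_MAP_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip "
                    r"object-group (\S+) object-group (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)(.*)$")


def parse_config(text):
    """Return (crypto ACL names, ACL entries per name, identity NAT rules)."""
    crypto_acls, acl_entries, identity_nats = set(), {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := CRYPTO_MAP_RE.match(line):
            crypto_acls.add(m.group(1))
        elif m := ACL_RE.match(line):
            acl_entries.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif (m := NAT_RE.match(line)) and m.group(3) == m.group(4) \
                and m.group(5) == m.group(6):
            # Mapped == real on both sides, i.e. an identity (exempt) rule.
            identity_nats.append({
                "ifaces": (m.group(1), m.group(2)),
                "src": m.group(3), "dst": m.group(5),
                "no_proxy_arp": "no-proxy-arp" in m.group(7),
                "route_lookup": "route-lookup" in m.group(7),
            })
    return crypto_acls, acl_entries, identity_nats


def find_missing_exemptions(text):
    """Crypto-ACL entries (acl, local, remote) with no identity NAT for them.

    Matching is by object-group name, so an exemption written with a
    different but equivalent object is reported too (deliberately strict).
    """
    crypto_acls, acl_entries, identity_nats = parse_config(text)
    covered = {(n["src"], n["dst"]) for n in identity_nats}
    return [(acl, local, remote)
            for acl in sorted(crypto_acls)
            for local, remote in acl_entries.get(acl, [])
            if (local, remote) not in covered]


def find_weak_exemptions(text):
    """Identity NAT rules missing route-lookup (egress interface taken from
    the NAT rule instead of the routing table) or no-proxy-arp."""
    return [n for n in parse_config(text)[2]
            if not (n["route_lookup"] and n["no_proxy_arp"])]


def report(text):
    """Print findings; True when every crypto ACL entry has an exemption."""
    missing = find_missing_exemptions(text)
    for acl, local, remote in missing:
        print(f"MISSING exemption: {acl} {local} -> {remote} has no identity NAT")
    for n in find_weak_exemptions(text):
        print(f"WARN: nat {n['ifaces']} {n['src']} -> {n['dst']} lacks "
              "no-proxy-arp/route-lookup")
    return not missing


if __name__ == "__main__":
    # Usage: python audit_nat_exempt.py saved-running-config.txt
    cfg = open(sys.argv[1]).read() if len(sys.argv) > 1 else DRIFTED_CONFIG
    sys.exit(0 if report(cfg) else 1)
```

Run it against a copy of `show running-config` saved after every ASDM session (or from a scheduled pull) and you hear about the missing rule before the client does. The on-box equivalent for a single flow is `packet-tracer input inside tcp 10.10.0.5 1234 192.168.50.10 443` (addresses assumed here): the trace should show an untranslated NAT phase followed by the VPN encrypt phase, and a translation to the outside interface address instead is the same failure this script reports.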