NAT problem on additional interface using ASDM

ITGuyChicago
Level 1

I'm having a problem routing (natting??) through a new interface.  I have Inside, Outside, and Outside2.  Outside is a DSL line, Outside2 is a dedicated 3MB line that I want to use just for VPN access to a hosting provider.  Inside and Outside interfaces work fine with default route.

When adding static routes for VPN access I get an error in the Packet Tracer that looks like it is hitting the NAT for the Outside interface.... I removed the static route for now, but can someone point me to what's wrong with the config? I'm using the ASDM application and I think the issue is with how I've tried to configure the NAT.

Here is the config...  When the static routes are in, the Packet Tracer shows the routing through the correct interface but fails on the NAT side.

interface Ethernet0/0
description DSL Line
nameif Outside
security-level 0
ip address dhcp
!
interface Ethernet0/1
description Inside Office Interface
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
description T1's
nameif Outside2
security-level 0
ip address X.X.X.X 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.0.10.1 255.255.255.0
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name X.net
object-group service CiscoVPN
service-object udp eq 10000
service-object udp eq 4500
service-object udp eq isakmp
object-group service Email
description E-mail and secure E-mail
service-object tcp eq 465
service-object tcp eq 993
service-object tcp eq 995
service-object tcp eq imap4
service-object tcp eq pop3
service-object tcp eq smtp
service-object tcp eq ssh
object-group service FTPandSFTP
description FTP Grouping and custom ports
service-object tcp eq 10021
service-object tcp eq 10022
service-object tcp eq 2022
service-object tcp eq 2121
service-object tcp eq 5620
service-object tcp eq 5630
service-object tcp eq 8021
service-object tcp eq 990
service-object tcp eq 9964
service-object tcp eq ftp
service-object tcp eq ftp-data
object-group service GMail
service-object tcp eq 465
service-object tcp eq 587
service-object tcp eq 995
object-group service InstantMessage
description Trillion and others
service-object tcp eq 1863
service-object tcp eq 4443
service-object tcp eq 811
service-object tcp eq aol
object-group service InstantMessageUDP udp
port-object eq 4443
port-object eq 5190
port-object eq 811
object-group icmp-type PingGroup
description Ping group for ping and tracert
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object timestamp-reply
icmp-object timestamp-request
icmp-object traceroute
icmp-object unreachable
object-group service VPN
service-object tcp eq 10000
object-group service WebServices tcp
port-object eq www
port-object eq https
port-object eq domain
object-group service DM_INLINE_SERVICE_1
group-object CiscoVPN
group-object VPN
access-list Inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list Outside_access_in extended permit tcp 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 object-group WebServices
access-list Outside_access_in extended permit icmp 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 object-group PingGroup
access-list Outside_access_in extended permit object-group CiscoVPN 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Outside_access_in extended permit object-group Email 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Outside_access_in extended permit object-group FTPandSFTP 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Outside_access_in extended permit object-group GMail 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Outside_access_in extended permit object-group InstantMessage 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Outside_access_in extended permit object-group VPN 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Outside_access_in extended permit udp 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 object-group InstantMessageUDP
access-list Outside2_access_in extended permit tcp X.X.X.X 255.255.255.0 192.168.1.0 255.255.255.0 object-group WebServices
access-list Outside2_access_in extended permit object-group DM_INLINE_SERVICE_1 X.X.X.X 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Outside2 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 101 interface
global (Outside2) 1 interface
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (Outside2) 0 192.168.1.0 255.255.255.0
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group Outside2_access_in in interface Outside2
route Outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.253 Inside
dhcpd dns 192.168.1.2 interface Inside
dhcpd wins 192.168.1.2 interface Inside
dhcpd lease 50000 interface Inside
dhcpd domain bswift.net interface Inside
dhcpd enable Inside
!
dhcpd address 10.0.10.2-10.0.10.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end
no asdm history enable

9 Replies

Anu M Chacko
Cisco Employee

Hi Roger,

So you're having issues with sending VPN traffic through the Outside2 interface, right? What type of VPN are you using? If you are using remote access VPN, VPN traffic has to be exempted from getting NAT-ed.

On the route side, you need a default route for the Outside2 interface:

route Outside2 0.0.0.0 0.0.0.0

Regards,

Anu.

Anu, I'm using a Cisco VPN client on the Inside interface. It works going out the Outside interface using the default route, but when I added a static route and the NAT rule it fails when going out through the Outside2 interface. From what I can tell it's trying to use the Outside interface NAT and not the Outside2 NAT. I tried just doing http through that interface and get the same issue.

Roger

Hey Roger,

To what network are you trying to connect via VPN? I understand that you're using Remote access VPN. So, the VPN client host should be on the outside trying to connect to your secure network. I think you're trying to send HTTP traffic through the Internet, not through the VPN tunnel. In that case, add:

nat (Inside) 1 0.0.0.0 0.0.0.0

Also, you will need a route to the Outside2 interface.

Hope this helps!!!

Regards,

Anu.

P.S. Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

Anu, I had to remove the two static routes I had in for Outside2 so the developers could continue to work. When I have the static routes in place the routing appears to be working but fails on NAT. I do have a nat (Inside) 101 0.0.0.0 0.0.0.0, but I think what is happening is the packets are hitting the first nat statement for the Outside interface and not hitting, or have the wrong nat for, the Outside2 interface. What should the nat look like for inside, outside, and outside2?

From the running config

nat-control
global (Outside) 101 interface
global (Outside2) 1 interface
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (Outside2) 0 192.168.1.0 255.255.255.0

Roger,

In the configuration,

global (Outside) 101 interface
global (Outside2) 1 interface
nat (Inside) 101 0.0.0.0 0.0.0.0
nat (Outside2) 0 192.168.1.0 255.255.255.0

there is no nat statement for the global (Outside2) 1 interface. Every nat command must be matched with a global command. You do have a global (Outside2) 1 interface but you're missing the respective nat command. Traffic from the inside should get dynamically translated to the Outside2 interface.

nat (Inside) 101 0.0.0.0 0.0.0.0 is matched with global (Outside) 101 interface. So you need to add the following command if you want the traffic from the inside network to get translated on the Outside2 interface.

nat (Inside) 1 0.0.0.0 0.0.0.0

With the static routes, the packet-tracer fails on NAT because the network on the inside is not specified, which you have to with the above NAT command. Try adding this nat command along with the static route. Hope this explanation is clear enough.

Let me know how it goes.

Regards,

Anu.

Thanks Anu, I think that is it.  I have to wait till afterhours to test the changes though.

Thanks,

Roger

Sure. Let me know how it goes.

Regards,

Anu.

P.S. Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

Didn't work.... First I added the static routes with no issue. Then added the additional nat through the command line but got an error saying it already existed. I deleted the nat entry in ASDM and then manually added both nat statements, this time with no error. Saved the config with no issues. Going to packet tracer I still received the same error I had before. The NAT, even with the correct route, was trying to use the (Outside) nat and not the (Outside2) nat..

The weird part was when I first added the second nat statement and it came back with an error saying it was already there, I looked at the running config and it did not show it....

Not sure what to try now.

Roger,

I'm still not clear if you are trying to pass Internet traffic or VPN traffic through Outside2 interface.

1. If you are trying to connect to the internal network from outside via Remote access VPN, then you need to exempt this traffic from being natted. The command: nat (Outside2) 0 192.168.1.0 255.255.255.0 is incorrect.

Please change this to:

access-list nonat permit ip host host

nat (Inside) 0 access-list nonat

route Outside2 0.0.0.0 0.0.0.0

2. Or, if you are trying to send Internet traffic through the Outside2 interface from the Inside network, you just need:

nat (Inside) 101 0.0.0.0 0.0.0.0

global (Outside2) 101 interface

route Outside2 0.0.0.0 0.0.0.0

no nat (Outside2) 0 192.168.1.0 255.255.255.0

Also, it would be great if you could use CLI to make these changes.

Thanks,

Anu.
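Added example, not code from the thread or from Cisco: a small Python model of the classic (pre-8.3) ASA nat/global pairing that Anu describes above (a nat ID is only usable on an egress interface that has a global with the same ID) and of option 2 in the final reply. It assumes a simplified first-match rule engine with nat-control on, and the host address 192.168.1.50 is constructed; it is meant to show why packet-tracer reported a NAT failure for Inside -> Outside2 with Roger's posted config and why it passes once global (Outside2) 101 interface exists.

```python
# Constructed model of pre-8.3 ASA dynamic NAT matching under nat-control.
# Not ASA code: it only reproduces the id-pairing rule discussed in the thread.
from ipaddress import ip_address, ip_network


def nat(iface, nat_id, net):
    """nat (iface) nat_id net  -- real addresses entering iface."""
    return {"kind": "nat", "if": iface, "id": nat_id, "net": ip_network(net)}


def glob(iface, nat_id):
    """global (iface) nat_id interface -- PAT to the egress interface address."""
    return {"kind": "global", "if": iface, "id": nat_id}


def translate(config, src_if, dst_if, src_ip):
    """Outcome for a flow entering src_if, leaving dst_if (first matching nat wins)."""
    host = ip_address(src_ip)
    for rule in config:
        if rule["kind"] != "nat" or rule["if"] != src_if or host not in rule["net"]:
            continue  # nat rules only apply to traffic arriving on their own interface
        if rule["id"] == 0:
            return "identity (nat 0, no translation)"
        for g in config:
            if g["kind"] == "global" and g["if"] == dst_if and g["id"] == rule["id"]:
                return f"PAT to {dst_if} interface address (id {g['id']})"
        return f"DROP: nat id {rule['id']} has no matching global on {dst_if}"
    return f"DROP: nat-control is on and no nat rule matches on {src_if}"


# Roger's running config as posted. Note that nat (Outside2) 0 192.168.1.0/24
# only ever matches traffic *arriving on* Outside2 from 192.168.1.0/24, so it
# plays no part in an Inside -> Outside2 flow.
ORIGINAL = [glob("Outside", 101), glob("Outside2", 1),
            nat("Inside", 101, "0.0.0.0/0"), nat("Outside2", 0, "192.168.1.0/24")]

# Option 2 from the final reply: id 101 gets a global on Outside2, stray nat 0 removed.
FIXED = [glob("Outside", 101), glob("Outside2", 101), nat("Inside", 101, "0.0.0.0/0")]

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        for egress in ("Outside", "Outside2"):
            print(f"{name:8} Inside->{egress:8} {translate(cfg, 'Inside', egress, '192.168.1.50')}")
```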
