NAT Questions

paultribe
Level 1

Can anyone help me ?

I would like to know if the following is possible on an ASA. I have tried to get this working but I am having great difficulties:

I have a three interface ASA running 8.3 and I want to have the following functionality:

1) Have some hosts on the DMZ interface use static NAT for bidirectional communications (Which is typical).

2) Have some hosts on the DMZ interface access the Internet using PAT (NAT hide). (For example hosts that are members of a load balanced group so do not need a static entry).

3) Ensure all hosts are accessible from remote access VPN clients using NAT identity (static, NAT'ing the VPN client pool address to itself).

The problem is when I have NAT identity and PAT configured at the same time only one method of access works which I believe is to do with the NAT order of operation.

Is it possible to do what I require ?

Please help .... It is difficult to send a config as the firewall I have been tasked to work on is a complete mess !!!, but I will try and put together the relevant parts and post in due course.

5 Replies

varrao
Level 10

Hi Paul,

The first two are very typical and can be done surely, but always for static NAT users, if they access the Internet, they would always use the mapped IP and not the PAT IP.

For the 3rd, in 8.3, there is no NAT preference; the one which is most specific would take precedence. We just have two types of NAT, auto NAT and manual NAT, and manual NAT takes preference. So there is not really a NAT exempt or PAT preference; it depends upon the flow of traffic, the order in the NAT table and how specific it is.

-Thanks,

Varun

Thanks,
Varun Rao

When the VPN host tries to access a host in the DMZ that does not have a static NAT I get the following message:


%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse
flows; Connection protocol src interface_name:source_address/source_port[(idfw_user)] dst interface_name:dst_address/dst_port[(idfw_user)] denied due to
NAT reverse path failure.

Hi Paul,

In a packet flow, the packets are checked for translations from source to destination and vice-versa as well. If there is a NAT statement which is taking precedence over the NAT statement that we are using for the return packet, that's when you see the error, or if there is no translation for the reverse flow. So it might be difficult to point out the missing chunk in your config; that would only be done after having a look at the config and understanding the flow.

-Varun

Thanks,
Varun Rao

Varun (In case you are interested)

I have managed to resolve the issue now. I should have mentioned the task I am doing is also upgrading the ASA from 8.2 to 8.3.

I found that during the upgrade all original No NAT statements that let VPN clients access internal resources also did not work. I found that this was due to the upgrade procedure making the rules "unidirectional". Once I corrected this I applied the same type of No NAT rule to my new DMZ interface and everything now works.

Thanks

Paul
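The three rule types Paul lists, the manual-over-auto ordering Varun describes, and the unidirectional identity rule that Paul found after the 8.2 to 8.3 upgrade, put together as an added ASA 8.3 configuration example. This is not the poster's configuration or anything taken from the thread; the interface names (dmz, inside, outside), the addresses and the object names are assumptions chosen for illustration.

```cisco
! Added illustration only: interface names, addresses and object names are assumed.
!
! --- Network objects ---
object network DMZ-WEB1
 host 172.16.1.10
object network DMZ-WEB1-PUBLIC
 host 203.0.113.10
object network DMZ-LB-POOL
 subnet 172.16.1.64 255.255.255.192
object network DMZ-NET
 subnet 172.16.1.0 255.255.255.0
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network VPN-POOL
 subnet 10.10.10.0 255.255.255.0
!
! 1) Static, bidirectional NAT for a DMZ host (auto NAT, evaluated in section 2).
object network DMZ-WEB1
 nat (dmz,outside) static DMZ-WEB1-PUBLIC
!
! 2) Dynamic PAT to the outside interface address for the load-balanced group
!    that needs no static entry (auto NAT, section 2).
object network DMZ-LB-POOL
 nat (dmz,outside) dynamic interface
!
! 3) Identity NAT so VPN clients reach DMZ and inside hosts untranslated.
!    Manual (twice) NAT sits in section 1 and is evaluated before the auto NAT
!    rules above, so the VPN flow never falls through to the dynamic PAT.
!    Without a trailing keyword the rule is bidirectional: it matches whether
!    the DMZ host or the VPN client opens the connection.
nat (dmz,outside) source static DMZ-NET DMZ-NET destination static VPN-POOL VPN-POOL
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL
!
! The shape Paul describes from the migration (shown commented out): with the
! "unidirectional" keyword the rule only matches connections initiated from the
! dmz side. A connection opened by a VPN client toward a PAT-only DMZ host then
! matches rule 2 on the return leg instead, and the ASA logs %ASA-5-305013
! (asymmetric NAT rules matched for forward and reverse flows).
! nat (dmz,outside) source static DMZ-NET DMZ-NET destination static VPN-POOL VPN-POOL unidirectional
!
! --- Verification ---
! List the rule table with section numbers and hit counts.
show nat detail
! Walk a packet from a VPN pool address to a PAT-only DMZ host and confirm the
! NAT phase selects the identity rule rather than the dynamic PAT.
packet-tracer input outside tcp 10.10.10.5 12345 172.16.1.70 80
```

When reviewing a migrated configuration, `show nat detail` is the quickest way to see which section each rule landed in and whether any identity rule carries the `unidirectional` keyword; `packet-tracer` then confirms the rule chosen for a given flow before any client traffic is involved.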

Hey, that's good. I am very much interested, and yes, if you were upgrading to version 8.3, you might hit this bug:

CSCti36048, and as I said, the unidirectional keyword restricts the traffic to only one direction, so that caused the error message.

-Varun

Thanks,
Varun Rao