NAT/VPN traffic

apptionadmin
Level 1

Hi,

I am trying to get my backup traffic from my Main office server 172.28.0.18 to the Remote office server 192.168.100.3 via the Site-To-Site tunnel. My problem is that it's getting dropped by the NAT rule.

Packet trace below.

ciscoasa# packet-tracer input outside1 tcp 208.124.202.44 135 192.168.100.3 135

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.100.0   255.255.255.240 inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside1_access_in in interface outside1
access-list outside1_access_in extended permit object-group Veeam-Connection object-group DM_INLINE_NETWORK_3 host 192.168.100.3
object-group service Veeam-Connection
 service-object object Veeam-Transport
 service-object object Veeam-Vmware-Data
 service-object tcp destination eq https
 service-object object Veeam-Transmission
 service-object object Veeam-Deploy
 service-object object Veeam-Deploy1
 service-object object Veeam-Installer
 service-object object Veeam-Deploy2
object-group network DM_INLINE_NETWORK_3
 network-object object Primus
 network-object object Rogers
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network INSIDE
 nat (inside,outside1) dynamic interface
Additional Information:

Result:
input-interface: outside1
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Do I need to add another NAT rule before "(inside) to (outside1) source dynamic INSIDE interface" with the specific services that I need? Would that fix my problem?

Thank you.



Jouni Forss
VIP Alumni

Hi,

Can you copy/paste here the ACL that defines the tunneled traffic?

Should the hosts on each end form connections with each other using the actual/local IP addresses or using some public IP addresses?

Usually in an L2L VPN (when possible) you configure a NAT0/NAT Exempt type of NAT setup so that the local and remote networks can communicate with each other through the L2L VPN without using any NAT.

Also, I don't think it's possible to test L2L VPN traffic with the "packet-tracer" command UNLESS you are testing traffic originating from your local protected networks to the remote networks. In that case the "packet-tracer" command actually brings up the L2L VPN if it's working properly.

- Jouni

Hello,

I did try doing the NAT0 but it's deprecated in my version.

access-list outside1_cryptomap; 1 elements; name hash:
access-list outside1_cryptomap line 1 extended permit ip object LAN object Apptionlan1
  access-list outside1_cryptomap line 1 extended permit ip 192.168.100.0 255.255.255.240 172.28.0.0 255.255.0.0

Hi,

Yes, the last time you were able to use the old NAT0 configuration ("nat (inside) 0 x.x.x.x y.y.y.y" or "nat (inside) 0 access-list ACL") was with 8.2 software.

In software levels 8.3 and forward the NAT has changed.

Looking at your configuration related to the L2L VPN, it would seem you could configure the following NAT to allow connections using the real IP addresses of the local and remote hosts:

object network LOCAL-LAN
 subnet 192.168.100.0 255.255.255.240
object network REMOTE-LAN
 subnet 172.28.0.0 255.255.0.0
nat (inside,outside1) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN

The above does the following:

  • The first object defines your local LAN network.
  • The second object defines the remote LAN behind the L2L VPN connection.
  • The NAT command performs NAT between the interfaces "inside" and "outside1".
    • Specifically, when the source network is your LAN and the destination network is REMOTE-LAN, then NEITHER of the LAN networks will be NATed. This is why you have the same object configured twice in the NAT configuration.

Also, if you need to make ACL rules to allow some traffic, remember to use the actual LAN IP addresses in the ACL rules.

Please rate if the information was helpful. Ask more if needed.

- Jouni
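To see why the existing object NAT fails the rpf-check in the trace above while the identity twice-NAT from the accepted answer passes it, here is a small added Python model (not code from the thread or from Cisco): it encodes the ASA 8.3+ first-match order (manual NAT, section 1, is evaluated before object NAT, section 2) and a simplified reverse-flow check. The outside1 interface address 198.51.100.1 and the internet host 203.0.113.10 are constructed values, not from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ip, net = ipaddress.ip_address, ipaddress.ip_network
ANY = net("0.0.0.0/0")
# Constructed interface address for outside1 (the thread does not give it).
IFACE_IPS = {"outside1": ip("198.51.100.1")}

@dataclass
class NatRule:
    """One ASA 8.3+ NAT rule. section 1 = manual (twice) NAT, 2 = object NAT."""
    section: int
    real_if: str
    mapped_if: str
    real_src: ipaddress.IPv4Network
    mapped_src: Optional[str]   # None = identity (untranslated), "interface" = PAT to interface IP
    real_dst: ipaddress.IPv4Network = ANY
    order: int = 0

def lookup(rules, src, dst, in_if, out_if):
    """First-match lookup: section 1 before section 2, config order within a section."""
    for r in sorted(rules, key=lambda r: (r.section, r.order)):
        if r.real_if == in_if and r.mapped_if == out_if and src in r.real_src and dst in r.real_dst:
            return r
    return None

def mapped_source(rule, src, mapped_if):
    """Address the real source appears as on the mapped interface under this rule."""
    return src if rule.mapped_src is None else IFACE_IPS[mapped_if]

def rpf_check(rules, src, dst, in_if, out_if):
    """Simplified NAT rpf-check for a packet arriving on the mapped side (outside1):
    the rule the reverse flow (inside host -> remote host) would hit must present the
    inside host as exactly the address this packet was sent to, otherwise DROP."""
    r = lookup(rules, dst, src, out_if, in_if)
    return r is None or mapped_source(r, dst, in_if) == dst

# The rule from the trace: dynamic PAT of the inside LAN to the outside1 interface.
PAT_ONLY = [NatRule(2, "inside", "outside1", net("192.168.100.0/28"), "interface")]
# Plus the accepted answer's identity twice-NAT for LOCAL-LAN <-> REMOTE-LAN (section 1).
WITH_EXEMPT = [NatRule(1, "inside", "outside1", net("192.168.100.0/28"), None, net("172.28.0.0/16"))] + PAT_ONLY

def demo():
    remote, local = ip("172.28.0.18"), ip("192.168.100.3")
    internet = lookup(WITH_EXEMPT, local, ip("203.0.113.10"), "inside", "outside1")
    return {
        "before": rpf_check(PAT_ONLY, remote, local, "outside1", "inside"),    # False: the DROP in the trace
        "after": rpf_check(WITH_EXEMPT, remote, local, "outside1", "inside"),  # True: tunnel traffic exempted
        "internet_still_pat": mapped_source(internet, local, "outside1") == IFACE_IPS["outside1"],  # True
    }

if __name__ == "__main__":
    print(demo())
```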

Hello,

This is one very nice, detailed explanation and resolution. Much needed for a guy that has not touched a Cisco firewall since version 6.x.

Thank you very much for your help.

I started out with 6.3 software myself and it was a shock (the command/configuration format) after only configuring Cisco switches and routers before that.

Please let me know if the above configuration helped to solve your problem.

If it did, please mark the question as answered

- Jouni

From 8.4 you should add route-lookup and no-proxy-arp to the NAT lines if you don't want strange errors.
