12-19-2012 09:53 AM - edited 03-11-2019 05:39 PM
Hi,
I am trying to get my backup traffic from my Main office 172.28.0.18 Server to Remote office Server 192.168.100.3 via the Site-To-Site tunnel. My problem is it's getting dropped by the NAT rule.
Packet trace below.
ciscoasa# packet-tracer input outside1 tcp 208.124.202.44 135 192.168.100.3 135
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.100.0 255.255.255.240 inside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside1_access_in in interface outside1
access-list outside1_access_in extended permit object-group Veeam-Connection object-group DM_INLINE_NETWORK_3 host 192.168.100.3
object-group service Veeam-Connection
service-object object Veeam-Transport
service-object object Veeam-Vmware-Data
service-object tcp destination eq https
service-object object Veeam-Transmission
service-object object Veeam-Deploy
service-object object Veeam-Deploy1
service-object object Veeam-Installer
service-object object Veeam-Deploy2
object-group network DM_INLINE_NETWORK_3
network-object object Primus
network-object object Rogers
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network INSIDE
nat (inside,outside1) dynamic interface
Additional Information:
Result:
input-interface: outside1
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Do I need to add another NAT rule before "(inside) to (outside1) source dynamic INSIDE interface" with the specific services that I need? Would that fix my problem?
Thank you.
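For triaging traces like the one above without reading them by hand, here is an added Python example (not from the original post and not a Cisco tool) that splits packet-tracer output into its phases and returns the first phase whose Result is DROP, together with the config lines that phase cites and the final Drop-reason. The embedded sample is an abridged copy of the trace posted above (phases 1, 6 and 7 plus the summary block); everything else is constructed for the example.

```python
"""Split Cisco ASA packet-tracer output into phases and find the dropping one.

Added example, not from the forum post or from Cisco. The SAMPLE text is an
abridged copy of the trace above (phases 1, 6 and 7 and the final summary).
"""
from typing import Dict, List, Optional

SAMPLE = """\
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network INSIDE
nat (inside,outside1) dynamic interface
Additional Information:
Result:
input-interface: outside1
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(text: str) -> Dict:
    """Return {"phases": [...], "drop_reason": str|None} for one packet-tracer run."""
    phases: List[Dict] = []
    cur: Optional[Dict] = None      # phase currently being filled
    bucket: Optional[str] = None    # "config" or "info" while collecting free-form lines
    drop_reason: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            bucket = None
        elif line.startswith("Drop-reason:"):
            drop_reason = line.split(":", 1)[1].strip()
        elif cur is None:
            continue                # command echo or summary lines we do not model
        elif line == "Result:":
            cur = None              # a bare "Result:" opens the final summary block
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, val = line.split(":", 1)
            cur[key.lower()] = val.strip()
            bucket = None
        elif line == "Config:":
            bucket = "config"
        elif line == "Additional Information:":
            bucket = "info"
        elif bucket and line:
            cur[bucket].append(line)
    return {"phases": phases, "drop_reason": drop_reason}


def drop_phase(text: str) -> Optional[Dict]:
    """First phase with Result: DROP, annotated with the trace's Drop-reason, or None if allowed."""
    parsed = parse_trace(text)
    for phase in parsed["phases"]:
        if phase["result"] == "DROP":
            return {**phase, "drop_reason": parsed["drop_reason"]}
    return None


if __name__ == "__main__":
    hit = drop_phase(SAMPLE)
    print(f"dropped in phase {hit['phase']} ({hit['type']}/{hit['subtype']}): {hit['drop_reason']}")
    for cfg in hit["config"]:
        print("  ", cfg)
```

The config lines attached to the dropping phase are the ones to look at first; in the trace above they point straight at the dynamic interface PAT rather than at any access-list, even though the Drop-reason text says "acl-drop".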
12-19-2012 11:02 AM
Hi,
Yes, the last time you were able to use the old NAT0 configuration ("nat (inside) 0 x.x.x.x y.y.y.y" or "nat (inside) 0 access-list ACL") was with 8.2 software.
In software levels 8.3 and forward, NAT has changed.
Looking at your configuration related to the L2L VPN, it would seem you could configure the following NAT to allow connections using the real IP addresses of the local and remote hosts:
object network LOCAL-LAN
subnet 192.168.100.0 255.255.255.240
object network REMOTE-LAN
subnet 172.28.0.0 255.255.0.0
nat (inside,outside1) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN
The above has/does the following
Also, if you need to make ACL rules to allow some traffic, remember to use the actual LAN IP addresses in the ACL rules.
Please rate if the information was helpful. Ask more if needed.
- Jouni
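To make the precedence behind this answer concrete (and to answer the question above about whether the new rule has to sit before the dynamic PAT), here is an added Python model that is not Cisco code and not part of Jouni's reply. It models the ASA 8.3+ NAT lookup order: manual (twice) NAT rules are consulted in configuration order before any object NAT rule, so an identity rule like the one above matches VPN traffic first even when it is added after "nat (inside,outside1) dynamic interface". It also models the rpf-check from phase 7 of the trace: an inbound packet is only accepted if the reverse flow would translate its source to the address the packet was sent to. The outside1 interface address 203.0.113.1 is a constructed value, and ordering inside section 2 (static before dynamic, by prefix length) is deliberately not modelled.

```python
"""Toy model of ASA 8.3+ NAT precedence and the NAT rpf-check.

Constructed example, not Cisco's implementation. Section 1 (manual / twice
NAT) is searched in configuration order before section 2 (object NAT), so an
identity twice-NAT for the VPN subnets wins over a dynamic interface PAT
regardless of where it appears in the running configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Flow = Tuple[str, str]  # (source, destination)


@dataclass(frozen=True)
class TwiceNat:
    """nat (real_if,mapped_if) source static SRC_REAL SRC_MAPPED destination static DST_REAL DST_MAPPED"""
    real_if: str
    mapped_if: str
    src_real: str
    src_mapped: str
    dst_real: str
    dst_mapped: str


@dataclass(frozen=True)
class ObjectNat:
    """object network X with nat (real_if,mapped_if) dynamic interface"""
    real_if: str
    mapped_if: str
    real_net: str
    pat_addr: str  # address of the mapped interface (constructed in the demo)


Rule = Union[TwiceNat, ObjectNat]


def _contains(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def _map(addr: str, real: str, mapped: str) -> str:
    """Static mapping keeps the host offset within the subnet; identity when real == mapped."""
    r = ipaddress.ip_network(real, strict=False)
    m = ipaddress.ip_network(mapped, strict=False)
    return str(m[int(ipaddress.ip_address(addr)) - int(r.network_address)])


def translate(rules: List[Rule], in_if: str, out_if: str, src: str, dst: str) -> Optional[Flow]:
    """First-match lookup: every TwiceNat (section 1) before every ObjectNat (section 2).
    Returns the translated (src, dst); the flow unchanged when no rule applies; None when
    only the reverse of a dynamic PAT would apply (no xlate exists for a new inbound flow)."""
    ordered = [r for r in rules if isinstance(r, TwiceNat)] + [r for r in rules if isinstance(r, ObjectNat)]
    for r in ordered:
        if isinstance(r, TwiceNat):
            if (in_if, out_if) == (r.real_if, r.mapped_if) and _contains(src, r.src_real) and _contains(dst, r.dst_real):
                return _map(src, r.src_real, r.src_mapped), _map(dst, r.dst_real, r.dst_mapped)
            # twice NAT is bidirectional: the mapped -> real direction untranslates
            if (in_if, out_if) == (r.mapped_if, r.real_if) and _contains(src, r.dst_mapped) and _contains(dst, r.src_mapped):
                return _map(src, r.dst_mapped, r.dst_real), _map(dst, r.src_mapped, r.src_real)
        else:
            if (in_if, out_if) == (r.real_if, r.mapped_if) and _contains(src, r.real_net):
                return r.pat_addr, dst
            if (in_if, out_if) == (r.mapped_if, r.real_if) and dst == r.pat_addr:
                return None
    return src, dst


def rpf_check(rules: List[Rule], in_if: str, out_if: str, src: str, dst: str) -> bool:
    """Model of the NAT rpf-check on an inbound packet: the reverse flow (from dst back to src)
    must translate its source to exactly the address this packet was addressed to."""
    reverse = translate(rules, out_if, in_if, dst, src)
    return reverse is not None and reverse[0] == dst


# Topology from the thread: 192.168.100.0/28 behind "inside", remote office 172.28.0.0/16
# reached through the L2L VPN on "outside1". PAT_ADDR is a constructed placeholder.
PAT_ADDR = "203.0.113.1"
DYNAMIC_PAT = ObjectNat("inside", "outside1", "192.168.100.0/28", PAT_ADDR)
VPN_IDENTITY = TwiceNat("inside", "outside1", "192.168.100.0/28", "192.168.100.0/28",
                        "172.28.0.0/16", "172.28.0.0/16")


def demo() -> dict:
    before = [DYNAMIC_PAT]
    after = [DYNAMIC_PAT, VPN_IDENTITY]  # identity rule listed after the PAT, still matched first
    return {
        "inbound_before": rpf_check(before, "outside1", "inside", "172.28.0.18", "192.168.100.3"),
        "inbound_after": rpf_check(after, "outside1", "inside", "172.28.0.18", "192.168.100.3"),
        "vpn_outbound": translate(after, "inside", "outside1", "192.168.100.3", "172.28.0.18"),
        "internet_outbound": translate(after, "inside", "outside1", "192.168.100.3", "198.51.100.7"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With only the dynamic PAT, the reverse of the backup flow would leave outside1 sourced from the interface address, not from 192.168.100.3, so the inbound packet fails the rpf-check exactly as phase 7 shows; once the identity twice-NAT exists, VPN traffic keeps its real addresses in both directions while Internet-bound traffic from the same host still hits the PAT.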
12-19-2012 10:00 AM
Hi,
Can you copy/paste here the ACL that defines the tunneled traffic?
Should the hosts on each end form connections with each other using the actual/local IP addresses or some public IP addresses?
Usually in an L2L VPN (when possible) you configure a NAT0/NAT Exempt type of NAT setup so that the local and remote networks can communicate with each other through the L2L VPN without using any NAT.
Also, I don't think it's possible to test L2L VPN traffic with the "packet-tracer" command UNLESS you are testing traffic originating from your local protected networks to the remote networks. In that case the "packet-tracer" command actually brings up the L2L VPN if it's working properly.
- Jouni
12-19-2012 10:52 AM
Hello,
I did try doing the NAT0 but it's deprecated in my version.
access-list outside1_cryptomap; 1 elements; name hash:
access-list outside1_cryptomap line 1 extended permit ip object LAN object Apptionlan1
access-list outside1_cryptomap line 1 extended permit ip 192.168.100.0 255.255.255.240 172.28.0.0 255.255.0.0
12-19-2012 12:00 PM
Hello,
This is a very nice detailed explanation and resolution. Much needed for a guy who has not touched a Cisco firewall since version 6.x.
Thank you very much for your help.
12-19-2012 12:41 PM
I started out with 6.3 software myself and it was a shock (the command/configuration format) after only configuring Cisco switches and routers before that.
Please let me know if the above configuration helped to solve your problem.
If it did, please mark the question as answered.
- Jouni
12-20-2012 02:29 PM
From 8.4, you should add route-lookup and no-proxy-arp to the NAT lines if you don't want strange errors.