Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2639
Views
0
Helpful
6
Replies

ssh to inside interface of ASA - VPN Tunnel

Go to solution
Firepowered
Level 1
Level 1

‎10-22-2019 04:27 AM

My setup is exactly what is explained here:

 

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/118092-configure-asa-00.html

 

My problem (which off course is now resolved) is : I can't SSH / ASDM to inside interface of the firewall, the solution was to enable 'route lookup' at the end of NAT, this is fine and working.

 

(From the link above)

 

nat (inside,outside) source static obj_192.168.10.0 obj_192.168.10.0 destination
 static obj_172.18.124.0 obj_172.18.124.0 no-proxy-arp route-lookup

!--- Configures a default route towards the gateway router.
 
route outside 0.0.0.0 0.0.0.0 198.51.100.252 1

 

What I don't understand is, what difference does it make to enable 'route lookup' if there is only one default route on the firewall? Correct me if I am wrong, but if I don't enable 'route-lookup', it will use the outside interface in the nat, which I think will naturally forward traffic to default gateway? If not, how is packet routed when route-lookup is not enabled?

 

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10

‎10-22-2019 09:51 AM - edited ‎10-22-2019 09:52 AM

There are few scenarios where you want to use route-lookup , go through these notes below - see under "Configuring Identity NAT "  purpose notes " Determining the Egress Interface" section , it  explains it all

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_objects.html#29926

Jorge Rodriguez

View solution in original post

0 Helpful

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni
In response to Firepowered

‎10-22-2019 12:02 PM

What is under the object definition VPN_LOCAL and VPN_REMOTE?

 

One of the problems that I usually see is when there is an overlap between the source and destination networks. Since identity NAT is bidirectional in nature, you could match the rule in the reverse direction causing it to route it to the wrong interface.

 

So in your case, say both VPN_LOCAL and VPN_REMOTE are the same, say 10.0.0.0/8. This means your rule can be interpreted in two ways:

 

nat (inside,outside) source static VPN_LOCAL VPN_LOCAL destination static VPN_REMOTE VPN_REMOTE no-proxy-arp 

or

nat (inside,outside) source static VPN_REMOTE VPN_REMOTE destination  static VPN_LOCAL VPN_LOCAL no-proxy-arp 
IF I match the first interpretation of the rule, I send the inbound traffic to the inside interface (correctly), but if I match the second one, I send it to the outside. To avoid all this, we use the route-lookup to make these decisions solely on the routing table rather than the nat source and destination interfaces. 
 
This is a fairly complicated concept to write about in one post without real-world examples. Hope this helps. 
 
 
 

 

 

 

View solution in original post

0 Helpful
6 Replies 6

Go to solution
JORGE RODRIGUEZ
Level 10
Level 10

‎10-22-2019 09:51 AM - edited ‎10-22-2019 09:52 AM

There are few scenarios where you want to use route-lookup , go through these notes below - see under "Configuring Identity NAT "  purpose notes " Determining the Egress Interface" section , it  explains it all

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_objects.html#29926

Jorge Rodriguez
0 Helpful

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni

‎10-22-2019 09:54 AM

What does your NAT config look like?

 

The route-lookup keyword is used when you want the ASA to use the routing table to determine the egress interface instead of the nat rule. So, for example, if your rule has  (inside, any), it could translate to (inside, inside) or (inside, outside). The route-lookup is meant to avoid that ambiguity and let the routing table take care of finding the egress interface. 

0 Helpful

Go to solution
Firepowered
Level 1
Level 1
In response to Rahul Govindan

‎10-22-2019 11:01 AM

Thanks. I understand that route lookup tells ASA to check the routing table, but if route lookup is not enabled and I have just one nat and default route, how does it make a difference?

 

My NAT

 

nat (inside,outside) source static VPN_LOCAL VPN_LOCAL destination static VPN_REMOTE VPN_REMOTE no-proxy-arp route-lookup

0 Helpful

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni
In response to Firepowered

‎10-22-2019 12:02 PM

What is under the object definition VPN_LOCAL and VPN_REMOTE?

 

One of the problems that I usually see is when there is an overlap between the source and destination networks. Since identity NAT is bidirectional in nature, you could match the rule in the reverse direction causing it to route it to the wrong interface.

 

So in your case, say both VPN_LOCAL and VPN_REMOTE are the same, say 10.0.0.0/8. This means your rule can be interpreted in two ways:

 

nat (inside,outside) source static VPN_LOCAL VPN_LOCAL destination static VPN_REMOTE VPN_REMOTE no-proxy-arp 

or

nat (inside,outside) source static VPN_REMOTE VPN_REMOTE destination  static VPN_LOCAL VPN_LOCAL no-proxy-arp 
IF I match the first interpretation of the rule, I send the inbound traffic to the inside interface (correctly), but if I match the second one, I send it to the outside. To avoid all this, we use the route-lookup to make these decisions solely on the routing table rather than the nat source and destination interfaces. 
 
This is a fairly complicated concept to write about in one post without real-world examples. Hope this helps. 
 
 
 

 

 

 

0 Helpful

Go to solution
Firepowered
Level 1
Level 1
In response to Rahul Govindan

‎10-29-2019 03:25 AM

Thanks Govindan, this makes sense.

 

The Subnets are overlapping, the local subnet is 10.35.15.0 the remote subnet is 10.0.0.0/8

0 Helpful

Go to solution
Firepowered
Level 1
Level 1
In response to Rahul Govindan

‎10-30-2019 11:32 PM

Thanks Rahul, it makes to understand it, and I request you to hook me up with a document or something that I can understand this concept end to end.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card