Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
805
Views
5
Helpful
0
Replies

Strange after-auto nat behaviour when using "any" as source

Chess Norris
Level 4
Level 4

‎06-14-2021 05:56 AM - edited ‎06-14-2021 06:23 AM

Hi,

I was working on an issue a customer of mine had with NAT. The customer decided to tunnel all remote VPN and have the traffic u-turn on the outside interface. I created a nat (outside,outside) rule for this like I've done many times before for customers that want this feature. However, the VPN users couldn't reach Internet  after we enabled the tunnel all policy. After some troubleshooting with packet-tracer, I saw that the following nat rule was hit at the end on phase 9 and caused the issue -

nat (any,outside) after-auto source dynamic any interface. The output from packet-tracer looked like this 


Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (any,outside) after-auto source dynamic any interface


The solution was to either change (any,outside) to specific source interfaces or to change the source to something else than any, like nat (any,outside) after-auto source dynamic RFC1918 interface

After changing to the above nat rule, the packet-tracer still hit the after-auto rule, but this time it's allowed.

 

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (any,outside) after-auto source dynamic RFC1918 interface

Anyone have an idea on why this happen? Does the "any" perhaps match on both ingress and egress traffic? 

Thanks

/Chess

 

0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card