05-05-2013 10:27 AM - edited 03-11-2019 06:39 PM
Trying to upgrade to ASA 9....
We have a few remote easy vpn ASA 5505 that connect but I am unable to ping the remote LAN. How can I exempt these networks from what I have here.....
(What I currently have for the 5505s - not working)
nat (inside,outside) source dynamic DYNAMIC-INSIDE interface destination static REMOTE-NETWORKS REMOTE-NETWORKS
(What I currently have for VPN users - seems to be working)
nat (inside,outside) source static DYNAMIC-INSIDE DYNAMIC-INSIDE destination static VPN VPN no-proxy-arp
nat (inside,outside) after-auto source dynamic DYNAMIC-INSIDE interface
Let me know if there any info you need or if I'm way off on this.
05-05-2013 11:02 AM
Hi,
The configurations you have for VPN Clients is basically the way to do NAT Exempt for all remote networks behind a VPN connection, whether it's a VPN Client pool, EasyVPN Client or L2L VPN.
The basic format is
object network LOCAL-LAN
subnet 10.10.10.0 255.255.255.0
object network REMOTE-LAN
subnet 10.10.100.0 255.255.255.0
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN
or in case you have several networks at local and remote sites then you could use
object-group network LOCAL-LAN
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
object-group network REMOTE-LAN
network-object 10.10.100.0 255.255.255.0
network-object 10.10.200.0 255.255.255.0
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN
The configuration you have currently
nat (inside,outside) source dynamic DYNAMIC-INSIDE interface destination static REMOTE-NETWORKS REMOTE-NETWORKS
NATs the IP addresses inside DYNAMIC-INSIDE to the "outside" interface IP address because of the parameter "interface"
So basically you should remove this configuration and replace it with for example the ones I mentioned. Naturally name them as you see fit and use the networks that apply to your situation.
Hopefully this helps
Remember to mark the question as answered if it did and/or rate helpful answers.
Naturally ask more if needed
- Jouni
05-05-2013 11:10 AM
Jouni,
Thanks for the reply. I have my config now set to:
nat (inside,outside) source static DYNAMIC-INSIDE DYNAMIC-INSIDE destination static REMOTE-NETWORKS REMOTE-NETWORKS
Still not working for me.... I believe it has something to do with this line...
nat (inside,outside) after-auto source dynamic DYNAMIC-INSIDE interface
When this line is removed, I am able to ping the remote networks; however, the LAN I'm on now loses internet access.
05-05-2013 11:15 AM
Hi,
The configuration you mention
nat (inside,outside) after-auto source dynamic DYNAMIC-INSIDE interface
Will only override the new type of NAT0 / NAT Exempt configuration if traffic doesn't match the configured rule.
So on the basis of that, please check that DYNAMIC-INSIDE and REMOTE-NETWORKS match the actual networks you have configured for the VPN connections. Make sure they contain the networks related to the Easy VPN connections.
If you don't have many configurations on the ASA then naturally removing the last NAT configuration (the Dynamic PAT) makes it so that the ASA doesn't NAT any traffic past the ASA, and this is why the connections work then.
So doublecheck the networks in the NAT configurations.
Or alternatively provide us with the complete NAT configurations and the configuration of the related "object" and "object-group" used. Also mention the local networks and remote networks.
- Jouni
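To make the ordering point in the two replies above concrete (the identity "source static X X destination static Y Y" rule is checked before the after-auto dynamic PAT, so the PAT only catches traffic the exempt rule did not match), here is a small model of that first-match evaluation. This is an added example, not code from the thread or from Cisco; the object contents, the 203.0.113.1 outside address and the 198.51.100.9 internet destination are constructed placeholders, and the three rule sets are the recommended layout, the original "source dynamic ... interface destination static" line, and the recommended layout with one remote subnet mistyped, which is the failure the thread ends on.

```python
"""Model of ASA twice-NAT rule evaluation for the NAT-exempt case in the thread.
Constructed example: object contents and addresses are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

OUTSIDE_IF_IP = "203.0.113.1"   # placeholder outside-interface address (TEST-NET-3)

# Hypothetical object-group contents, named after the objects in the thread.
GOOD_OBJECTS = {
    "DYNAMIC-INSIDE":  ["10.10.10.0/24", "10.10.20.0/24"],
    "REMOTE-NETWORKS": ["10.10.100.0/24", "10.10.200.0/24"],
}
# Same objects with the kind of slip the thread ends on: one remote subnet mistyped.
TYPO_OBJECTS = {
    "DYNAMIC-INSIDE":  ["10.10.10.0/24", "10.10.20.0/24"],
    "REMOTE-NETWORKS": ["10.10.110.0/24", "10.10.200.0/24"],   # 110 typed instead of 100
}


@dataclass
class NatRule:
    text: str                      # the ASA line this rule models
    section: int                   # 1 = manual NAT, 3 = after-auto (section 2, object NAT, unused here)
    src_obj: str                   # real source object
    mapped_src: str                # same name as src_obj = identity NAT; "interface" = PAT to outside IP
    dst_obj: Optional[str] = None  # "destination static X X" match; None = any destination


# Recommended layout: identity NAT exempt in section 1, catch-all PAT after-auto (section 3).
RECOMMENDED = [
    NatRule("nat (inside,outside) source static DYNAMIC-INSIDE DYNAMIC-INSIDE "
            "destination static REMOTE-NETWORKS REMOTE-NETWORKS", 1,
            "DYNAMIC-INSIDE", "DYNAMIC-INSIDE", "REMOTE-NETWORKS"),
    NatRule("nat (inside,outside) after-auto source dynamic DYNAMIC-INSIDE interface", 3,
            "DYNAMIC-INSIDE", "interface"),
]
# The original rule from the question: dynamic PAT to the interface even for VPN destinations.
ORIGINAL = [
    NatRule("nat (inside,outside) source dynamic DYNAMIC-INSIDE interface "
            "destination static REMOTE-NETWORKS REMOTE-NETWORKS", 1,
            "DYNAMIC-INSIDE", "interface", "REMOTE-NETWORKS"),
    RECOMMENDED[1],
]


def _in_object(name, ip, objects):
    return any(ip in ipaddress.ip_network(net) for net in objects[name])


def translate(src, dst, rules, objects):
    """Return (mapped source, matched rule text).

    The ASA walks section 1, then 2, then 3, in configuration order within a
    section, and the first rule whose source and destination both match wins."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.section):   # stable sort keeps config order
        if not _in_object(rule.src_obj, src_ip, objects):
            continue
        if rule.dst_obj is not None and not _in_object(rule.dst_obj, dst_ip, objects):
            continue
        mapped = src if rule.mapped_src == rule.src_obj else OUTSIDE_IF_IP
        return mapped, rule.text
    return src, "no nat rule matched"


def is_exempt(src, dst, rules, objects):
    """True when the packet leaves with its real source address, i.e. NAT exempt for the VPN."""
    return translate(src, dst, rules, objects)[0] == src


if __name__ == "__main__":
    for label, rules, objs in [("recommended", RECOMMENDED, GOOD_OBJECTS),
                               ("original", ORIGINAL, GOOD_OBJECTS),
                               ("recommended + typo", RECOMMENDED, TYPO_OBJECTS)]:
        for dst in ("10.10.100.7", "198.51.100.9"):   # a VPN host and an internet host
            mapped, rule = translate("10.10.10.5", dst, rules, objs)
            print(f"{label:20s} 10.10.10.5 -> {dst:13s} leaves as {mapped:13s} via: {rule}")
```

Running it shows the three cases side by side: with the recommended rules a host going to a remote VPN subnet keeps its real address while internet traffic is PATed; with the original rule the VPN traffic is PATed to the interface address, which is why the remote LAN was unreachable; and with one mistyped subnet the packets for that subnet fall through the exempt rule to the after-auto PAT while the correctly typed subnet still works, which matches the "check the networks in the objects" advice above.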
05-05-2013 11:22 AM
Oh wow, that was it.... Silly mistake.... typo in the IP addresses.
Thank you for pointing me in the right direction.
05-05-2013 11:36 AM
Great to hear it's working now
- Jouni