Vlan1 to Vlan2 through Outside interface

Pete Sullivan
Level 1

Using ASA 8.2(5)

I'm trying to figure out how to allow traffic from a host on Vlan2 to Vlan1 using the public address that is NAT'd on the outside interface to a device on Vlan1.

Desired traffic flow

10.100.8.123 (vlan2) ====> 50.50.50.50 (public address)  ====> 10.100.1.122 (vlan1)

Current Config

!
interface Vlan1
nameif vlan1
security-level 100
ip address 10.100.1.254 255.255.255.0
!
interface Vlan2
nameif vlan2
security-level 100
ip address 10.100.8.254 255.255.255.0
!
interface Vlan200
nameif outside
security-level 0
ip address 192.168.50.75 255.255.255.0
static (vlan1,outside) 50.50.50.50 10.100.1.122 netmask 255.255.255.255
global (outside) 101 interface
access-group out_acl in interface outside
nat (vlan1) 0 access-list inside_outbound_nat0_acl
nat (vlan1) 101 0.0.0.0 0.0.0.0
nat (vlan2) 0 access-list inside_outbound_nat0_acl
nat (vlan2) 101 0.0.0.0 0.0.0.0
access-list inside_outbound_nat0_acl extended permit ip 10.100.8.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.100.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list out_acl extended permit icmp any host 50.50.50.50 object-group ping log
access-list out_acl extended permit tcp any host 50.50.50.50 object-group Ports-Servers-PVO
object-group service Ports-Servers-PVO tcp
port-object eq www
port-object eq https
port-object eq 3389

As you can see in the above config, traffic can flow directly from vlan2 to vlan1 (and back), and outside traffic can access 10.100.1.122 through the translated address 50.50.50.50.  These functions are working, but when vlan2 tries to access 10.100.1.122 on vlan1 through the public (50.50.50.50) address, the error message below is logged:

305013 172.20.1.1 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.100.8.123 dst vlan1:172.20.1.1 (type 8, code 0) denied due to NAT reverse path failure

Please help!  Like all things Cisco, I feel like the solution would be simple yet far away.

6 Replies

varrao
Level 10

Hi Pete,

you need to add these:

static (vlan1,vlan2) 50.50.50.50 10.100.1.122

same-security-traffic permit inter-interface

This should work.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Thank you Varun, I added this line to the config:

     static (vlan1,vlan2) 50.50.50.50 10.100.1.122

And verified that this line was already in the config:

     same-security-traffic permit inter-interface

I've also added this ACL

      access-list inside_outbound_nat0_acl extended permit ip 10.0.0.0 255.0.0.0 172.20.0.0 255.255.0.0

But the same error message below was generated when I tried to ping 172.20.1.1 from the 10.100.8.0 network:

     305013 50.50.50.50 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.100.8.123 dst vlan1:50.50.50.50 (type 8, code 0) denied due to NAT reverse path failure

What am I missing to make this work?  (I ran the clear xlate command after making these changes).


Hi Pete,

Please post :

show run static

show run route

show access-list  inside_outbound_nat0_acl

Anyway, if you want this traffic to get NAT-ed, that will certainly not happen if you add the flow to the NAT exempt ACL.

Dan

This is the output from the sh run static.  I used 50.50.50.50 in my example to represent what is 172.20.1.1 in the static entries below.

     static (vlan1,outside) 172.20.1.1 10.100.1.122 netmask 255.255.255.255

     static (vlan1,vlan2) 172.20.1.1 10.100.1.122 netmask 255.255.255.255

sh run route

     route outside 0.0.0.0 0.0.0.0 192.168.50.1 1

sh run access-list inside_outbound_nat0_acl

     access-list inside_outbound_nat0_acl extended permit ip 10.100.1.0 255.255.255.0 10.0.0.0 255.0.0.0

     access-list inside_outbound_nat0_acl extended permit ip 10.100.8.0 255.255.255.0 10.100.1.0 255.255.255.0

     access-list inside_outbound_nat0_acl extended permit ip 10.100.8.0 255.255.255.0 172.20.1.0 255.255.255.0

     access-list inside_outbound_nat0_acl extended permit ip 10.0.0.0 255.0.0.0 172.20.0.0 255.255.0.0

Can you help me understand what this means?

Anyway, if you want this traffic to get NAT-ed, that will certainly not happen if you add the flow to the NAT exempt ACL.

Are you saying that I need to add a flow to the NAT exempt ACL?

Pete, first of all:

Anyway, if you want this traffic to get NAT-ed, that will certainly not happen if you add the flow to the NAT exempt ACL.

Are you saying that I need to add a flow to the NAT exempt ACL?

No, I am saying that you should not add this traffic (10.100.8.0/24 -> 10.100.1.0/24) to NAT exemption.

This is what I saw in your initial config :

nat (vlan1) 0 access-list inside_outbound_nat0_acl

nat (vlan2) 0 access-list inside_outbound_nat0_acl

access-list inside_outbound_nat0_acl extended permit ip 10.100.8.0 255.255.255.0 10.100.1.0 255.255.255.0

access-list inside_outbound_nat0_acl extended permit ip 10.100.1.0 255.255.255.0 10.0.0.0 255.0.0.0

You must reconfigure your static statement:

no static (vlan1,vlan2) 172.20.1.1 10.100.1.122 netmask 255.255.255.255

static (vlan1,vlan2) 50.50.50.50 10.100.1.122 netmask 255.255.255.255

Dan
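The rule-precedence point Dan is making can be checked against the configuration posted in the thread with a small model. This is an added example, not code from the thread or from Cisco. It assumes the documented ASA 8.2 NAT order of operations (NAT exemption first, then static, then dynamic), that a deny entry in the exemption ACL excludes a flow from exemption, that the egress interface is already known rather than derived from the routing table, and that a connection is built only when the forward and reverse lookups agree. The "fixed" configuration, with a deny line in inside_outbound_nat0_acl for the server's replies toward vlan2, is this example's own assumption, a narrower form of Dan's advice, and not a command anyone in the thread posted. The outside client address 203.0.113.9 is constructed for the example.

```python
# Added example: a model of ASA 8.2 NAT rule selection, used to show why the
# thread's configuration logs 305013 "Asymmetric NAT rules matched".
# Assumptions (not stated on the page): per-ingress-interface evaluation in the
# order exemption (nat 0 access-list) -> static -> dynamic; a deny ACE in the
# exemption ACL removes the flow from exemption; the egress interface is given;
# a connection is accepted only if the reply's lookup agrees with the forward one.
import ipaddress

def ip(s):
    return ipaddress.ip_address(str(s))

def net(s):
    return ipaddress.ip_network(s, strict=False)

def exempt(ifc, aces):
    """nat (ifc) 0 access-list ...; aces are (action, src_net, dst_net)."""
    return {"kind": "exempt", "ifc": ifc,
            "aces": [(a, net(s), net(d)) for a, s, d in aces]}

def static(real_ifc, mapped_ifc, mapped, real):
    """static (real_ifc,mapped_ifc) mapped real netmask 255.255.255.255"""
    return {"kind": "static", "real_ifc": real_ifc, "mapped_ifc": mapped_ifc,
            "mapped": ip(mapped), "real": ip(real)}

def translate(cfg, ingress, egress, src, dst):
    """Return (src', dst', rule) for a packet entering `ingress` toward `egress`."""
    src, dst = ip(src), ip(dst)
    # 1. NAT exemption on the ingress interface: identity, highest precedence.
    for r in cfg:
        if r["kind"] == "exempt" and r["ifc"] == ingress:
            for action, s, d in r["aces"]:
                if src in s and dst in d:
                    if action == "permit":
                        return src, dst, "exempt"
                    break  # deny: not exempted, fall through to the statics
    # 2. static: translate the source when entering the real interface toward
    #    the mapped one; untranslate the destination the other way round.
    for r in cfg:
        if r["kind"] != "static":
            continue
        if (ingress, egress, src) == (r["real_ifc"], r["mapped_ifc"], r["real"]):
            return r["mapped"], dst, "static-src"
        if (ingress, egress, dst) == (r["mapped_ifc"], r["real_ifc"], r["mapped"]):
            return src, r["real"], "static-dst"
    # 3. nothing matched (the thread's nat/global 101 only applies toward the
    #    outside interface and is not modelled here).
    return src, dst, "none"

def check(cfg, ingress, egress, src, dst):
    """Forward lookup, then the reply's lookup; report whether they agree."""
    fsrc, fdst, frule = translate(cfg, ingress, egress, src, dst)
    # The reply leaves the real destination, addressed to the client as the
    # destination saw it.
    rsrc, rdst, rrule = translate(cfg, egress, ingress, fdst, fsrc)
    # Symmetric only if the reply's source translates back to the address the
    # client originally sent to, and its destination back to the client.
    ok = rsrc == ip(dst) and rdst == ip(src)
    return ("ok" if ok else "asymmetric"), frule, rrule

# Constructed from the thread's original configuration (50.50.50.50 in the first
# post stands for the 172.20.1.1 shown later in the thread).
NAT0 = [("permit", "10.100.8.0/24", "10.100.1.0/24"),
        ("permit", "10.100.1.0/24", "10.0.0.0/8")]
ORIGINAL = [exempt("vlan1", NAT0), exempt("vlan2", NAT0),
            static("vlan1", "outside", "172.20.1.1", "10.100.1.122"),
            static("vlan1", "vlan2", "172.20.1.1", "10.100.1.122")]

# Assumed fix (not from the thread): keep the exemption for the rest of the two
# VLANs but exclude the server's replies toward vlan2, so the static is the
# matching rule in both directions.
NAT0_FIXED = [("deny", "10.100.1.122/32", "10.100.8.0/24")] + NAT0
FIXED = [exempt("vlan1", NAT0_FIXED), exempt("vlan2", NAT0_FIXED),
         static("vlan1", "outside", "172.20.1.1", "10.100.1.122"),
         static("vlan1", "vlan2", "172.20.1.1", "10.100.1.122")]

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name)
        print("  outside -> 172.20.1.1 :", check(cfg, "outside", "vlan1", "203.0.113.9", "172.20.1.1"))
        print("  vlan2 -> 172.20.1.1   :", check(cfg, "vlan2", "vlan1", "10.100.8.123", "172.20.1.1"))
        print("  vlan2 -> 10.100.1.122 :", check(cfg, "vlan2", "vlan1", "10.100.8.123", "10.100.1.122"))
```

Run as a script it prints the three flows for each configuration. With the original rules the hairpin flow from vlan2 to 172.20.1.1 resolves to the static on the way in but to the exemption on the way back (the reply from 10.100.1.122 to 10.100.8.0/24 is covered by the 10.100.1.0/24 -> 10.0.0.0/8 line), which is the asymmetry 305013 reports. With the exemption narrowed, both directions resolve to the static. The model also shows the trade-off: once the server has a static toward vlan2, a vlan2 host reaching it by its real address 10.100.1.122 becomes asymmetric in turn, so vlan2 clients have to use 172.20.1.1 for that host.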

Dan, I think you did not understand what I was saying when I said "I used 50.50.50.50 in my example to represent what is 172.20.1.1 in the static entries below".  The 50.50.50.50 address was only used as an example so that it would be apparent that I was trying to route traffic from an inside vlan to a public address on the ASA which is NAT'd to another address on the inside.  Instead of the 50.50.50.50 address, I am actually using 172.20.1.1, so my config looks like this:

Current Config

!
interface Vlan1
nameif vlan1
security-level 100
ip address 10.100.1.254 255.255.255.0
!
interface Vlan2
nameif vlan2
security-level 100
ip address 10.100.8.254 255.255.255.0
!
interface Vlan200
nameif outside
security-level 0
ip address 192.168.50.75 255.255.255.0
static (vlan1,outside) 172.20.1.1 10.100.1.122 netmask 255.255.255.255
static (vlan1,vlan2) 172.20.1.1 10.100.1.122 netmask 255.255.255.255
global (outside) 101 interface
access-group out_acl in interface outside
nat (vlan1) 101 0.0.0.0 0.0.0.0
nat (vlan2) 101 0.0.0.0 0.0.0.0
nat (outside) 0 access-list inside_outbound_nat0_acl
access-list inside_outbound_nat0_acl extended permit ip 10.100.8.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.100.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list out_acl extended permit tcp any host 10.100.1.122
access-list out_acl extended permit icmp any host 172.20.1.1 object-group ping log
access-list out_acl extended permit tcp any host 172.20.1.1 object-group Ports-Servers-PVO
object-group service Ports-Servers-PVO tcp
port-object eq www
port-object eq https
port-object eq 3389

My question is: How can I allow 10.100.8.0/24 on vlan2 access to 172.20.1.1 (which is the public address NAT'd to the vlan1 address 10.100.1.122)?  What in my configuration needs to be changed/added?

I tried removing the two ACL entries from the inside_outbound_nat0_acl but that only caused the traffic between vlan1 and vlan2 to quit working, it did not help with allowing vlan2 access to the 172.20.1.1 address.

Thanks
