01-19-2014 07:58 PM - edited 03-11-2019 08:32 PM
Hi Everyone,
I have configured RA VPN full tunnel.
Inside interface of ASA is
Vlan1 inside 10.0.0.1 255.255.255.0 CONFIG
ip local pool 10-pool 10.0.0.51-10.0.0.100 mask 255.255.255.0
Need to know is it good design to have both on same subnet?
When I access the switch connected to the VPN ASA inside interface via https://10.0.0.2 (the switch has IP 10.0.0.2) while using the remote VPN connection to the ASA, it does not work and gives the error messages below:
Jan 19 2014 19:42:46: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/51077(LOCAL\ipsec-user) dst inside:10.0.0.2/443 denied due to NAT reverse path failure.
Jan 19 2014 19:42:57: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.0.0.51/51078(LOCAL\ipsec-user) dst inside:10.0.0.2/443 denied due to NAT reverse path failure
Jan 19 2014 19:42:59: %ASA-6-302014: Teardown TCP connection 22418 for outside:10.0.0.51/51069(LOCAL\ipsec-user) to identity:10.0.0.1/443 duration 0:01:08 bytes 1035 TCP Reset-O (ipsec-user)
Jan 19 2014 19:42:59: %ASA-6-106015: Deny TCP (no connection) from 10.0.0.51/51069 to 10.0.0.1/443 flags FIN ACK on interface outside
Current NAT config is
nat (inside,outside) source dynamic any interface
Regards
Mahesh
01-19-2014 11:14 PM
Hi Mahesh,
It should work but I generally would not suggest having the same network on the LAN and also configured partially as a VPN Pool network.
Your problem at the moment is simply lacking the NAT0 configuration for the traffic between LAN and VPN Pool.
I would suggest changing the VPN Pool first and then configuring this
object network LAN
subnet 10.0.0.0 255.255.255.0
object network VPN-POOL
subnet
nat (inside,outside) 1 source static LAN LAN destination static VPN-POOL VPN-POOL
We have to use the line number "1" in the above command so that it gets moved to the top since your current Dynamic PAT would otherwise override it.
In the future it would be best if you changed your current Dynamic PAT configuration to this
nat (inside,outside) after-auto source dynamic any interface
We simply add the "after-auto" to this Dynamic PAT configuration so that it gets moved down in priority. The "after-auto" refers to the fact that this NAT will be inserted after Auto NAT (after Section 2). Your current rule is Manual NAT (Section 1). The new rule will be Manual NAT (Section 3).
- Jouni
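To make the ordering point concrete, here is a small model of the ASA NAT section order and reverse-path check (added illustration, not Cisco code or anything from this thread). It assumes the VPN pool is 10.0.0.0/25 (the NETWORK_OBJ_10.0.0.0_25 object from later in the thread), and it deliberately ignores xlate tables: a reply flow is simply required to hit the same rule as the forward flow, or none.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Simplified model (constructed for illustration, not Cisco code) of ASA NAT
# ordering: Section 1 = manual NAT in line order, Section 2 = auto (object)
# NAT, Section 3 = manual NAT entered with "after-auto". The first match wins,
# and static twice-NAT rules such as NAT0 also match the reverse flow.

@dataclass
class Rule:
    name: str
    section: int    # 1, 2 or 3 as described above
    src_if: str
    dst_if: str
    src: str        # original source network, or "any"
    dst: str        # original destination network, or "any"
    static: bool    # True = static/identity (bidirectional), False = dynamic PAT

def _in(net, ip):
    return net == "any" or ip_address(ip) in ip_network(net)

def lookup(rules, src_if, dst_if, src_ip, dst_ip):
    """First rule the flow matches; sorted() is stable, so configured line
    order is preserved inside each section."""
    for r in sorted(rules, key=lambda r: r.section):
        if (r.src_if, r.dst_if) == (src_if, dst_if) and _in(r.src, src_ip) and _in(r.dst, dst_ip):
            return r
        if r.static and (r.dst_if, r.src_if) == (src_if, dst_if) and _in(r.dst, src_ip) and _in(r.src, dst_ip):
            return r
    return None

def connection_allowed(rules, src_if, dst_if, src_ip, dst_ip):
    """Reverse-path check: the reply flow must match the same rule as the forward
    flow, or no rule at all. A different rule would translate the reply
    differently, which is the condition behind %ASA-5-305013."""
    fwd = lookup(rules, src_if, dst_if, src_ip, dst_ip)
    rev = lookup(rules, dst_if, src_if, dst_ip, src_ip)
    return rev is None or rev is fwd

# Rules from the thread: the existing dynamic PAT, Jouni's NAT0 rule (the pool
# taken as 10.0.0.0/25, i.e. NETWORK_OBJ_10.0.0.0_25) and the PAT re-entered
# with "after-auto" so that it lands in Section 3.
PAT = Rule("dynamic PAT", 1, "inside", "outside", "any", "any", False)
NAT0 = Rule("NAT0 LAN<->VPN-POOL", 1, "inside", "outside", "10.0.0.0/24", "10.0.0.0/25", True)
PAT_AFTER_AUTO = Rule("dynamic PAT after-auto", 3, "inside", "outside", "any", "any", False)

ORIGINAL = [PAT]                      # Mahesh's current configuration
NAT0_AFTER_PAT = [PAT, NAT0]          # NAT0 added without the line number "1"
NAT0_LINE_1 = [NAT0, PAT]             # nat (inside,outside) 1 source static ...
PAT_DEMOTED = [PAT_AFTER_AUTO, NAT0]  # line order is irrelevant once PAT is in Section 3
```

Running the VPN-user-to-switch flow (outside 10.0.0.51 to inside 10.0.0.2) through each rule set shows the PAT winning the reverse lookup unless NAT0 sits above it or the PAT is demoted to Section 3.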
01-20-2014 07:37 AM
Hi Jouni,
If I use the same IP subnet for the LAN and the VPN pool, should I use NAT0 to make this work?
If I use the NAT config below
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
then I can access the switch connected to the ASA via https://10.0.0.2.
It seems your NAT config and the config above are pretty much the same; the only difference is "no-proxy-arp route-lookup".
I need to know what no-proxy-arp route-lookup does in this case.
Regards
Mahesh
01-20-2014 07:59 AM
Hi,
You will need NAT0 either way.
For the purpose of configuring NAT0 for your internal LAN you wouldn't necessarily need the "route-lookup" configuration. If you were to manage the ASA through the VPN using the "inside" interface IP address then you would need it (not exactly sure of the reason but this seems to be the case). In this case you would also need the "management-access inside" command.
The "route-lookup" parameter is meant to tell the ASA to follow the ASA routing table information rather than the information in this NAT configuration. Without the parameter the traffic would choose the destination interface purely based on the destination interface used in the actual "nat" command.
The "no-proxy-arp" setting disables Proxy ARP for this NAT configuration so that the ASA doesn't reply to ARP requests made for the MAC address of the NAT IP address used in the "nat" command. I have not seen the need to add this command in NAT0 configurations. I am not quite sure what device would even send an ARP request for such an IP address in our core network when there is naturally no private IP address range on the "outside" interface of the ASA that would generate these ARP requests.
- Jouni
01-20-2014 10:40 AM
Hi Jouni,
Will go through this post today to understand all this here.
Best Regards
Mahesh