12-27-2018 02:39 PM - edited 02-21-2020 08:36 AM
Hi,
I was playing around with ASA Site to Site VPN and NAT rules and created this rule for the traffic from DR_172.27.0.0 to go over the IPsec Tunnel to get to the HQ_192.168.0.0
Manual NAT Policies (Section 1)
1 (any) to (any) source static DR_172.27.0.0_16 DR_172.27.0.0_16 destination static HQ_192.168.0.0_16 HQ_192.168.0.0_16
translate_hits = 127129, untranslate_hits = 283609
> show running-config nat
nat (any,any) source static DR_172.27.0.0_16 DR_172.27.0.0_16 destination static HQ_192.168.0.0_16 HQ_192.168.0.0_16
Everything was fine on my Linux devices, but I realized that we have connectivity issues on our Windows VMs.
Tracing the problem revealed that the ARP table of the Windows machines shows the MAC address of the ASA's interface for the default gateway instead of the SVI of our core switch, which is the default gateway of those machines.
How is this possible? I mean, how can a NAT rule affect layer two connectivity like that by drawing all traffic toward itself instead of the supposed default gateway?
Thanks,
12-28-2018 12:05 AM
12-28-2018 03:16 PM
This is odd behavior. Perhaps gratuitous ARP is messing things up. Try adding the keyword no-proxy-arp to the end of your NAT statement. For example:
nat (any,any) source static DR_172.27.0.0_16 DR_172.27.0.0_16 destination static HQ_192.168.0.0_16 HQ_192.168.0.0_16 no-proxy-arp
Also, as Abheesh has mentioned, be more specific with regard to the source and destination interface configuration for NAT.
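As an added example (not from the thread or from Cisco), here is a small Python check that parses "show running-config nat" output and flags static/identity rules that will proxy-ARP for their mapped networks on every interface, i.e. the pattern that produced the ARP symptom above. The sample config is constructed: its first line is the rule from the thread, the "inside"/"outside" interface names and the other two rules are assumptions.

```python
import re

# Constructed sample of "show running-config nat" output. The first line is the
# rule from the thread; the other two are made up for the check.
SAMPLE_NAT_CONFIG = """\
nat (any,any) source static DR_172.27.0.0_16 DR_172.27.0.0_16 destination static HQ_192.168.0.0_16 HQ_192.168.0.0_16
nat (inside,outside) source static DR_172.27.0.0_16 DR_172.27.0.0_16 destination static HQ_192.168.0.0_16 HQ_192.168.0.0_16 no-proxy-arp
nat (inside,outside) source dynamic any interface
"""

# Twice-NAT syntax: nat (real_if,mapped_if) source static|dynamic REAL MAPPED
#   [destination static MAPPED REAL] [options...]
NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"source (?P<src_kind>static|dynamic) (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+))?(?P<opts>.*)$"
)


def audit_nat_rules(config_text):
    """Return static rules that still proxy-ARP for their mapped addresses;
    rules using "any" as an interface are rated high, the rest informational."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = NAT_RE.match(line)
        if not m:
            continue
        static_mapping = m["src_kind"] == "static" or m["dst_mapped"] is not None
        if not static_mapping or "no-proxy-arp" in m["opts"].split():
            # Dynamic PAT to the interface address does not announce a remote
            # subnet, and no-proxy-arp disables the ARP replies outright.
            continue
        uses_any = "any" in (m["real_if"], m["mapped_if"])
        findings.append({
            "line": lineno,
            "rule": line,
            # With "any" the ASA answers ARP for the mapped networks on every
            # interface, including the one where the real subnet already lives.
            "severity": "high" if uses_any else "info",
            "mapped_networks": [n for n in (m["src_mapped"], m["dst_mapped"]) if n],
            "fix": "add no-proxy-arp and name the real/mapped interfaces",
        })
    return findings


if __name__ == "__main__":
    for f in audit_nat_rules(SAMPLE_NAT_CONFIG):
        print(f"line {f['line']} [{f['severity']}]: {f['rule']}\n  -> {f['fix']}")
```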