05-27-2014 07:06 AM - edited 03-04-2019 11:02 PM
Hi there,
I stumbled upon your site from a Google search. Basically, I am trying to PAT inside hosts to the internet using the interface IP address of the ASA, and at the same time exempt two hosts on the same internal subnet that use a site-to-site VPN tunnel. Here is my partial config:
object network INSIDE-HOSTS
subnet 192.168.5.0 255.255.255.0
nat (inside,outside) dynamic interface
The nat exemptions for the vpn tunnel are as follows:
nat (inside,outside) source static inside-ip-vpn inside-ip-vpn destination static remote-vpn remote-vpn
The VPN tunnel and exemptions work, but the NAT to the internet doesn't! All other configuration such as the default route and access lists seems OK, so I am thinking NAT is the issue.
What could I be missing?
05-28-2014 06:28 AM
Hey Alan,
Whenever you apply an ACL on the inside interface, the security levels are no longer enforced, so you need to explicitly permit the traffic you want to allow.
In other words, you have:
object-group network DM_INLINE_NETWORK_3
 network-object object POSTEL-LIVE
 network-object object POSTEL-TEST
object-group network DM_INLINE_NETWORK_4
 network-object object umoja-live
 network-object object umoja-test
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object tcp
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_4
So only the IP, ICMP and TCP traffic from POSTEL-LIVE to umoja-live is allowed. I believe you need to add an ACE to allow going anywhere, so you will need to add something like this (INSIDE-HOSTS is a network object, so it is referenced with "object", and an extended ACE needs a protocol):
access-list inside_access_in extended permit ip object INSIDE-HOSTS any
For the return traffic to be successful you also need
a) An ACL allowing from anywhere to inside hosts
or
b) Having the protocol in the stateful table by inserting it into the global_policy: "fixup protocol icmp" does the trick.
Let me know if this makes sense. Do a packet-tracer and post the results if this is still not working!
JJ
05-27-2014 08:23 AM
Alan, does PAT for Internet connectivity fail for all inside hosts, or just for the hosts listed in the inside-ip-vpn ACL? Also, run packet-tracer for an instance of a non-VPN host trying to reach a public IP address and an instance of a VPN host trying to reach the Internet, and post the results.
05-28-2014 12:12 AM
Hi William,
Thanks for taking the time to respond. The PAT for internet connectivity does not work for any inside host. The NAT exemption does work, since I can ping hosts on the other end of the site-to-site VPN tunnel.
I have attached the relevant sections of the configuration for your review. From the trace, it appears that an access list is denying the traffic. Why would that be the case when interface PAT is configured for the traffic to pass?
For the record, I am using a software version greater than 8.3.
Thanks
05-27-2014 08:34 AM
Post the ACL for inside-ip-vpn and remote-vpn. Clear conn and clear xlate, do a packet-tracer and post the results...
05-28-2014 12:14 AM
Hi jponcedo,
Thanks for taking the time to respond. The PAT for internet connectivity does not work for any inside host. The NAT exemption does work, since I can ping hosts on the other end of the site-to-site VPN tunnel.
I have attached the relevant sections of the configuration for your review. From the trace, it appears that an access list is denying the traffic. Why would that be the case when interface PAT is configured for the traffic to pass?
For the record, I am using a software version greater than 8.3.
Thanks
05-28-2014 10:53 PM
OK guys, you are right. The problem was resolved by creating an access rule, as explained by jponcedo. I suppose what baffled me is why I would need to create an access rule even after a PAT statement. I had thought that by default, traffic from a higher security interface (inside) to a lower security interface (outside) was allowed. Thanks for all your help guys.
05-28-2014 09:33 AM
I agree with jponcedo: the input access list check comes before the NAT translation in the order of operations. Modify it, then test and run another packet-tracer.
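The two points made in this thread (the inside-interface ACL is evaluated before NAT, so a matching PAT rule never gets a chance to translate a packet the ACL has already dropped, and ICMP replies need inspection or an inbound ACE to get back in) can be shown with a small model of the ASA's ingress pipeline. The block below is an added example written for this page, not the poster's configuration or any Cisco code; it reuses the object names from the thread but the addresses for POSTEL-LIVE, umoja-live, inside-ip-vpn, remote-vpn and the internet destination are constructed placeholders, and the "before" ACL is reduced to the single POSTEL-LIVE to umoja-live entry that the answer describes.

```python
# Toy model of the ASA 8.3+ order of operations discussed in the thread:
# interface ACL first (implicit deny at the end), then NAT lookup, then,
# for reply traffic, the stateful connection table. Not Cisco code.
import ipaddress
from dataclasses import dataclass

# Object names from the thread; all addresses except INSIDE-HOSTS are
# constructed placeholders (the thread does not give them).
OBJECTS = {
    "INSIDE-HOSTS": ipaddress.ip_network("192.168.5.0/24"),    # from the thread
    "POSTEL-LIVE": ipaddress.ip_network("192.168.5.10/32"),    # constructed
    "umoja-live": ipaddress.ip_network("10.99.0.0/24"),        # constructed
    "inside-ip-vpn": ipaddress.ip_network("192.168.5.10/32"),  # constructed
    "remote-vpn": ipaddress.ip_network("10.99.0.0/24"),        # constructed
}
INTERNET_HOST = "203.0.113.10"   # constructed public address (TEST-NET-3)


@dataclass(frozen=True)
class Ace:
    proto: str   # "ip", "tcp" or "icmp"
    src: str     # object name or "any"
    dst: str


@dataclass(frozen=True)
class NatRule:
    kind: str    # "static-identity" (NAT exemption) or "dynamic-interface" (PAT)
    src: str
    dst: str


# inside_access_in as the thread shows it (only POSTEL-LIVE -> umoja-live)...
ACL_BEFORE = [Ace("ip", "POSTEL-LIVE", "umoja-live")]
# ...and with the ACE the accepted answer recommends appended.
ACL_AFTER = ACL_BEFORE + [Ace("ip", "INSIDE-HOSTS", "any")]

# Manual (twice) NAT rules are evaluated before object NAT, so the
# exemption comes first and the interface PAT rule second.
NAT_TABLE = [
    NatRule("static-identity", "inside-ip-vpn", "remote-vpn"),
    NatRule("dynamic-interface", "INSIDE-HOSTS", "any"),
]


def _match(name, addr):
    return name == "any" or addr in OBJECTS[name]


def acl_permits(acl, proto, src, dst):
    """First-match evaluation; falling off the end is the implicit deny."""
    for ace in acl:
        if ace.proto in ("ip", proto) and _match(ace.src, src) and _match(ace.dst, dst):
            return True
    return False


def nat_lookup(nat_table, src, dst):
    """Return the kind of the first matching NAT rule, or None (untranslated)."""
    for rule in nat_table:
        if _match(rule.src, src) and _match(rule.dst, dst):
            return rule.kind
    return None


def packet_trace(acl, nat_table, proto, src_ip, dst_ip):
    """Model of 'packet-tracer input inside ...': ACL phase, then NAT phase."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if not acl_permits(acl, proto, src, dst):
        return "DROP: ACCESS-LIST"          # PAT rule is never consulted
    nat = nat_lookup(nat_table, src, dst)
    return f"ALLOW: {nat}" if nat else "ALLOW: untranslated"


def outbound_then_reply(acl, nat_table, proto, src_ip, dst_ip, icmp_inspect=False):
    """Send one packet inside->outside, then its reply outside->inside.

    TCP creates a connection entry; ICMP only does when ICMP inspection is
    in the global policy (option (b) in the answer). A reply that matches
    an existing conn bypasses the outside ACL; otherwise it hits the
    outside interface's implicit deny (option (a) would be an inbound ACE).
    """
    conns = set()
    verdict = packet_trace(acl, nat_table, proto, src_ip, dst_ip)
    if not verdict.startswith("ALLOW"):
        return verdict, "DROP: no outbound connection"
    if proto != "icmp" or icmp_inspect:
        conns.add((proto, src_ip, dst_ip))
    if (proto, src_ip, dst_ip) in conns:
        return verdict, "ALLOW: existing conn"
    return verdict, "DROP: no conn (outside implicit deny)"


if __name__ == "__main__":
    for name, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(name, "internet:", packet_trace(acl, NAT_TABLE, "tcp", "192.168.5.20", INTERNET_HOST))
        print(name, "vpn peer:", packet_trace(acl, NAT_TABLE, "icmp", "192.168.5.10", "10.99.0.5"))
    print("icmp reply, no inspect:", outbound_then_reply(ACL_AFTER, NAT_TABLE, "icmp", "192.168.5.20", INTERNET_HOST))
    print("icmp reply, inspect:   ", outbound_then_reply(ACL_AFTER, NAT_TABLE, "icmp", "192.168.5.20", INTERNET_HOST, icmp_inspect=True))
```

Running it shows the thread's symptom directly: with the original ACL a non-VPN host's packet to the internet is reported as dropped by the access list even though the PAT rule would match it, while the VPN host's packet to the remote subnet is permitted and hits the identity (exemption) rule; after the extra ACE the internet packet reaches the PAT rule, and the exemption still wins for VPN traffic because manual NAT is checked first. The last two lines show why an ICMP echo gets out but its reply does not come back until inspection (or an inbound ACE) is added.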