NAT rule order CISCO ASDM

jelenb (Level 1)

I have configured my Cisco ASA to translate internal addresses to external (WAN) interface. Everything works right, internet connection works as expected. 


I have created site to site tunnel between ASA and AWS. I was able to ping resources on AWS from hosts behind ASA but not other way around. I have finally discovered that the problem is with NAT Rules. 

Here is how I have this set up:

[screenshot 1.jpg: the ASDM NAT rule table]


If I disable the last rule (#3), I am able to access internal hosts from AWS but I am not able to access the internet.

How do I set this up so that when I communicate to and from AWS the inside addresses are not translated, but if I initiate communication from inside to anywhere other than AWS, the ASA translates everything to outside (WAN)?

obj-amz (VPC in AWS 196.168.0.0)
obj-SrcNet (Subnet INSIDE - behind ASA 10.0.1.0) 


Accepted Solution

Richard Burts (Hall of Fame)

This is usually accomplished by configuring a static NAT which translates the inside and outside addresses to themselves, which essentially exempts that traffic from being translated by your rule #3.

HTH

Rick


7 Replies

Thank you Richard. I have changed rule number 3 (source NAT type) from Dynamic PAT to Static, and it worked like a charm.

Can you please explain a little more about how it works? I really would like to understand this concept. Maybe you know some articles or YouTube tutorials that could be helpful.

I don't understand why rules number 1 and 2 were not overriding rule number 3.

Hello,

Have a look at the site linked below; it has a pretty good explanation of how NAT exemptions work...

https://www.practicalnetworking.net/stand-alone/cisco-asa-nat/#asa-identity-nat
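Rick's "static NAT that translates the addresses to themselves" and the NAT exemption (identity NAT) described in the linked article are the same ASA configuration. Below is an added example in ASA 8.3+ CLI syntax; it is not from any post in this thread and not from the linked site. It uses the object names the original poster gave (obj-SrcNet, obj-amz). The VPC prefix 196.168.0.0 is copied from the thread as written; the /16 and /24 masks, the interface names inside/outside, and the host addresses used in the packet-tracer commands are assumptions.

```cisco
! Added example, not taken from the thread. Object names are the poster's;
! masks are assumed, the VPC prefix is exactly as the poster wrote it.
object network obj-SrcNet
 subnet 10.0.1.0 255.255.255.0
object network obj-amz
 subnet 196.168.0.0 255.255.0.0

! Manual NAT rules form section 1 and are evaluated top-down, first match wins.
! This rule maps obj-SrcNet to itself and obj-amz to itself (identity NAT), so
! traffic between the two subnets keeps its real addresses. The ASA also
! matches the reverse flow, which is why AWS-initiated connections work too.
! no-proxy-arp stops the ASA answering ARP for 196.168.0.0 on the outside
! interface; route-lookup picks the egress interface from the routing table.
nat (inside,outside) source static obj-SrcNet obj-SrcNet destination static obj-amz obj-amz no-proxy-arp route-lookup

! Dynamic PAT to the outside interface for everything else. Written as object
! NAT it lands in section 2, which is consulted only after no section 1 rule
! matched, so the exemption above always wins for tunnel traffic.
object network obj-SrcNet
 nat (inside,outside) dynamic interface

! If the PAT is written as manual NAT instead, place it in section 3 with
! after-auto (or at least below the exemption in section 1). The "Move Up /
! Move Down" buttons in the ASDM NAT Rules table change this same ordering.
! nat (inside,outside) after-auto source dynamic obj-SrcNet interface

! Verification: rule sections with hit counts, then a simulated packet in each
! direction. The identity rule should be reported for 10.0.1.x <-> 196.168.0.x
! and the PAT rule for 10.0.1.x to any other destination (203.0.113.5 is a
! constructed placeholder internet host).
show nat detail
packet-tracer input inside icmp 10.0.1.10 8 0 196.168.0.10
packet-tracer input outside icmp 196.168.0.10 8 0 10.0.1.10
packet-tracer input inside tcp 10.0.1.10 12345 203.0.113.5 443
```

The point of the ordering is that the ASA stops at the first matching rule within a section and only then falls through to the next section. A dynamic PAT placed above the exemption in section 1 matches every inside source before the exemption is ever consulted, which is the symptom in the original post: with the PAT rule enabled, tunnel traffic is translated and AWS cannot reach the real 10.0.1.0 addresses; with it disabled, the tunnel works but nothing else is translated for the internet. The `show nat detail` hit counts are the quickest way to confirm which rule a given flow actually hit.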

This is awesome. Thank you Georg!

Thank you again. I fixed it by following the steps from the recommended website. I needed to set up a NAT exemption rule that does not translate addresses over the tunnel.

I am a bit confused. In a previous response you said that you changed rule 3 and it worked. In the most recent post what I see as rule 2 looks to be the same as original rule 3, not a changed rule.

[edit] Apparently while I was typing my response the post was changed from one saying that there was still a problem to saying that it is fixed. Glad to know that it is fixed.

HTH

Rick

That is correct. I was as confused as you are. Yesterday, after I changed rule number 3 to static NAT, everything worked great. Therefore I got rid of some rules that were not needed and everything was still working as expected.

This was not the case anymore this morning... I have no idea why, but I followed the articles suggested by George, set up the exemption rule, and now everything seems to be working again.
