05-03-2011 09:54 AM
Hi all, I have a problem with my hairpinning setup on ASA 8.4.1
I'm using the subnet 10.0.0.0/16 for my network, and I used 10.0.1.0 for VPN.
I have the same security-level permit intra-interface.
Initially, I made a pool for the whole inside subnet so everything should be NATed:
object network inside_dmz
subnet 10.0.0.0 255.255.0.0
nat (any,outside) dynamic interface
but my VPN users are not NATed.
I have then created that rule just to be sure:
object network vpn_net
subnet 10.0.1.0 255.255.255.0
nat (outside,outside) dynamic interface
but that's not working either.
I turned on debug ip icmp 200 so that we normally see the NAT translation in real time (I'm pinging 8.8.8.8).
This is what happens from the VPN host:
*ICMP echo request from outside:10.0.1.1 to outside:8.8.8.8 ID=1 seq=39 len=32
This is from inside:
ICMP echo request from inside:10.0.0.2 to outside:209.85.146.99 ID=1 seq=5 len=32
ICMP echo request translating inside:10.0.0.2/1 to outside:192.168.0.253/43825
ICMP echo reply from outside:209.85.146.99 to inside:192.168.0.253 ID=43825 seq=5 len=32
ICMP echo reply untranslating outside:192.168.0.253/43825 to inside:10.0.0.2/1
I also made a real time capture:
asa(config)# capture CAP1 interface outside real-time match icmp any any
ICMP echo request from outside:10.0.1.1 to outside:8.8.8.8 ID=1 seq=47 len=32
1: 18:51:20.462683 802.1Q vlan#1 P0 10.0.1.1 > 8.8.8.8: icmp: echo request
Packets are leaving the ASA without being NATed.
All my NAT rules:
asa(config)# sh nat detail
Manual NAT Policies (Section 1)
1 (any) to (outside) source static any any destination static RVPN RVPN
translate_hits = 5, untranslate_hits = 3473
Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0
Destination - Origin: 10.0.1.0/24, Translated: 10.0.1.0/24
2 (outside) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.0.253/24
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static DesktopPC_Nat interface service udp 16810 16810
translate_hits = 299148, untranslate_hits = 29558
Source - Origin: 10.0.0.2/32, Translated: 192.168.0.253/24
Service - Protocol: udp Real: 16810 Mapped: 16810
2 (dmz) to (outside) source static DMZ_Server interface service udp 39527 39527
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.0.88.5/32, Translated: 192.168.0.253/24
Service - Protocol: udp Real: 39527 Mapped: 39527
3 (dmz) to (outside) source static DMZ_Server_rdp interface service tcp 3389 3390
translate_hits = 0, untranslate_hits = 9
Source - Origin: 10.0.88.5/32, Translated: 192.168.0.253/24
Service - Protocol: tcp Real: 3389 Mapped: 3390
4 (outside) to (outside) source dynamic vpn_net interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.0.1.0/24, Translated: 192.168.0.253/24
5 (any) to (outside) source dynamic inside_dmz interface
translate_hits = 852080, untranslate_hits = 14233
Source - Origin: 10.0.0.0/16, Translated: 192.168.0.253/24
Don't know if I missed something here, but I'd appreciate your help.
05-03-2011 10:02 AM
Oh, I just found what I missed: my NAT exemption rule was exempting VPN traffic from being NATed:
nat (any,outside) source static any any destination static RVPN RVPN
replaced by
nat (any,outside) source static inside_dmz inside_dmz destination static RVPN RVPN
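An added example, not code from the thread or from Cisco, that models why the original exemption rule caught the VPN-to-Internet traffic. It is a toy Python evaluation of the two NAT sections: Section 1 (manual/twice NAT) is checked first and matches both flow directions, so "source static any any destination static RVPN RVPN" also matches packets sourced from the VPN pool going anywhere (the untranslate_hits counter), and the dynamic PAT in Section 2 is never reached. Interfaces and ordering within Section 2 are ignored; the rule builders and the lookup helper are assumptions made for this illustration.

```python
import ipaddress

# Constructed model of ASA 8.3+ NAT evaluation order (not ASA code):
# Section 1 (manual/twice NAT) is checked before Section 2 (object/auto NAT),
# and a Section 1 rule also matches the reverse flow, i.e. its "destination"
# object is compared against a packet's *source* on the way back out.

ANY = ipaddress.ip_network("0.0.0.0/0")
RVPN = ipaddress.ip_network("10.0.1.0/24")         # object RVPN (VPN pool)
INSIDE_DMZ = ipaddress.ip_network("10.0.0.0/16")   # object inside_dmz


def manual_identity_rule(src_obj, dst_obj):
    """Section 1: 'source static <src> <src> destination static <dst> <dst>'."""
    return {"section": 1, "src": src_obj, "dst": dst_obj, "action": "identity (no NAT)"}


def auto_dynamic_rule(src_obj):
    """Section 2: 'nat (x,outside) dynamic interface' on an object."""
    return {"section": 2, "src": src_obj, "dst": ANY, "action": "PAT to outside interface"}


def matches(rule, src, dst):
    forward = src in rule["src"] and dst in rule["dst"]
    # Twice NAT is bidirectional: the reverse flow matches too.
    reverse = rule["section"] == 1 and src in rule["dst"] and dst in rule["src"]
    return forward or reverse


def lookup(rules, src, dst):
    """Return the action of the first matching rule, Section 1 before Section 2."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r["section"]):
        if matches(rule, src, dst):
            return rule["action"]
    return "no NAT"


# Before the fix: exemption with 'source static any any'.
BEFORE = [manual_identity_rule(ANY, RVPN), auto_dynamic_rule(INSIDE_DMZ)]
# After the fix: exemption limited to inside_dmz as the source.
AFTER = [manual_identity_rule(INSIDE_DMZ, RVPN), auto_dynamic_rule(INSIDE_DMZ)]

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, "VPN client -> 8.8.8.8:", lookup(rules, "10.0.1.1", "8.8.8.8"))
        print(name, "inside -> VPN client:", lookup(rules, "10.0.0.2", "10.0.1.1"))
```

With the original rule the VPN client hits the identity rule in reverse and leaves untranslated; with the narrowed source it falls through to the dynamic PAT while inside-to-VPN traffic is still exempted.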