Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3431
Views
35
Helpful
17
Replies

ASA Can perform 'policy NAT' but VPNs not work

tholmes
Level 1
Level 1

‎01-30-2014 01:36 PM

Hello,

I've got a tough one, so any help would be greatly appreciated.

I'm implementing a new network for hosting customers. Each new customer will have their own public routable subnet.

The ASA5525X firewall needs to have multiple default static routes to the Internet via each public next hop IP address

           

route hostcust01-outside   0.0.0.0 0.0.0.0    195.119.10.14   1

route hostcust02-outside   0.0.0.0 0.0.0.0    195.119.10.22   2    (I've hidden the real IP addresses)

ah the ASA doesn't support policy based routing I hear you say, but it does if these NAT statements are added

object network hostcust01-outside-PAT

host 195.119.10.13

object network hostcust01-outside-PAT

host 195.119.10.21

object network hostcust01-inside

subnet 10.1.201.0 255.255.255.0

object network hostcust02-inside

subnet 10.1.202.0 255.255.255.0

nat (hostcust01-outside,hostcust01-inside) after-auto source static any any destination static hostcust01-outside-PAT hostcust01-inside

nat (hostcust02-outside,hostcust02-inside) after-auto source static any any destination static hostcust02-outside-PAT hostcust02-inside

This works very well, packets from 10.1.201.x egress via host01-outside interface , and packets from 10.1.202.X egress using host02-outside interface

It performs a kind of inverse NAT translation, outside,inside, to ensure the correct egress interface is used in the NAT table and overrides any route lookup (I think)

The problem comes when adding a VPN identify NAT

nat (hostcust02-inside,hostcust02-outside) source static host-cust02-inside  host-cust02-inside destination static remote_192.168.101.0_24 remote_192.168.101.0_24 no-proxy-arp route-lookup

This VPN identity NAT is higher in the list than the other after-autos but the ASA doesn't want to use it, instead uses that other NAT

Packet tracer shows this

NGD-HE-FW1# packet-tracer input hostcust02-inside icmp 10.1.202.10 1 8 192.168.101.10 detail

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (hostcust02-outside,hostcust02-inside) after-auto source static any any destination static hostcust02-outside-PAT hostcust02-inside-nets

Additional Information:

NAT divert to egress interface hostcust02-outside

Untranslate 192.168.101.10/0 to 192.168.101.10/0

(CAN I STOP IT USING THIS NAT EVEN THOUGH ITS THE LOWEST ONE IN THE NAT LIST  ???)

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group hostcust02-inside in interface hostcust02-inside

access-list hostcust02-inside extended permit ip any any

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7fff379c9ed0, priority=13, domain=permit, deny=false

        hits=3390, user_data=0x7fff2fee9d80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=hostcust02-inside, output_ifc=any

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7fff379e64d0, priority=0, domain=inspect-ip-options, deny=true

        hits=3429, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=hostcust02-inside, output_ifc=any

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7fff379e5ef0, priority=66, domain=inspect-icmp-error, deny=false

        hits=1557, user_data=0x7fff379b6db0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0

        input_ifc=hostcust02-inside, output_ifc=any

Phase: 5

Type: DEBUG-ICMP

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7fff3813f510, priority=13, domain=debug-icmp-trace, deny=false

        hits=1557, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0

        input_ifc=hostcust02-inside, output_ifc=any

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (hostcust02-inside,hostcust02-outside) source static host-cust02-internal-10.1.202.0 host-cust02-internal-10.1.202.0 destination static cust-02-remote01_192.168.101.0_24 cust-02-remote01_192.168.101.0_24 no-proxy-arp route-lookup

Additional Information:

Static translate 10.1.202.10/0 to 195.119.10.13/0                               ........................(PAT USED BUT NOT WANTED FOR VPN)

Forward Flow based lookup yields rule:

in  id=0x7fff388b7230, priority=6, domain=nat, deny=false

        hits=1, user_data=0x7fff38001e20, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=10.1.202.0, mask=255.255.255.0, port=0

        dst ip/id=192.168.101.0, mask=255.255.255.0, port=0, dscp=0x0

        input_ifc=hostcust02-inside, output_ifc=hostcust02-outside

Phase: 7

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (hostcust02-outside,hostcust02-inside) after-auto source static any any destination static hostcust02-outside-PAT hostcust02-inside-nets

Additional Information:

Forward Flow based lookup yields rule:

out id=0x7fff37925ce0, priority=6, domain=nat-reverse, deny=false

        hits=12, user_data=0x7fff3841fc00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=10.1.202.0, mask=255.255.255.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=hostcust02-inside, output_ifc=hostcust02-outside

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 12124, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_dbg_icmp

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

Result:

input-interface: hostcust02-inside

input-status: up

input-line-status: up

output-interface: hostcust02-outside    ............  CORRECT INTERFACE USED BUT NO VPN TUNNEL OR EVEN CRYPTO ACL USED !!

output-status: up

output-line-status: up

Action: allow

Any ideas, I didn't design it, I'm only trying to get it to work.

Regards Tony

Labels:
0 Helpful
17 Replies 17

Jouni Forss
VIP Alumni
VIP Alumni
In response to tholmes

‎01-31-2014 10:48 AM

Thanks,

Have not stayed in US or UK other than for a couple of vacation/work trips. Was at the Cisco Live! 2013 London last year.

The thing is, we start to learn English from age 9 or so at third grade so there has been plenty of time to learn and considering all the TV Series/Movies/Games are in English (atleast the good ones ) its pretty inevitable that you will learn some English. Also same thing with my networking studies, all in English. Main problem is that you tend to get to write it more than actually talk it.

- Jouni

0 Helpful

tholmes
Level 1
Level 1
In response to Jouni Forss

‎02-03-2014 01:53 AM

Hi Jouni,

Just a quick update, and a bit of a strange one but I'm getting these results...

Version 8.6.1

Method 1 :

nat (hostcust01-outside,hostcust01-inside) after-auto source static any any destination static hostcust01-outside-PAT hostcust01-inside-nets

nat (hostcust02-outside,hostcust02-inside) after-auto source static any any destination static hostcust02-outside-PAT hostcust02-inside-nets

These NAT commands work and traffic uses the correct egress depending on source IP

Method 2:

nat (hostcust01-inside,hostcust01-outside) after-auto source dynamic hostcust01-inside-nets hostcust02-outside-PAT destination static ALL ALL

nat (hostcust02-inside,hostcust02-outside) after-auto source dynamic hostcust02-inside-nets hostcust02-outside-PAT destination static ALL ALL

These commands do not work

Upgrade to Version 9.1.1

Once upgraded the opposite to applies, method 1 does NOT work, however, method 2 does

But VPN identity NAT still refuses to work,  whichever IOS is used, so it still can not be deployed in a customer network, the ASA seems to ignore the identity NAT rules even though they are at the top of the NAT list

I'll try to engage TAC

Cheers Tony

0 Helpful

tholmes
Level 1
Level 1
In response to tholmes

‎02-07-2014 03:52 AM

I drew a blank with TAC as they won't open a case for me without a support contract.... to fix the problem in their ASA X series platform :-/

I've worked around the issue by utilising the 2 default contexts and have a dedicated VPN context now (L2L VPN supported in 9.1.1)

So now I've got policy based static nat and L2L VPN working.

Regards Tony

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents