ASA VPN Configuration

Mokhalil82
Level 4

Hi

I have configured a site-to-site VPN on an ASA. At the other site there is a Watchguard firewall. The VPN has not established; I have no isakmp or ipsec sessions established. Here is the config I am using; can anyone see if I am missing something? It's my first VPN using the command line.

object-group network SITEA
subnet 10.57.254.0 255.255.255.0

object-group network SITEB
NETWORK-OBJECT 10.254.10.0 255.255.255.0

crypto ikev1 enable outside

access-list VPN_TRAFFIC_ALLOWED extended permit ip object-group SITEA Object-Group SITEB

nat (inside,outside) source static SITEA SITEB destination static SITEA SITEB

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key X.X.X.X
exit

crypto ikev1 policy 10
authentication pre-share
Encryption AES 256
hash sha
lifetime 28800

crypto ipsec ikev1 transform-set TS-ESP-AES-SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 1 match address VPN_TRAFFIC_ALLOWED
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set ikev1 transform-set TS-ESP-AES-SHA
crypto map outside_map 1 interface outside

Accepted Solution

Fabian Ortega
Level 1

Hello.

Please correct the NAT-0 with this line:

nat (inside,outside) source static SITEA SITEA destination static SITEB SITEB no-proxy-arp route-lookup

If you still experience issues send me the output from:

packet-tracer input inside icmp 10.57.254.10 8 0 10.254.10.10 detailed

Regards,

Hi

I have applied the no-proxy-arp option, but it does not let me apply route-lookup; I get the following error: "ERROR: Option route-lookup is only allowed for static identity case"

Below is the output of the packet trace

ciscoasa(config)# packet-tracer input inside icmp 10.57.254.10 8 0 10.254.10.1$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffd59e2c50, priority=1, domain=permit, deny=false
        hits=109880, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop X.X.X.X using egress ifc  outside

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Inside_Subnet
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.57.254.10/0 to X.X.X.X/14998
 Forward Flow based lookup yields rule:
 in  id=0x7fffd59f90d0, priority=6, domain=nat, deny=false
        hits=33352, user_data=0x7fffd5ba4270, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.57.254.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffd52acfd0, priority=0, domain=nat-per-session, deny=true
        hits=36976, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffd5b9f080, priority=0, domain=inspect-ip-options, deny=true
        hits=33358, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffd5b9e930, priority=66, domain=inspect-icmp-error, deny=false
        hits=1, user_data=0x7fffd59dae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 34449, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Hello,

Please share with me the NAT rule you are trying to apply so I can review it.

Also, share with me the output from "show run NAT"; from the packet-tracer, I can see the VPN traffic is not hitting the NAT-0 statement yet.

The traffic is hitting this NAT rule, "nat (inside,outside) dynamic interface", which is the default rule for going out to the internet (PAT).

Try placing this statement at the very top of your NAT rules:

nat (inside,outside) 1 source static SITEA SITEA destination static SITEB SITEB no-proxy-arp route-lookup

Please note that source and destination are static. Make sure you are applying the right statement. And note this part of the statement:

source static SITEA SITEA (you are translating SITEA to itself in order to make the NAT-0). In the original statement you are trying to translate SITEA to SITEB, which is incorrect and therefore gives you the error "Option route-lookup is only allowed for static identity case".

Hi

I am trying to apply the following NAT; it's actually meant to be site A to site B:

nat (inside,outside) 1 source static SITEA SITEB destination static SITEA SITEB no-proxy-arp

The rule is meant to ensure the VPN traffic is not NATted.

Here's the output of show run NAT:

nat (inside,outside) source static SITEA SITEB destination static SITEA SITEB no-proxy-arp
!
object network Mgmt_Server
 nat (inside,outside) static interface service tcp 3389 3389
object network Prime_1
 nat (inside,outside) static interface service tcp https https
object network Inside_Subnet
 nat (inside,outside) dynamic interface

Please apply the following configuration; just copy and paste it, then run the packet-tracer again and the tunnel should come up.

no nat (inside,outside) source static SITEA SITEB destination static SITEA SITEB no-proxy-arp

nat (inside,outside) 1 source static SITEA SITEA destination static SITEB SITEB no-proxy-arp route-lookup

packet-tracer input inside icmp 10.57.254.10 8 0 10.254.10.10 detailed

Hi

I've changed the NAT rule and this time it accepted the route-lookup option; however, it still seems to hit the dynamic NAT when doing the packet trace.

ciscoasa(config)# packet-tracer input inside icmp 10.57.254.10 8 0 10.254.10.1$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop X.X.X.X using egress ifc  outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Inside_Subnet
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.57.254.10/0 to X.X.X.X/23408
 Forward Flow based lookup yields rule:
 in  id=0x7fffd59f90d0, priority=6, domain=nat, deny=false
        hits=33423, user_data=0x7fffd5ba4270, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.57.254.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffd52acfd0, priority=0, domain=nat-per-session, deny=true
        hits=37051, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffd5b9f080, priority=0, domain=inspect-ip-options, deny=true
        hits=33429, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffd5b9e930, priority=66, domain=inspect-icmp-error, deny=false
        hits=4, user_data=0x7fffd59dae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 34524, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Please send me the actual "show run nat" after the configuration change. Remember to delete the old NAT by applying this line:

no nat (inside,outside) source static SITEA SITEB destination static SITEA SITEB no-proxy-arp

Regards,

Hi

Yes, I have deleted the old NAT; here's the output:

ciscoasa(config)# sh run nat
nat (inside,outside) source static SiteA SiteA destination static SiteB SiteB no-proxy-arp route-lookup
!
object network Mgmt_Server
 nat (inside,outside) static interface service tcp 3389 3389
object network Prime_1
 nat (inside,outside) static interface service tcp https https
object network Inside_Subnet
 nat (inside,outside) dynamic interface

ciscoasa(config)# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static SiteA SiteA   destination static SiteB SiteB no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static Mgmt_Server interface   service tcp 3389 3389
    translate_hits = 0, untranslate_hits = 679
2 (inside) to (outside) source static Prime_1 interface   service tcp https https
    translate_hits = 0, untranslate_hits = 281
3 (inside) to (outside) source dynamic Inside_Subnet interface
    translate_hits = 33438, untranslate_hits = 62

Hello,

I think you might have an issue with your network objects; let's configure the NAT and a new set of objects from scratch.

object network SITEA_NAT
 subnet 10.57.254.0 255.255.255.0

object network SITEB_NAT
 subnet 10.254.10.0 255.255.255.0

no nat (inside,outside) source static SiteA SiteA destination static SiteB SiteB no-proxy-arp route-lookup

nat (inside,outside) source static SITEA_NAT SITEA_NAT destination static SITEB_NAT SITEB_NAT no-proxy-arp route-lookup

And replace the VPN ACL with:

access-list VPN_TRAFFIC_ALLOWED extended permit ip object SITEA_NAT object SITEB_NAT

This should solve your issue, otherwise you could attach your running configuration.

Hi

I'm not sure, but I believe this could be the issue. I have 2 objects (mgmt server and Prime) that are part of the internal 10.57.254.0 subnet. The objects are configured for NATting to the outside interface on different port numbers; this was initially to allow myself access to the servers from the outside.

object network Mgmt_Server
 nat (inside,outside) static interface service tcp 3389 3389
object network Prime_1
 nat (inside,outside) static interface service tcp https https

Afterwards I configured the VPN to site B, and now I want these servers accessible from site B. So I am now configuring a NO-NAT for the VPN traffic, which includes those servers. The site A object group contains the subnet with the above servers.

Am I right in assuming I need to clear the object NATs for the servers and just leave the NO-NAT for the VPN?

Thanks

So after clearing the NATs for those servers I now get the following output from the packet trace. I have noticed the route lookup points to my internet gateway. Am I meant to have a route to the next hop of site B for the site B subnet?

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop X.X.X.X using egress ifc  outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static SiteA SiteA destination static SiteB SiteB no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.254.0.10/0 to 10.254.0.10/0

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static ANS ANS destination static OPUS OPUS no-proxy-arp route-lookup
Additional Information:
Static translate 10.57.254.1/0 to 10.57.254.1/0
 Forward Flow based lookup yields rule:
 in  id=0x7fffd5b95710, priority=6, domain=nat, deny=false
        hits=2, user_data=0x7fffd5a016a0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.57.254.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=10.254.0.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffd52acfd0, priority=0, domain=nat-per-session, deny=true
        hits=37537, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffd5b9f080, priority=0, domain=inspect-ip-options, deny=true
        hits=33857, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffd5b9e930, priority=66, domain=inspect-icmp-error, deny=false
        hits=13, user_data=0x7fffd59dae30, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static SiteA SiteA destination static SiteB SiteB no-proxy-arp route-lookup
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fffd5cef860, priority=6, domain=nat-reverse, deny=false
        hits=3, user_data=0x7fffd51375e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=10.57.254.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=10.254.0.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 34974, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

According to this packet-tracer the NAT-0 is now working. Now it seems the traffic is not hitting the crypto process. Please send me these outputs:

1. show run crypto

2. show access-list VPN_TRAFFIC_ALLOWED

Regards,
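
An added helper, not from this thread and not Cisco tooling, that automates the reading Fabian does by hand above: it parses packet-tracer output into phases, reports which nat statement translated the forward flow and whether that statement is an identity (NAT-0) rule, and checks for a Type VPN phase, which the ASA adds once the flow matches the crypto-map ACL. The sample trace is constructed in the format quoted in this thread, with the public address replaced by a documentation-range placeholder.

```python
import re

# Constructed sample in the packet-tracer format quoted in this thread (ids
# and hit counters trimmed, the public address replaced by 203.0.113.2).
SAMPLE_TRACE = """\
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Inside_Subnet
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.57.254.10/0 to 203.0.113.2/14998

Result:
"""

# twice NAT: source static A B destination static C D (optional line number)
TWICE_NAT = re.compile(r"nat \(\w+,\w+\) (?:\d+ )?source static (\S+) (\S+) "
                       r"destination static (\S+) (\S+)")

def parse_phases(text):
    """One dict per phase: scalar fields, plus the Config lines as a list."""
    phases, cur, section = [], None, None
    for line in text.splitlines():
        if line == "Result:":            # final summary block: no more phases
            break
        if line.startswith("Phase:"):
            cur = {"Phase": int(line.split(":", 1)[1]), "Config": []}
            phases.append(cur)
            section = None
        elif cur is None or not line.strip():
            continue
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"             # free text, not needed for the verdict
        elif section == "config":
            cur["Config"].append(line.strip())
        elif section is None:
            key, _, val = line.partition(":")
            cur[key.strip()] = val.strip()
    return phases

def is_identity_nat(nat_line):
    """True only for the NAT-0 form 'source static A A destination static B B';
    'SITEA SITEB' rewrites addresses, which is why route-lookup was refused."""
    m = TWICE_NAT.search(nat_line or "")
    return bool(m) and m.group(1) == m.group(2) and m.group(3) == m.group(4)

def diagnose(text):
    """Which nat statement translated the forward flow (Type NAT, empty Subtype),
    is it an exemption, and was a Type VPN phase (crypto-map ACL match) reached."""
    phases = parse_phases(text)
    hits = [l for p in phases if p.get("Type") == "NAT" and p.get("Subtype") == ""
            for l in p["Config"] if l.startswith("nat ")]
    nat = hits[0] if hits else None
    return {"nat_rule": nat, "nat_exempt": is_identity_nat(nat),
            "reached_crypto": any(p.get("Type") == "VPN" for p in phases)}
```

Run against the sample it reports the dynamic PAT rule, no exemption and no crypto hit, which is exactly the state of the earlier traces in this thread.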

Hi

Here are the outputs:

ciscoasa# sh run crypto
crypto ipsec ikev1 transform-set TS-ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set ikev1 transform-set TS-ESP-AES-SHA
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

ciscoasa# SH access-list VPN_TRAFFIC_ALLOWED
access-list VPN_TRAFFIC_ALLOWED; 14 elements; name hash: 0x6e81142a
access-list VPN_TRAFFIC_ALLOWED line 1 extended deny ip object-group SiteA object-group WIRELESS (hitcnt=0) 0xaf3f60c9
  access-list VPN_TRAFFIC_ALLOWED line 1 extended deny ip 10.57.254.0 255.255.255.0 10.50.240.0 255.255.254.0 (hitcnt=0) 0x738bf07a
  access-list VPN_TRAFFIC_ALLOWED line 1 extended deny ip 10.57.254.0 255.255.255.0 10.80.240.0 255.255.255.0 (hitcnt=0) 0x784a1ac9
  access-list VPN_TRAFFIC_ALLOWED line 1 extended deny ip 10.57.254.0 255.255.255.0 10.70.220.0 255.255.254.0 (hitcnt=0) 0xcfc0efc0
  access-list VPN_TRAFFIC_ALLOWED line 1 extended deny ip 10.57.254.0 255.255.255.0 172.27.172.0 255.255.255.0 (hitcnt=0) 0xf3b14c38
access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip object-group SiteA object-group SiteB (hitcnt=0) 0x7044c160
  access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip 10.57.254.0 255.255.255.0 10.254.0.0 255.255.255.0 (hitcnt=0) 0x00f8f078
  access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip 10.57.254.0 255.255.255.0 10.255.0.0 255.255.255.0 (hitcnt=0) 0xea91957d
  access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip 10.57.254.0 255.255.255.0 10.19.0.0 255.255.0.0 (hitcnt=0) 0xe0dccd0c
  access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip 10.57.254.0 255.255.255.0 10.20.0.0 255.255.0.0 (hitcnt=0) 0xa6eb0555
  access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip 10.57.254.0 255.255.255.0 10.50.0.0 255.255.0.0 (hitcnt=0) 0x5487a1df
  access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip 10.57.254.0 255.255.255.0 10.55.0.0 255.255.0.0 (hitcnt=0) 0x6c7514cd
  access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip 10.57.254.0 255.255.255.0 10.60.0.0 255.255.0.0 (hitcnt=0) 0x909a6bf0
  access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip 10.57.254.0 255.255.255.0 10.70.0.0 255.255.0.0 (hitcnt=0) 0xcd5ea52b
  access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip 10.57.254.0 255.255.255.0 10.80.0.0 255.255.0.0 (hitcnt=0) 0x1c0a83f3
  access-list VPN_TRAFFIC_ALLOWED line 2 extended permit ip 10.57.254.0 255.255.255.0 10.90.0.0 255.255.0.0 (hitcnt=0) 0x22915b53

By the way, although I have mentioned just the one subnet for simplicity, there are actually a few different subnets at site B.

Hello

Were you able to resolve the issue yet?
