Can ping ASA inside interface but not inside network

mwaltner12
Level 1

So something weird was happening when we were setting up a VPN connection yesterday (tunnel is up now and passing traffic). Here is a diagram of our topology:

(10.26.0.0/16)--ASA-1-------------ASA-2--(192.168.1.0)

So our tunnel didn't come up right away, but while troubleshooting I found that from the inside network on ASA 1 I could pass traffic just fine to the ASA 2 inside interface (192.168.1.1), but I could not get traffic to any other host on that network. During this troubleshooting, there was not a no-NAT statement for the network 192.168.1.0/24, which explains why I could not get to any hosts, but how was I able to reach the inside interface, which is also on that network?

I was not able to find any documentation or other people's experiences explaining this. Is it because the traffic to the interface is still local in the ASA and not inbound to the inside interface?


9 Replies

Share the config for both ASAs.

MHM

I can, but I forgot to specify that the tunnel is up and passing traffic just fine now, I just thought that was a weird behavior. Do you still want the configs?

If it works in the end, then no need to share the config.

You mention tunnel and no-NAT,

This confuses me.

Is the VPN policy-based or route-based VPN?

MHM

It is policy-based.

So I could see that there was an SA between the two ASAs, but I could only ping the ASA inside interface on the remote network (192.168.1.1) and not the rest of the hosts on the network. After adding this statement:

nat (inside,outside) source static NETWORK_OBJ_192.168.2.1_24 NETWORK_OBJ_192.168.1.0_24 destination static MAIN-SITE-PO MAIN-SITE-PO no-proxy-arp route-lookup

I could connect to every host just fine.

Why we need no-NAT:
Let's see the traffic flow of a ping from remote to local.

1- Traffic from remote LAN to local LAN

This traffic is decrypted and sent to the local LAN.

2- Traffic returns from local LAN to remote LAN

3- Usually we use dynamic NAT for local (inside) to Internet; this dynamic NAT NATs the return traffic, and hence it does not hit the ACL and is not encrypted.

Here comes the no-NAT.

We config no-NAT to make the return traffic bypass dynamic NAT and keep its original IP, hit the ACL and get encrypted.

So this is the normal behavior of ASA policy-based VPN.

MHM
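The flow described above, written out as an ASA 8.3+ configuration fragment on the 192.168.1.0/24 side. This is an added example, not config from the thread; interface names, the outside address 203.0.113.10, the object names and the verification hosts are constructed, and the `management-access` line reflects the later reply in this thread rather than anything the original poster confirmed.

```cisco
! Constructed example: ASA-2 side of the tunnel (inside = 192.168.1.0/24)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
object network REMOTE-LAN
 subnet 10.26.0.0 255.255.0.0
!
! Dynamic PAT for Internet-bound hosts (object NAT, evaluated in section 2).
! On its own, VPN return traffic from inside hosts also matches this rule,
! leaves with the outside address, and never matches the crypto ACL.
object network LOCAL-LAN
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! NAT exemption: identity twice NAT in section 1, checked before object NAT,
! so LOCAL-LAN -> REMOTE-LAN keeps its real addresses and is encrypted.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! Crypto ACL matches the un-NATed addresses, which is why the exemption matters.
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 10.26.0.0 255.255.0.0
!
! Traffic sourced by the ASA's own inside interface (192.168.1.1) is not
! classified as coming from the inside nameif, so it never hits the dynamic
! NAT rule; this line additionally allows ICMP/management to that interface
! from the far end of the tunnel.
management-access inside
!
! Verification (constructed hosts): the exemption should show as section 1,
! and a host-to-host ping should hit the identity rule, not the dynamic PAT.
! show nat detail
! packet-tracer input inside icmp 192.168.1.50 8 0 10.26.0.5 detailed
```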

I do understand that, but why was I able to talk to 192.168.1.1 without the no-NAT config?

@mwaltner12 do you perhaps have "management-access <interfacename>" configured? That would allow ICMP (as well as mgmt traffic) over the VPN tunnel to the ASA's far interface.

Any NAT has a boundary; this boundary is built from source to destination interface nameif.

The dynamic NAT command includes two nameifs, Inside and Outside,

and here is the trick:

The ASA interface itself uses identity as its nameif, not Inside,

and this makes its traffic bypass NAT automatically (no NAT needed).

The traffic from the inside interface will be marked as coming from the Inside nameif and hence hits dynamic NAT and needs NO-NAT to bypass it.

MHM

I figured it was bypassing it somehow, I just couldn't find anything that said how. Thank you @MHM Cisco World and @Rob Ingram