11-19-2013 12:16 PM
I'm trying to configure ASA for the specific scenario.
ASA5545X, IOS 8.6(1)2, single contest, routed mode.
interface GigabitEthernet0/0
description Outside interface
nameif Outside
security-level 0
ip address 207.X.X.X 255.255.255.0
interface GigabitEthernet0/2
nameif WAN-DMZ
security-level 50
ip address 192.168.8.81 255.255.255.224
object network remote.172.21.198.0
subnet 172.21.198.0 255.255.255.0
object network Destination.test
subnet Y.Y.Y.0 255.255.255.0
description test
route Outside 0.0.0.0 0.0.0.0 207.X.X.1 1
route WAN-DMZ 0.0.0.0 0.0.0.0 192.168.8.65 3 (I realize this route is not in the routing table and can be omited)
nat (Outside,WAN-DMZ) source static remote.172.21.198.0 remote.172.21.198.0 destination static Destination.test Destination.test no-proxy-arp
There is a configuration for Lan-to-Lan ikev1 VPN. No NAT, vpn filter applied.
Connection comes in on Outside interface, from the dynamic peer. Tunnels are formed. Traffic from remote site, 172.21.198.0 can reach any explicitly defined and routed network inside.
The goal is to route all traffic from remote site (172.21.198.0 decrypted) out of WAN-DMZ interface.
As there is no PBR on ASA platform, identity NAT has the loophole, accordning to Cisco documnetation.
(Please refer to http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html
"•(Routed mode) The default real and mapped interface is Any, which applies the rule to all interfaces.
•(8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You cannot configure this setting. (8.4(2) and later) The default behavior for identity NAT has proxy ARP enabled, matching other static NAT rules. You can disable proxy ARP if desired. See the "Routing NAT Packets" section for more information.
•If you specify an optional interface, then the ASA uses the NAT configuration to determine the egress interface. (8.3(1) through 8.4(1)) The only exception is for identity NAT, which always uses a route lookup, regardless of the NAT configuration. (8.4(2) and later) For identity NAT, the default behavior is to use the NAT configuration, but you have the option to always use a route lookup instead. See the "Routing NAT Packets" section for more information."
Please also refer to "Cisco ASA 5500 Series Configuration Guide using the CLI 8.4"
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/route_overview.html#wp1095480
Egress Interface Selection Process
The selection process follows these steps:
1. If a destination IP translating XLATE already exists, the egress interface for the packet is determined
from the XLATE table, but not from the routing table.
2. If a destination IP translating XLATE does not exist, but a matching static translation exists, then
the egress interface is determined from the static route and an XLATE is created, and the routing
table is not used.
3. If a destination IP translating XLATE does not exist and no matching static translation exists, the
packet is not destination IP translated. The ASA processes this packet by looking up the route to
select the egress interface, then source IP translation is performed (if necessary).
For regular dynamic outbound NAT, initial outgoing packets are routed using the route table and
then creating the XLATE. Incoming return packets are forwarded using existing XLATE only. For
static NAT, destination translated incoming packets are always forwarded using existing XLATE or
static translation rules.
So the XLATE is in place:
ASA# sh xlate
1 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from Outside:172.21.198.0/24 to WAN-DMZ:172.21.198.0/24
flags sI idle 1:24:49 timeout 0:00:00
But the XLATE never gets hit (see error message in the log below)
ASA# sh nat int Outside detail
Manual NAT Policies (Section 1)
1 (Outside) to (WAN-DMZ) source static remote.172.21.198.0 remote.172.21.198.0 destination static Lenta Lenta no-proxy-arp
translate_hits = 0, untranslate_hits = 0
Source - Origin: 172.21.198.0/24, Translated: 172.21.198.0/24
Destination - Origin: 81.19.85.0/24, Translated: 81.19.85.0/24
The Egress interface does not change to WAN-DMZ. The following error message can be seen in LOGs:
6 Nov 19 2013 14:42:14 302014 172.21.198.22 2934 81.19.85.87 80 Teardown TCP connection 15403 for Outside:172.21.198.22/2934 to Outside:81.19.85.87/80 duration 0:00:00 bytes 0 Flow is a loopback
Intra-interface communication should not be on, as far as I understand.
What am I missing in this scenario?
Is there any other workaround?
11-19-2013 12:54 PM
Hi,
The egress interface selection has been a bit of an headache for me at some points and a source of confusion. I have read the exact same things you have mentioned in your post about the software level after which the behaviour of the ASA should change.
However, we for example have a couple of ASAs running 8.4(2) that still dont act as the Cisco documentation states which I find very dissapointing.
If there is no problems with the configurations (as it seems the NAT configuration is at the very top) you probably need to move to 9.0(x) or 9.1(x) software where I have found that the NAT works as is described in the documentation. Most of my tests are done on original ASA series so they dont support the software you are using. (Its the starting software for ASA5500-X Series) I use 8.4(5) and upwards for my tests
If there would be no errors in the configuration then I would say the problem might be on the software level even though the documentation indicates that it should work in your software. Then again as I said already, the documentation has been proven wrong by myself once already.
I was wondering if we could get any output with "packet-tracer" but the problem might be that the traffic is supposed to be entering from a L2L VPN connection.
- Jouni
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide