01-05-2023 08:58 AM
Hello.
In the below config snippet...
-----
object network VPN-Pool
nat (Outside,Outside) dynamic interface
object network VENDOR_1
host 1.1.1.1
object-group network VPN_VENDORS
network-object object VENDOR_1
access-list Split_Tunnel extended permit ip host 1.1.1.1 object VPN-Pool
nat (Inside,Outside) source static VPN_VENDORS VPN_VENDORS destination static VPN-Pool VPN-Pool
...could you please explain:
1. why is a seemingly "outside to outside" NAT needed?
2. why is "object" needed in "network-object object VENDOR_1"?
3. the overall logic, and why the 2x mentions within "VPN_VENDORS VPN_VENDORS destination static VPN-Pool VPN-Pool"?
Thank you!
01-05-2023 09:25 AM - edited 01-05-2023 09:50 AM
1. Used in full tunnel anyconnect RAVPN scenarios, when the RAVPN users need to access the internet. The source interface of anyconnect user is the "outside" interface, so anyconnect traffic is tunneled to the ASA and hairpins back out the "outside" interface to access the internet.
2. object-group VPN_VENDORS is referencing an object called VENDOR_1.
3. This is a NAT exemption rule: traffic between VPN_VENDORS and VPN-Pool should not be translated.
"nat (inside,outside) source static ORIGINAL-SRC TRANSLATED-SRC destination static ORIGINAL-DST TRANSLATED-DST"
Without a NAT exemption rule, traffic between those networks would usually be unintentionally translated by another NAT rule.
01-05-2023 10:30 AM
"3. This is a NAT exemption rule, traffic between VPN_VENDORS and VPN-Pool should not be translated.
"nat (inside,outside) source static ORIGINAL-SRC TRANSLATED-SRC destination static ORIGINAL-DST TRANSLATED-DST"
Without a NAT exemption rule, traffic between those networks would usually be unintentionally translated by another NAT rule."
-Does this imply that besides the statement...
"nat (Inside,Outside) source static VPN_VENDORS VPN_VENDORS destination static VPN-Pool VPN-Pool"
...there MUST exist a primary NAT statement...
"nat (inside,outside) source static ORIGINAL-SRC TRANSLATED-SRC destination static ORIGINAL-DST TRANSLATED-DST" ?
If so, can you please show, using the object examples above, the code (syntax) for this primary NAT statement?
Thank you Rob!
01-05-2023 10:38 AM - edited 01-05-2023 10:38 AM
@jmaxwellUSAF if the NAT rule below existed (or something similar that encompasses the VPN_VENDORS network).
object network VPN_VENDORS
nat (inside,outside) dynamic interface
...all traffic from VPN_VENDORS on the inside interface destined to the outside interface would be translated behind the outside interface IP address.
That is why you need the NAT exemption rule (your example), as it would have a higher priority, so traffic matching it (between VPN_VENDORS and VPN-Pool) would be translated to itself (not translated at all).
01-05-2023 10:48 AM
Thank you for your reply.
I don't understand why we need more than 1 NAT statement at all. It seems logical that the anyconnect users could simply follow 1 NAT rule (like in routers): "The VPN-POOL always NATs to the outside public IP address."
How many NATs are required? When is a new NAT required?
Thank you Rob!
01-05-2023 11:01 AM - edited 01-05-2023 11:17 AM
@jmaxwellUSAF If just the following NAT rule exists, traffic from inside to outside is translated behind the outside interface.
object network VPN_VENDORS
nat (inside,outside) dynamic interface
If you have an anyconnect VPN tunnelling all traffic back to the ASA and those users need internet access, then you need a specific NAT rule from outside to outside (as you have). Traffic won't match the rule above, as the source interface is different. You only need this NAT rule if you are using full tunnel and want the anyconnect users to access the internet.
object network VPN-Pool
nat (outside,outside) dynamic interface
Traffic to/from VPN_VENDORS to VPN-Pool would match the first NAT rule, which would unintentionally be translated behind the outside interface (this is generally undesirable). This is where you need a NAT Exemption rule.
nat (inside,outside) source static VPN_VENDORS VPN_VENDORS destination static VPN-Pool VPN-Pool
...this ensures the defined traffic (to/from VPN_VENDORS and VPN-Pool) is not translated behind the outside interface (the first NAT rule).
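The rule precedence Rob describes (the manual NAT exemption in section 1 is evaluated before the object NAT rules in section 2, so matching traffic is translated to itself) as an added Python model; this is not code from the thread or from Cisco, and the VPN-Pool subnet 10.10.10.0/24, the outside interface address 203.0.113.1 and the sample client/internet addresses are constructed assumptions because the post does not show them. VPN_VENDORS is modelled as a network object containing VENDOR_1 (1.1.1.1), as in Rob's hypothetical object NAT rule.

```python
import ipaddress

# Constructed assumptions (not in the thread): pool subnet and outside interface IP.
OUTSIDE_IF_IP = "203.0.113.1"
OBJECTS = {"VPN_VENDORS": [ipaddress.ip_network("1.1.1.1/32")],   # VENDOR_1 from the post
           "VPN-Pool": [ipaddress.ip_network("10.10.10.0/24")]}   # assumed pool

def in_obj(ip, name):
    return any(ipaddress.ip_address(ip) in net for net in OBJECTS[name])

# Rule = (section, ingress, egress, source object, destination object, action).
# Section 1 = manual (twice) NAT, checked first in configured order;
# section 2 = object (auto) NAT, checked only if nothing in section 1 matched.
NAT_TABLE = [
    # nat (Inside,Outside) source static VPN_VENDORS VPN_VENDORS destination static VPN-Pool VPN-Pool
    (1, "inside", "outside", "VPN_VENDORS", "VPN-Pool", "identity"),
    # object network VPN_VENDORS / nat (inside,outside) dynamic interface
    (2, "inside", "outside", "VPN_VENDORS", None, "interface"),
    # object network VPN-Pool / nat (outside,outside) dynamic interface (hairpin)
    (2, "outside", "outside", "VPN-Pool", None, "interface"),
]

def translate(ingress, egress, src, dst, table=NAT_TABLE):
    """Return (translated source address, description of the matching rule)."""
    for section in (1, 2):
        for sec, r_in, r_out, s_obj, d_obj, action in table:
            if sec != section:
                continue
            fwd = ((ingress, egress) == (r_in, r_out) and in_obj(src, s_obj)
                   and (d_obj is None or in_obj(dst, d_obj)))
            rev = (d_obj is not None and (ingress, egress) == (r_out, r_in)   # static twice NAT
                   and in_obj(src, d_obj) and in_obj(dst, s_obj))            # is bidirectional
            if fwd or rev:
                return (src if action == "identity" else OUTSIDE_IF_IP,
                        f"section {sec}: nat ({r_in},{r_out}) {s_obj}")
    return src, "no NAT rule matched"

def thread_scenarios(table=NAT_TABLE):
    """Flows from the thread; 10.10.10.5 (VPN client) and 198.51.100.10 are constructed."""
    vendor, client, internet = "1.1.1.1", "10.10.10.5", "198.51.100.10"
    return {
        "vendor->vpn_client": translate("inside", "outside", vendor, client, table)[0],
        "vpn_client->vendor": translate("outside", "inside", client, vendor, table)[0],
        "vendor->internet": translate("inside", "outside", vendor, internet, table)[0],
        "vpn_client->internet": translate("outside", "outside", client, internet, table)[0],
    }

# Same table without the exemption rule: the unintended translation the thread warns about.
WITHOUT_EXEMPTION = [rule for rule in NAT_TABLE if rule[0] != 1]
```

Running `thread_scenarios()` against the full table leaves vendor-to-pool traffic untranslated in both directions while internet-bound traffic from the vendor and the hairpinned VPN client is PATed behind the outside interface; against `WITHOUT_EXEMPTION`, the vendor-to-pool flow falls through to the object NAT rule and is translated.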