NAT exemption not working

Bogdan Nita
VIP Alumni

Hello,

I've configured a site-to-site VPN, but I seem to have some problems configuring NAT exemption.

I've configured NAT exemption, but I also have a static NAT for that IP.

From what I can figure out, the IP is still translated using the static NAT.

Shouldn't nat 0 exclude all other NAT?

NAT configuration:

access-list NAT_ZERO_inside line 1 extended permit ip host 192.168.1.2 192.168.0.0 255.255.0.0
nat (inside) 0 access-list NAT_ZERO_inside
static (inside,outside) <public_ip> 192.168.1.2 netmask 255.255.255.255

Crypto ACL:

access-list encrypt_acl extended permit ip host 192.168.1.2 192.168.51.2 255.255.255.248

Packet tracer:

ciscoasa# packet-tracer input inside tcp 192.168.1.2 1234 192.168.51.3 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.51.2   255.255.255.248 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_ACL in interface inside
access-list inside_ACL extended permit tcp host 192.168.1.2 any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside host 192.168.1.2 outside 192.168.0.0 255.255.0.0
    NAT exempt
    translate_hits = 4, untranslate_hits = 0
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) <public_ip> 192.168.1.2 netmask 255.255.255.255
  match ip inside host 192.168.1.2 outside any
    static translation to <public_ip>
    translate_hits = 91922501, untranslate_hits = 9551831
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) <public_ip> 192.168.1.2 netmask 255.255.255.255
  match ip inside host 192.168.1.2 outside any
    static translation to <public_ip>
    translate_hits = 91922503, untranslate_hits = 9551831
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

2 Replies

Jouni Forss
VIP Alumni

Hi,

The NAT0 configuration overrides any Static NAT configuration.

Even though you see the Static NAT in the output of the "packet-tracer", it doesn't mean that it gets applied. If it was, you would see the actual translation in the field "Additional Information".

The more likely reason seems to be that your L2L VPN configuration isn't matching between your site and the remote site.

Though while using the "packet-tracer" to test connections applying to an L2L VPN, you will pretty much always issue the command twice, since the first "packet-tracer" command will always fail with the VPN Phase drop as the L2L VPN is just beginning the negotiation.

So can you issue the command twice and copy/paste the second output here? If it's different from the above, that is.

If the VPN Phase still doesn't go through, that means that there is a problem with the VPN parameters for the connection.

And that's a totally different troubleshooting scenario again.

- Jouni
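As an added example (not part of either post, and not a Cisco tool), the following Python script parses packet-tracer output of the kind shown in the question and reports which NAT decision actually applies to the flow and at which phase the packet is dropped. It assumes the "Phase: N / Type / Subtype / Result / Config / Additional Information" layout shown above; the sample text is a trimmed, constructed copy of the output in the question (phases 1, 2, 3 and 6 left out, the <public_ip> placeholder kept as posted).

```python
import re

# Constructed sample: a trimmed copy of the packet-tracer output in the question.
SAMPLE = """\
Phase: 4
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip inside host 192.168.1.2 outside 192.168.0.0 255.255.0.0
    NAT exempt
    translate_hits = 4, untranslate_hits = 0
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) <public_ip> 192.168.1.2 netmask 255.255.255.255
  match ip inside host 192.168.1.2 outside any
    static translation to <public_ip>
    translate_hits = 91922501, untranslate_hits = 9551831
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phase dicts plus the final
    summary dict (input-interface, Action, Drop-reason, ...)."""
    phases, summary = [], {}
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
            continue
        if line == "Result:":            # a bare "Result:" opens the final summary
            cur, section = None, None
            continue
        if cur is None:                  # summary "key: value" lines
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
            continue
        if line == "Config:":
            section = "config"
            continue
        if line == "Additional Information:":
            section = "info"
            continue
        if section is None:              # Type / Subtype / Result header lines
            key, _, val = line.partition(":")
            cur[key.strip().lower()] = val.strip()
        else:
            cur[section].append(line)
    return phases, summary


def effective_nat(phases):
    """Which NAT decision applies. NAT exemption (nat 0 access-list) is evaluated
    before static NAT, so an ALLOW in a NAT-EXEMPT phase means the static rule
    printed in later NAT phases is listed but does not translate this flow."""
    if any(p["type"] == "NAT-EXEMPT" and p["result"] == "ALLOW" for p in phases):
        return "exempt"
    if any(p["type"] == "NAT" and any("static translation" in c for c in p["config"])
           for p in phases):
        return "static"
    return "none"


def drop_point(phases, summary):
    """(phase number, type, subtype, drop reason) of the first DROP, or None."""
    for p in phases:
        if p["result"] == "DROP":
            return p["phase"], p["type"], p["subtype"], summary.get("Drop-reason", "")
    return None


if __name__ == "__main__":
    ph, summ = parse_packet_tracer(SAMPLE)
    print("effective NAT:", effective_nat(ph))   # exempt
    print("dropped at:", drop_point(ph, summ))    # phase 7, VPN encrypt
```

Run against the full output from the question, the script reports "exempt" for the NAT decision and phase 7 (VPN/encrypt) as the drop point, which is what the reply above says: the static rule is displayed, but the exemption wins, and the real failure is in the VPN phase.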

Thank you Jouni!

I did not know about the "Additional Information" field.

I did a "debug crypto isakmp" and it is an L2L VPN.

Jun 12 13:50:58 [IKEv1]: Group = , IP =, Removing peer from correlator table failed, no match!

Jun 12 13:50:58 [IKEv1]: Group = , IP =, Session is being torn down. Reason: User Requested

I guess the crypto ACL is not mirrored on the other side.

Confirmation may take a while, because I don't have access to the other side.

Regards,

Bogdan
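An added example, not from the thread: a small Python check that parses ASA extended ACEs and tests whether a remote crypto ACL is the exact mirror of the local one, whether the nat 0 ACL covers all traffic the crypto ACL selects, and whether a given src/dst pair (the packet-tracer arguments) is selected by the crypto ACL at all. The local ACEs are copied from the question; the remote ACEs are constructed, and the access-list name outside_cryptomap is an assumption.

```python
from ipaddress import ip_address, ip_network

# Local ACEs copied from the question.
CRYPTO_ACL = ("access-list encrypt_acl extended permit ip "
              "host 192.168.1.2 192.168.51.2 255.255.255.248")
NAT0_ACL = ("access-list NAT_ZERO_inside line 1 extended permit ip "
            "host 192.168.1.2 192.168.0.0 255.255.0.0")

# Constructed remote-side ACEs (the name "outside_cryptomap" is an assumption):
# one that mirrors the local ACE exactly, one with a /24 instead of a /29.
REMOTE_OK = ("access-list outside_cryptomap extended permit ip "
             "192.168.51.0 255.255.255.248 host 192.168.1.2")
REMOTE_BAD = ("access-list outside_cryptomap extended permit ip "
              "192.168.51.0 255.255.255.0 host 192.168.1.2")


def parse_ace(ace):
    """Parse 'access-list NAME [line N] extended permit PROTO SRC DST'.

    SRC/DST may be 'host A', 'A MASK' or 'any'. Returns (proto, src_net, dst_net).
    A host written with a non-/32 mask (192.168.51.2 255.255.255.248, as in the
    question) is normalised to its network, 192.168.51.0/29.
    """
    tokens = ace.split()
    if not tokens or tokens[0] != "access-list" or "permit" not in tokens:
        raise ValueError("not a permit ACE: %r" % ace)
    i = tokens.index("permit")
    proto, rest = tokens[i + 1], tokens[i + 2:]
    nets = []
    while rest:
        if rest[0] == "any":
            nets.append(ip_network("0.0.0.0/0"))
            rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ip_network(rest[1] + "/32"))
            rest = rest[2:]
        else:
            nets.append(ip_network(rest[0] + "/" + rest[1], strict=False))
            rest = rest[2:]
    if len(nets) != 2:
        raise ValueError("expected a source and a destination: %r" % ace)
    return proto, nets[0], nets[1]


def is_mirror(local_ace, remote_ace):
    """True when the remote ACE is the exact mirror image of the local one:
    same protocol, local source == remote destination and vice versa."""
    lp, ls, ld = parse_ace(local_ace)
    rp, rs, rd = parse_ace(remote_ace)
    return lp == rp and ls == rd and ld == rs


def nat0_covers_crypto(nat0_ace, crypto_ace):
    """True when the NAT exemption ACE covers every src/dst the crypto ACE
    selects, so no VPN traffic falls through to static or dynamic NAT."""
    _, ns, nd = parse_ace(nat0_ace)
    _, cs, cd = parse_ace(crypto_ace)
    return cs.subnet_of(ns) and cd.subnet_of(nd)


def flow_selected(crypto_ace, src, dst):
    """Does a src/dst pair (e.g. the packet-tracer arguments) match the crypto ACE?"""
    _, cs, cd = parse_ace(crypto_ace)
    return ip_address(src) in cs and ip_address(dst) in cd


if __name__ == "__main__":
    print("remote mirrors local:", is_mirror(CRYPTO_ACL, REMOTE_OK))     # True
    print("/24 remote mirrors:", is_mirror(CRYPTO_ACL, REMOTE_BAD))      # False
    print("nat 0 covers crypto:", nat0_covers_crypto(NAT0_ACL, CRYPTO_ACL))  # True
    print("tracer flow selected:", flow_selected(CRYPTO_ACL, "192.168.1.2", "192.168.51.3"))  # True
```

The mismatch case is the one the reply above points at: when the remote side's ACE is not the exact mirror, the proxy identities differ and the tunnel is torn down during negotiation, which is consistent with the VPN-phase drop in packet-tracer.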