05-20-2016 07:07 AM
I have an ASA 5545X running 9.6(1) code, and I had a question involving NAT exemptions for Anyconnect client VPNs.
When I originally configured the AnyConnect VPN, I did the usual steps: created a local client pool, authentication, client software images, and NAT exemptions using the new syntax. Example:
nat (inside,outside) source static PROD-NETWORKS PROD-NETWORKS destination static VPN-CLIENT-POOL VPN-CLIENT-POOL no-proxy-arp route-lookup
I also have an ACL of the VPN clients.
Then I added a new network into the ACL, added a route to the network from the ASA, but forgot to put that network into the above group (PROD-NETWORKS). In other words, I forgot to make a NAT exemption for that new network.
But the clients were still able to connect to the new network without the exemption.
Has something changed? Is this no longer required? How is this even working?
05-20-2016 07:13 AM
Hi Colin,
What was the previous ASA version you were using ?
On newer ASA codes post
So it should work.
You can use a packet tracer to confirm if it is taking a NAT statement or not.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
05-20-2016 07:43 AM
Previous code version was 9.1; I then upgraded to the current one.
The documentation I have seen seems to suggest we need NAT exemptions as before, but this is working without any issues, so I am wondering if the new code is intelligent enough to know that traffic going to the VPN pool should not be translated.
05-21-2016 10:52 AM
Hello Colin,
If you don't set up the NAT exemption statements and run a packet tracer on the ASA from internal IPs to the AnyConnect, are those hitting any object NAT or static NAT? Could you please attach the config (or the specific config on this) and the packet tracer? Now, most of the traffic should come from the AnyConnect users, so those should be hitting either the NONAT or any other NAT statement; if they don't, it simply goes to the destination without the necessity of a NAT statement. As Aditya said, NAT control is not used anymore, but please elaborate a little bit more so we can better understand your deployment. So far I have used the same code, and it needs a NAT exemption only when the sources are translated when going out.
Please proceed to rate and mark as correct the helpful post!
David Castro,
05-25-2016 10:50 AM
David: I tested this by adding a new internal host to the VPN access list and then connecting to it from an AnyConnect VPN session.
Looks like the ASA doesn't need the NAT exemption, and instead says "per-session" in the NAT phase. The example below is from the internal host 10.101.8.251 to a client IP in the VPN pool, 192.168.110.10:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop <Internet Router IP> using egress ifc outside
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IDS
Subtype:
Result: ALLOW
Config:
class-map ips_class
match access-list ips_traffic
policy-map global_policy
class ips_class
ips inline fail-open
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 28270972, packet dispatched to next module
Result:
output-interface: outside
output-status: up
output-line-status: up
Action: allow
If I connect to a host that does have a NAT exemption configured, I do see the exemption referenced, and it still works. My code level is 9.6, so I am wondering if Cisco removed the need for the exemption.
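One way to check the behaviour Colin describes (did a trace hit the NAT exemption rule, or only the "per-session" NAT phase?) is to parse the packet-tracer output itself. This is an added Python example, not code from the thread or from Cisco; it reads the phase layout shown above and runs on constructed sample traces built around the exemption rule from the first post.

```python
"""Check which NAT rules an ASA packet-tracer flow matched (added example,
not from the thread): an identity twice-NAT rule means the exemption was
hit; only "per-session" NAT phases means no explicit NAT rule matched."""
import re

def phase_block(num, typ, subtype="", config=()):
    """Build one phase in packet-tracer's output layout (used for constructed samples)."""
    cfg = "".join(line + "\n" for line in config)
    return (f"Phase: {num}\nType: {typ}\nSubtype: {subtype}\nResult: ALLOW\n"
            f"Config:\n{cfg}Additional Information:\n")

EXEMPT_RULE = ("nat (inside,outside) source static PROD-NETWORKS PROD-NETWORKS "
               "destination static VPN-CLIENT-POOL VPN-CLIENT-POOL no-proxy-arp route-lookup")
# Constructed, trimmed traces around the thread's own exemption rule: the thread's case
# (per-session NAT phases only) and a variant where the rule is matched as a NAT phase.
TRACE_PER_SESSION = (phase_block(1, "ROUTE-LOOKUP", "Resolve Egress Interface")
                     + phase_block(2, "NAT", "per-session") + phase_block(3, "IP-OPTIONS"))
TRACE_WITH_EXEMPT = (phase_block(1, "ROUTE-LOOKUP", "Resolve Egress Interface")
                     + phase_block(2, "NAT", config=[EXEMPT_RULE])
                     + phase_block(3, "NAT", "per-session"))

# Identity (object-to-itself) twice NAT, the form a NAT exemption takes in 8.3+ syntax.
IDENTITY_NAT = re.compile(r"^nat \(\S+\) source static (\S+) \1 destination static (\S+) \2(?:\s|$)")

def parse_phases(text):
    """Split packet-tracer output into one dict per phase; Config is a list of lines."""
    phases = []
    for chunk in re.split(r"^Phase:[ \t]*\d+[ \t]*$", text, flags=re.M)[1:]:
        phase, in_config = {"Type": "", "Subtype": "", "Result": "", "Config": []}, False
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if key == "Additional Information":
                in_config = False
            elif in_config:
                if line.strip():
                    phase["Config"].append(line.strip())
            elif key == "Config":
                in_config = True
            elif sep and key in phase:
                phase[key] = value.strip()
        phases.append(phase)
    return phases

def nat_summary(text):
    """Report the NAT rules matched and whether only per-session phases appeared."""
    summary = {"exemption_matched": False, "per_session_only": True, "rules": []}
    for phase in (p for p in parse_phases(text) if p["Type"] == "NAT"):
        summary["rules"].extend(phase["Config"])
        summary["exemption_matched"] |= any(IDENTITY_NAT.match(r) for r in phase["Config"])
        summary["per_session_only"] &= phase["Subtype"] == "per-session"
    return summary
```

Feed it the full output of a real `packet-tracer` run; a result with `per_session_only` true and an empty rule list is exactly the situation in the trace above, where no NAT exemption was consulted for the flow.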
05-29-2016 12:22 PM
Hi Colin,
Well, usually a NAT exemption is required. 9.x code introduces the per-session PAT and multi-session PAT feature; the per-session feature is enabled by default and allows for better scalability. This feature also does not have a timeout, which means you can have more conns (PAT translations over one IP address) than with multi-session. Now, getting back to the initial query, let's remember that a dynamic NAT is not bidirectional, so you are coming from the VPN client directly to the client IP, and it is allowed. The question is: is there an object NAT configured for internet that should be matched? At which line # is the NAT exemption? What happens if you delete the NAT exemption, or place it as line 1?
Because you are clarifying that the NAT exemption is still being matched, it seems that it is somehow required. Though if you see it from the perspective that the dynamic NAT is unidirectional for inside hosts, the existing flow seems to be: the VPN user goes to the ASA and it is allowed since it is VPN traffic and "sysopt connection permit-vpn" allows the traffic; then there is no NAT matched (right here it should match the NAT exempt; if it doesn't, it is not matching any other NAT for the "outside host"), and the traffic just keeps going to the internal host (Session Management Path). Afterwards the response should match this flow through the Fast Path; obviously the packet is encapsulated and encrypted, and the other way around as well.
Keep me posted!
Please proceed to rate and mark as correct the helpful post!
David Castro,