Solved: Re: NAT only works in one direction

esa_fresa · ‎06-06-2018

We are sending traffic sourced from the ASA's inside interface over our l2l vpn tunnel. We need to NAT the inside interface's IP address. NAT works when we ping *to* the inside interface over the tunnel; we receive replies and we see hit counts on the NAT statement. When we ping *from* or generate syslog traffic from the inside interface though, the traffic goes out the proper interface (outside) but the NAT isn't hit! Ie. NAT works when the traffic is going outside->inside but not inside->outside.

Our NAT statement looks like this:

nat (any,any) source static obj-inside obj-inside-NAT destination static obj-vpn obj-vpn

But we see the non-NAT'd traffic going out the outside interface!

   9: 08:58:03.305007       802.1Q vlan#2 P0 10.1.1.1.514 > 10.23.45.67.514:  udp 111

Running 5505 on 9.1(7)16.

So the question is, why isn't traffic sourced from our inside interface hitting the NAT statement?

esa_fresa · ‎06-11-2018

So I read on another forum post that the ASA will never NAT traffic sourced from its own address. Looks like that's the issue.
The ASA also doesn't seem to have an "always up" interface like a loopback, so I think i'm out of luck on getting this to work.

View solution in original post

esa_fresa · ‎06-08-2018

Does anyone have any ideas on this?

Bogdan Nita · ‎06-11-2018

Hi @esa_fresa,

Can you post the output from:

packet-tracer input inside icmp <inside-ip> 8 0 <vpn-ip>

esa_fresa · ‎06-11-2018

So I read on another forum post that the ASA will never NAT traffic sourced from its own address. Looks like that's the issue.
The ASA also doesn't seem to have an "always up" interface like a loopback, so I think i'm out of luck on getting this to work.

Bogdan Nita · ‎06-11-2018

That is true, but you have other tools available on the ASA when verifying connections like ping tcp and packet-tracer.

esa_fresa · ‎06-11-2018

Oh for sure, I love the asa model. This is just an annoying limitation of it.