Please help troubleshoot specific ASA nat statement need, details...

MicJameson1
VIP Alumni

Hello.
I am new to ASA OS configuration. I am troubleshooting the failing code below...

#object network VENDOR1
   #host 1.1.1.1
#object-group network VPN-Vendor-IP
   #network-object object VENDOR1
#access-list Split-Tunnel extended permit ip host 1.1.1.1 object VPN-Pool

... My goal with this code is for the erected split tunnel to include 1.1.1.1 within the tunnel, so that Anyconnect clients can communicate with the server at 1.1.1.1. I expect I need a NAT statement.

1. What is the code of NAT statement I need?
2. Why do I need this NAT statement / What is the logic within this NAT statement?

Thank you!

22 Replies

Then logic concludes that my current code is not working because of the existing...

"nat (Inside,Outside) source static VPN-Vendor-IP VPN-Vendor-IP destination static VPN-Pool VPN-Pool" which is assuming 1.1.1.1 is on the inside.

How do I rectify this situation? (I must maintain the above NAT so that the other tunnels don't break.)

@MicJameson1 you've confused me now. Where is 1.1.1.1? Is it on the internet (outside interface) or inside your network (inside interface)?

If it's on the inside of your network then use the rule above and add the object of 1.1.1.1 to the group VPN-Vendor-IP.

If it's on the outside of the network use the NAT rule I provided earlier.

The below code is already running...
---
#nat (Inside,Outside) source static VPN-Vendor-IP VPN-Vendor-IP destination static VPN-Pool VPN-Pool
#object network VPN-Pool
nat (Outside,Outside) dynamic interface
---

I am unsure where remote 1.1.1.1 resides. The ticket does not tell me.

Instead of contacting the client, I'd rather try 2 different possible codes, and see if one works.

The below code did not work (maybe I botched the input). I will try it again.
#object network VENDOR1
   #host 1.1.1.1
#object-group network VPN-Vendor-IP
   #network-object object VENDOR1
#access-list Split-Tunnel extended permit ip host 1.1.1.1 object VPN-Pool

If it does not work I will add "the NAT rule you provided earlier." What is that NAT rule (or is it already above, which changes our situation)? 
Please reply. Thank you.

@MicJameson1 are you actually applying # when you enter the command? that won't work

From the core switch, run tracert to the destination (1.1.1.1) and determine the path, whether it's inside or outside.

Run packet-tracer from the source to the destination to determine the egress interface and what NAT rule it matches.

The rule I was referring to was in my 2nd reply...


@jmaxwellUSAF so it's routed back out the outside interface?

Therefore you need the NAT rule as per your post yesterday...

object network VPN-Pool
 nat (Outside,Outside) dynamic interface

And to allow the traffic to hairpin (ingress/egress out the same interface) use the following command (if not already configured) - same-security-traffic permit intra-interface

Hello.

May you please simply explain the executed logic in the below statement? Thank you.

nat (Inside, Outside) source static OBJECT-1 OBJECT-1 destination static OBJECT-2 OBJECT-2

@MicJameson1 this is an example of a NAT exemption rule. Traffic between OBJECT-1 and OBJECT-2 is translated to itself, in other words the original source and original destination IP addresses are maintained.

Without this NAT rule traffic from a network within OBJECT-1 on the inside interface destined to OBJECT-2 network might be translated to the outside interface IP address if another dynamic (auto) NAT rule existed.

1. Logically speaking, the opposite of...
"nat (Inside, Outside) source static OBJECT-1 OBJECT-1 destination static OBJECT-2 OBJECT-2"
...is...
"nat (Inside, Outside) source static OBJECT-1 destination static OBJECT-2" ?
-----

2. Is the below statement ever used...

"nat (Inside, Outside) source static OBJECT-1 OBJECT-2 destination static OBJECT-1 OBJECT-2"

...or does it do the same thing as ...
"nat (Inside, Outside) source static OBJECT-1 destination static OBJECT-2" ?

@MicJameson1 bear this in mind - "nat (inside interface, outside interface) source static ORIGINAL-SRC TRANSLATED-SRC destination static ORIGINAL-DST TRANSLATED-DST".

So no you'd never use "nat (Inside, Outside) source static OBJECT-1 OBJECT-2 destination static OBJECT-1 OBJECT-2" as that would translate OBJECT-1 as the original source to OBJECT-2 as the translated source.

The ASA doesn't allow you to configure - "nat (Inside, Outside) source static OBJECT-1 destination static OBJECT-2"

It would expect the translated source and translated destination.
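The two explanations above (the identity NAT exemption rule, and the ORIGINAL-SRC TRANSLATED-SRC / ORIGINAL-DST TRANSLATED-DST reading of a manual NAT line) can be checked with a small model of how the ASA orders its NAT rules: manual (twice) NAT is evaluated first, and object (auto) NAT only if no manual rule matched. This is an added example, not code from the thread or from Cisco; the object names, the 10.1.0.0/24 and 10.99.0.0/24 ranges and the 203.0.113.1 outside address are constructed placeholders, and only addresses are modelled (real PAT also rewrites ports).

```python
import ipaddress

# Constructed objects standing in for OBJECT-1 (inside LAN) and OBJECT-2 (VPN-Pool).
OBJECTS = {
    "OBJECT-1": ipaddress.ip_network("10.1.0.0/24"),
    "OBJECT-2": ipaddress.ip_network("10.99.0.0/24"),
}
OUTSIDE_IF_IP = "203.0.113.1"  # placeholder outside interface address

def manual_nat(orig_src, xlate_src, orig_dst, xlate_dst):
    """nat (Inside,Outside) source static ORIG-SRC XLATED-SRC
       destination static ORIG-DST XLATED-DST  (section 1, checked first)"""
    return ("manual", orig_src, xlate_src, orig_dst, xlate_dst)

def auto_pat(obj):
    """object network OBJ / nat (Inside,Outside) dynamic interface
       (section 2, consulted only when no manual rule matched)"""
    return ("auto", obj)

def _static_map(ip, orig_obj, xlate_obj):
    # Static NAT is a 1:1 mapping by offset within the object; when the
    # original and translated objects are the same, the address is unchanged.
    offset = int(ip) - int(OBJECTS[orig_obj].network_address)
    return str(OBJECTS[xlate_obj].network_address + offset)

def translate(rules, src, dst):
    """Return (translated_src, translated_dst) for a flow src -> dst."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:                      # section 1: manual NAT, in order
        if rule[0] != "manual":
            continue
        _, osrc, xsrc, odst, xdst = rule
        if src_ip in OBJECTS[osrc] and dst_ip in OBJECTS[odst]:
            return _static_map(src_ip, osrc, xsrc), _static_map(dst_ip, odst, xdst)
    for rule in rules:                      # section 2: object (auto) NAT
        if rule[0] == "auto" and src_ip in OBJECTS[rule[1]]:
            return OUTSIDE_IF_IP, dst       # dynamic interface PAT
    return src, dst                         # nothing matched: untranslated

# The exemption rule from the thread, and the auto PAT that would otherwise apply.
EXEMPT = manual_nat("OBJECT-1", "OBJECT-1", "OBJECT-2", "OBJECT-2")
PAT = auto_pat("OBJECT-1")

if __name__ == "__main__":
    print(translate([EXEMPT, PAT], "10.1.0.5", "10.99.0.7"))  # addresses preserved
    print(translate([PAT], "10.1.0.5", "10.99.0.7"))          # source becomes outside IP
```

Feeding in the misread line from the question, `manual_nat("OBJECT-1", "OBJECT-2", "OBJECT-1", "OBJECT-2")`, shows what the reply describes: an OBJECT-1 source is rewritten into OBJECT-2, and the rule only matches when the destination is also in OBJECT-1.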