Site-2-Site Internet headend

Stuart-ITGL

We're in the process of moving some services up into the cloud. We have the S-2-S set up and working between Head Office and the cloud and want the servers to use the internet at the headend. As it stands, the servers can ping our Outside interface but can't get to the next-hop address and thus the wider internet.

 

We also need to be able to connect to the cloud through our existing Anyconnect tunnel which is working now.

 

I believe it's a NAT issue I'm hitting but I'm not sure how to fix it - I've tried many things from reading on here already and either it doesn't work or it completely cuts off the hosts on the cloud.

 

nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 no-proxy-arp route-lookup
nat (dmz,outside) source static NETWORK_OBJ_172.16.12.0_24 NETWORK_OBJ_172.16.12.0_24 destination static Milton-Subnets Milton-Subnets no-proxy-arp route-lookup
nat (any,outside) source static any any destination static AWS AWS no-proxy-arp
!
object network VPN_Pool
 nat (any,outside) dynamic interface
object network LILIN_NVR_Server
 nat (inside,outside) static interface service tcp www h323 
object network dmz-subnet
 nat (dmz,outside) dynamic interface
object network ITGL-AD1_internal
 nat (dmz,outside) static ITGL-AD1_external service tcp ldaps ldaps 
object network ITGL-Duo_internal-DAG
 nat (dmz,outside) static ITGL-Duo_external-DAG
object network ITGL-Duo_internal-NG
 nat (dmz,outside) static ITGL-Duo_external-NG
object network CUBE-1000v-webex_internal
 nat (dmz,outside) static CUBE-1000v-webex_external
object network CUBE-1000v-PSTN_internal
 nat (any,outside) dynamic interface
object network dmz2-subnet
 nat (any,outside) dynamic interface
object network AWS
 nat (any,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
nat (dmz,outside) after-auto source static dmz-subnet dmz-subnet destination static VPN_Pool VPN_Pool

Can anyone shed some light on where I'm going wrong please?

 

TIA

5 Replies

Hi,
I assume you've modified the crypto ACL to allow all traffic to be tunneled back to the headend ASA?

You will need the command "same-security-traffic intra-interface" on the headend ASA, in order for traffic to be hairpinned and routed back out of the outside interface.

HTH

The crypto map is allowing anything up to the cloud - I can't say what the cloudy end is allowing as I don't have access to that.

 

The "same-security-traffic intra-interface" command was enabled on the headend ASA already in the past, but I have double-checked and it's still in use.

Run a packet capture to ensure your ASA is even receiving the internet traffic from the cloud network. You'll need to get someone to check the configuration of the cloud VPN configuration.

Can you run packet-tracer on the ASA to confirm whether traffic would be allowed or dropped, e.g. "packet-tracer input outside tcp <cloud net> 2000 8.8.8.8 80"? That will identify whether the traffic will be permitted by the ACL and which NAT rule translated the traffic. Upload the output for review.

HTH

See below for the packet-tracer:

# packet-tracer input outside tcp 10.254.254.1 2000 8.8.8.8 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 31.210.130.113 using egress ifc  outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,outside) source static any any destination static AWS AWS no-proxy-arp
Additional Information:
NAT divert to egress interface outside
Untranslate 8.8.8.8/80 to 8.8.8.8/80

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I can ping from the cloud to the outside interface on the ASA across the S-2-S, but can't get to the next-hop address and subsequently the rest of the internet.
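The packet-tracer run above answers exactly the two questions the earlier reply asked (which phase drops the flow, and which NAT rule the flow matched), but the answer is buried in a dozen blocks. The script below is an added example written for this thread, not code from any of the posts: it parses a packet-tracer dump into its phases and the trailing Result block, reports the dropping phase and its Config line, lists every NAT rule that matched, and flags a hairpin (input and output interface the same, which is why "same-security-traffic intra-interface" is required here). The embedded SAMPLE is the output posted above; the parsing rules (one block per "Phase:", "Config:" and "Additional Information:" sub-sections, a final "Result:" block) are assumptions drawn from that output and may need adjusting for other ASA versions.

```python
"""Summarise a Cisco ASA packet-tracer run: the phase that dropped the flow,
the NAT rule it matched, the egress interface and whether it is a hairpin.
Added example for this thread, not code from the posts; SAMPLE is the output
posted above, embedded so this runs offline. The parsing rules (one block per
Phase:, Config:/Additional Information: sub-sections, a final Result: block)
are assumptions drawn from that output."""
import re

SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 31.210.130.113 using egress ifc  outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,outside) source static any any destination static AWS AWS no-proxy-arp
Additional Information:
NAT divert to egress interface outside
Untranslate 8.8.8.8/80 to 8.8.8.8/80

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_phases(text):
    """Return (phases, summary). Each phase is a dict with lower-cased keys
    (phase/type/subtype/result) plus 'config' and 'info' line lists; summary
    holds the key: value pairs of the final Result block."""
    phases, summary = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines()]
        if lines[0].startswith("Phase:"):
            phase = {"config": [], "info": []}
            section = None  # header keys until Config:/Additional Information:
            for line in lines:
                if line.startswith("Config:"):
                    section = "config"
                elif line.startswith("Additional Information:"):
                    section = "info"
                elif section is None:
                    key, _, value = line.partition(":")
                    phase[key.strip().lower()] = value.strip()
                elif line.strip():
                    phase[section].append(line.strip())
            phases.append(phase)
        elif lines[0].startswith("Result:"):
            for line in lines[1:]:
                key, _, value = line.partition(":")
                summary[key.strip().lower()] = value.strip()
    return phases, summary


def egress_interface(phases):
    """First egress interface named by ROUTE-LOOKUP or a NAT divert line."""
    for phase in phases:
        for line in phase["info"]:
            m = re.search(r"egress (?:ifc|interface)\s+(\S+)", line)
            if m:
                return m.group(1)
    return None


def analyse(text):
    phases, summary = parse_phases(text)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    nat_rules = [cfg for p in phases if p.get("type") in ("NAT", "UN-NAT")
                 for cfg in p["config"] if cfg.startswith("nat ")]
    inp, out = summary.get("input-interface"), summary.get("output-interface")
    return {
        "action": summary.get("action"),
        "drop_phase": f"{drop['phase']} {drop['type']}" if drop else None,
        "drop_config": (drop["config"] or [None])[0] if drop else None,
        "drop_reason": summary.get("drop-reason"),
        "nat_rules": nat_rules,
        "egress": egress_interface(phases),
        "hairpin": inp is not None and inp == out,
    }


def report(text):
    """One-screen summary for pasting back into a thread."""
    r = analyse(text)
    return "\n".join([
        f"action     : {r['action']}",
        f"dropped in : {r['drop_phase']} [{r['drop_config']}]",
        f"drop reason: {r['drop_reason']}",
        f"egress     : {r['egress']} hairpin={r['hairpin']}",
    ] + [f"nat rule   : {x}" for x in (r["nat_rules"] or ["(none)"])])


if __name__ == "__main__":
    print(report(SAMPLE))
```

Run against the posted output it reports that the flow entered and left on outside (a hairpin), matched only the broad identity rule "nat (any,outside) source static any any destination static AWS AWS no-proxy-arp" rather than the dynamic PAT on object AWS, and was dropped in the ACCESS-LIST phase by the implicit rule. That second finding is worth checking separately from the NAT question: decrypted VPN traffic bypasses the outside interface ACL only while "sysopt connection permit-vpn" is in effect, so if that has been turned off on this ASA, the cloud subnet also needs an explicit permit in the inbound outside ACL before any NAT change will help.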

Is this NAT rule "nat (any,outside) source static any any destination static AWS AWS no-proxy-arp" intended as a NAT exemption between the cloud and the headend network? You may want to replace "any any" with a more specific object for the local network behind the ASA.

 

The NAT rule below is what I expect the AWS traffic should hit when accessing the internet.

 

object network AWS
nat (any,outside) dynamic interface

HTH