Site To Site - ASA 8.4 code NAT Issue

Dave Christman
Level 1

Hello, I have two ASAs doing a site to site tunnel, one with 8.2 code and one with 8.4. I don't have the config handy but I believe I know where the issue is. On the ASA with 8.2 code we have 3 networks inside. I believe that is ok. On the 8.4 ASA I have one network inside, which is 10.50.0.0/24. The site that has the 8.4 works on the VPN side if I remove the dynamic NAT, but then the internet there breaks. If I add the dynamic NAT the internet works but the VPN breaks. I believe I need a dynamic NAT and a NAT exemption for the 10.50.0.0/24 network so the tunnel will work. Can you tell me the statement I would need?

Thanks,
Dave

4 Replies

Jouni Forss
VIP Alumni

Hi,

I think that your NAT ordering/configuration format is probably causing the problem. You have probably configured the Dynamic PAT at the 8.4 site with too high a priority.

If I presume the following base information for the 8.4 site:

  • Networks 10.10.10.0/24, 10.10.20.0/24 and 10.10.30.0/24
  • Interfaces "inside" and "outside"
  • All the mentioned networks need Dynamic PAT that uses the "outside" interface public IP address

Then you should be fine with the following configurations.

Dynamic PAT for LAN networks

  • This should be the only configuration you need for the Dynamic PAT. You can probably remove the current configuration.
  • Naturally I don't know your exact setup, so I can only guess and give you the below example of the configuration format.
  • The key thing in the below configuration is the "after-auto" parameter. This makes sure that the Dynamic PAT doesn't interfere with other NAT configurations like the NAT0 we are going to configure after this.

object-group network DEFAULT-PAT-SOURCE
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

NAT0 for the L2L VPN connection

  • Since the below configuration DOESN'T use the "after-auto" parameter, it means that it's at the very top of the NAT configurations and therefore the Dynamic PAT rule won't override it.
  • Naturally the final format of this configuration depends on your actual network setup. Below is just an example of the configuration you might use.

object network REMOTE-LAN
 subnet 10.50.0.0 255.255.255.0

object-group network LOCAL-LAN
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0

nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN

The above configurations should handle the default Dynamic PAT for Internet traffic and the NAT0 for the L2L VPN connection between the sites.

Hope this helps.

Please remember to mark the reply as the correct answer if it answered your question.

Ask more if needed.

- Jouni

Hi Jouni Forss, thank you for your reply. I just want to make sure I understand correctly. The ASA with 8.4 code has a local network of 10.50.0.0/24. The remote network would be the ASA with 8.2 code, and those networks can be 10.10.10.0, 10.10.20.0, and 10.10.30.0 as you said. Is the configuration above only for the ASA with 8.4, and if so, would I just have to switch the object-group network DEFAULT-PAT-SOURCE to only the 10.50.0.0/24, and the local and remote networks would have to be swapped, correct?

Hi,

Sorry, I mixed up the sites which had 1 and 3 networks.

Here is the correct example configuration:

object-group network DEFAULT-PAT-SOURCE
 network-object 10.50.0.0 255.255.255.0

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

object network LOCAL-LAN
 subnet 10.50.0.0 255.255.255.0

object-group network REMOTE-LAN
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0

nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN

- Jouni

Thanks Jouni, we may be implementing this later on.
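To make the ordering point in Jouni's replies concrete, here is an added, constructed Python model of how an ASA 8.4 walks its three NAT sections (section 1 manual NAT, section 2 object NAT, section 3 manual NAT entered with "after-auto"), first match wins. It is not Cisco code and not part of the thread; the rule names, the 10.50.0.25 host and the 198.51.100.7 Internet destination are assumptions chosen to show why the PAT rule breaks the tunnel when it lands in section 1 and not when it lands in section 3.

```python
import ipaddress

# Constructed model of ASA 8.4 NAT evaluation order (not Cisco code):
# rules are evaluated top-down across sections 1, 2 and 3; first match wins.

def make_rule(name, section, action, src, dsts=None):
    """Build a rule; dsts=None means any destination (as in a dynamic PAT rule)."""
    return {
        "name": name,
        "section": section,            # 1 = manual, 2 = object NAT, 3 = manual "after-auto"
        "action": action,              # "identity" (NAT0) or "pat"
        "src": ipaddress.ip_network(src),
        "dsts": [ipaddress.ip_network(d) for d in dsts] if dsts else None,
    }

def first_match(rules, src_ip, dst_ip):
    """Return (rule name, action) of the first rule matching the flow, or (None, 'none')."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # sorted() is stable, so rules keep their configuration order within a section
    for rule in sorted(rules, key=lambda r: r["section"]):
        if src not in rule["src"]:
            continue
        if rule["dsts"] is None or any(dst in d for d in rule["dsts"]):
            return rule["name"], rule["action"]
    return None, "none"

LOCAL_LAN = "10.50.0.0/24"                                   # the 8.4 site (from the thread)
REMOTE_LANS = ["10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24"]  # the 8.2 site

def nat0_rule():
    # "nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN"
    return make_rule("NAT0-L2L", 1, "identity", LOCAL_LAN, REMOTE_LANS)

# Failing layout: dynamic PAT entered as a plain manual rule ahead of the NAT0 line (section 1).
BROKEN_CONFIG = [make_rule("DYNAMIC-PAT", 1, "pat", LOCAL_LAN), nat0_rule()]

# Jouni's fix: the same PAT rule with "after-auto", so it lands in section 3.
FIXED_CONFIG = [make_rule("DYNAMIC-PAT-after-auto", 3, "pat", LOCAL_LAN), nat0_rule()]

def classify(config, src_ip, dst_ip):
    """Action applied to a flow under the given NAT configuration."""
    return first_match(config, src_ip, dst_ip)[1]

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "VPN flow      ->", classify(cfg, "10.50.0.25", "10.10.20.9"))
        print(label, "Internet flow ->", classify(cfg, "10.50.0.25", "198.51.100.7"))
```

With the broken layout the VPN flow is PATed to the outside address and never matches the crypto map; with the after-auto layout the NAT0 rule wins for tunnel traffic while Internet traffic still falls through to the PAT.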