06-07-2022 03:43 PM
Hello All,
I am in need of some help. I have set up a Cisco ASA on AWS and I have a VPN connecting to the other side for my customer. The VPN established successfully, but I cannot route my inside EC2 instance to the internet through the ASA.
I did try to put in a NAT statement such as
nat (inside,outside) source static inside_interface interface no-proxy-arp
This works for my EC2 instance to go to the internet, but then the tunnel won't come up.
I don't know what correct NAT statement works on a Cisco ASA in AWS.
Can anyone help me determine the correct NAT statement for this? I have attached the configuration I have used for my VPN tunnel WITHOUT NAT right now, as both VPN tunnels are doing NAT-T.
06-07-2022 03:45 PM
no attachment
06-07-2022 03:52 PM
06-07-2022 04:22 PM
access-list CS-TO--ED extended permit ip <ip and subnet> host <host> log
nat (inside,outside) source static <ip and subnet> <ip and subnet> destination static host <host> host <host>
06-08-2022 08:14 AM
@MHM Cisco World What would my <host> be in this case? Would it be my outside interface IP or the IP that I define in the access-list?
Because I did put my outside interface IP and it did not work.
06-08-2022 08:35 AM
Use the same source and destination that you use in the IPsec ACL in the NAT exemption.
06-08-2022 10:53 AM
But this ACL is used in my crypto map for my VPN traffic. I don't believe I need the same host on my NAT statement; correct me if I am wrong.
06-08-2022 11:02 AM
Why do we need NAT exemption?
We need it to
exempt the source and destination from NAT for traffic that passes through the VPN.
NOW
even if you use only one host and not a subnet, this NAT exemption needs to include the destination and not NAT it.
Why do I need the destination?
For example, there is dynamic NAT for a host when the host wants to access the internet, so we use dynamic NAT to the outside of the FW,
and the same host must connect to the other side of the VPN.
So how do we deal with the dynamic NAT?
Simply, we configure the NAT exemption; then when the FW sees source->destination, the FW will use this NAT and escape the dynamic NAT.
And that is why we need to include the destination in the NAT: it informs the FW that this traffic will pass through the VPN and not go to the internet.
06-08-2022 10:30 AM - edited 06-08-2022 10:57 AM
@jigarrg Remove your existing Manual NAT rule for internet access and recreate as an Auto NAT rule.
no nat (inside,outside) source static inside_interface interface no-proxy-arp
!
object network inside_interface
nat (inside,outside) dynamic interface
Create a new Manual NAT rule for NAT exemption of the VPN traffic.
nat (inside,outside) source static inside_interface inside_interface destination static VPN-NET VPN-NET
Replace the inside_interface object if different and create an object to represent the destination host/subnet.
06-08-2022 01:06 PM - edited 06-08-2022 01:09 PM
Thank you @Rob Ingram and @MHM Cisco World for the detailed explanation.
I did put in the NAT statement as you recommended; it did not drop the VPN traffic, and I am seeing hits on the NAT translations as well.
But still the same host (which is used by the VPN) cannot reach out to the internet?
FYI, my VPN was working without a NAT statement, but the internet was not working without the NAT statement.
06-08-2022 01:12 PM
@jigarrg please provide the output of "show nat detail", tell us the source ip address that cannot access the internet.
Run packet-tracer from the CLI to simulate the traffic flow of the host accessing the internet. E.g.
packet-tracer input <interfacename> tcp <host> 3000 8.8.8.8 80
06-08-2022 01:28 PM
Hi Rob,
Here is the output of the NAT statement:
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static ec2_instance ec2_instance destination static VPN_host1 VPN_host1
    translate_hits = 117, untranslate_hits = 117
    Source - Origin: 172.32.3.126/32, Translated: 172.32.3.126/32
    Destination - Origin: 139.60.155.5/32, Translated: 139.60.155.5/32
2 (inside) to (outside) source static ec2_instance ec2_instance destination static VPN_host2 VPN_host2
    translate_hits = 119, untranslate_hits = 119
    Source - Origin: 172.32.3.126/32, Translated: 172.32.3.126/32
    Destination - Origin: 139.60.155.4/32, Translated: 139.60.155.4/32
and the packet-tracer output:
AwsCiscoASAv(config)# packet-tracer input inside tcp 172.32.3.126 3000 8.8.8.8$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 6622 ns
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 8729 ns
Config:
Additional Information:
Found next-hop 172.32.4.1 using egress ifc outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 6471 ns
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 6471 ns
Config:
Additional Information:

Phase: 5
Type: QOS
Subtype:
Result: ALLOW
Elapsed time: 11739 ns
Config:
Additional Information:

Phase: 6
Type: ACCESS-LIST
Subtype: log
Result: DROP
Elapsed time: 3311 ns
Config:
access-group inside_out out interface outside
access-list inside_out extended deny ip any any log
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Time Taken: 43343 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000563490cb1eb5 flow (NA)/NA
Here are the access-lists I am using; they allow the inside host to ping out, and the same for outside_in:
access-list CS-TO--ED extended permit ip <ip and subnet> host <host> log
access-list CS-VPN--INSIDE-IN extended permit icmp host <host> host <host> log
access-list CS-VPN--INSIDE-IN extended permit icmp host <host> host <host> log
access-list CS-VPN--INSIDE-IN extended permit tcp host <host> host <host> eq www log
access-list CS-VPN--INSIDE-IN extended permit tcp host <host> host <host> eq www log
access-list CS-VPN--INSIDE-IN extended permit tcp host <host> host <host> eq 443 log
access-list CS-VPN--INSIDE-IN extended permit tcp host <host> host <host> eq 443 log
access-list CS-VPN--INSIDE-IN extended deny ip any any log
access-list CS-TO--ED2 extended permit ip <ip and subnet> host <host> log
access-list outside_in extended permit icmp any any log debugging
access-list outside_in extended deny ip any any log debugging
access-list inside_out extended permit icmp host <host> any log
access-list inside_out extended permit tcp host <host> any eq https log
access-list inside_out extended permit udp host <host> any eq domain log
access-list inside_out extended deny ip any any log
06-08-2022 01:33 PM
@jigarrg well, you've got an inside_out ACL that doesn't appear to permit "http" traffic, so that's why the packet-tracer failed; try again with https.
Also, you've not got the Auto NAT rule for internet access, as per the suggestion/example above.
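As an added illustration (my own script, not part of the thread and not Cisco code), the following Python replays the ASA NAT lookup order over "show nat detail" output: Section 1 (manual NAT) is checked first, then Section 2 (Auto NAT), then Section 3 (manual NAT after-auto), first match wins. It embeds the two manual rules exactly as pasted above, plus a constructed Section 2 entry for the Auto NAT rule suggested earlier; the 172.32.3.0/24 object and the outside address 172.32.4.15 are assumptions, not values from the thread. A third constructed sample moves the exemption to Section 3 to show why it must sit before the dynamic rule. The script models NAT only (no interface ACLs, so it says nothing about the acl-drop in the packet-tracer), and it simplifies Section 2 to display order, where a real ASA also orders Auto NAT rules static-before-dynamic and by prefix length.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "show nat detail" as pasted in the thread, re-wrapped one field per line.
SHOW_NAT_THREAD = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static ec2_instance ec2_instance destination static VPN_host1 VPN_host1
    translate_hits = 117, untranslate_hits = 117
    Source - Origin: 172.32.3.126/32, Translated: 172.32.3.126/32
    Destination - Origin: 139.60.155.5/32, Translated: 139.60.155.5/32
2 (inside) to (outside) source static ec2_instance ec2_instance destination static VPN_host2 VPN_host2
    translate_hits = 119, untranslate_hits = 119
    Source - Origin: 172.32.3.126/32, Translated: 172.32.3.126/32
    Destination - Origin: 139.60.155.4/32, Translated: 139.60.155.4/32
"""
# Constructed (assumption): the Section 2 entry that "object network inside_interface /
# nat (inside,outside) dynamic interface" adds; 172.32.3.0/24 and 172.32.4.15 are made up.
SHOW_NAT_FIXED = SHOW_NAT_THREAD + """\
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside_interface interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 172.32.3.0/24, Translated: 172.32.4.15/32
"""
# Constructed: same rules, but the exemption configured with "after-auto" (Section 3).
SHOW_NAT_WRONG_ORDER = SHOW_NAT_FIXED.replace("Manual NAT Policies (Section 1)",
                                              "Manual NAT Policies (Section 3)")

SECTION_RE = re.compile(r"\(Section (\d)\)")
RULE_RE = re.compile(r"^\s*(?P<idx>\d+) \((?P<src_if>\S+)\) to \((?P<dst_if>\S+)\) "
                     r"source (?P<kind>static|dynamic) \S+ \S+(?: destination static \S+ \S+)?")
NET_RE = re.compile(r"^\s*(?P<which>Source|Destination) - Origin: (?P<orig>[\d./]+), "
                    r"Translated: (?P<xlat>[\d./]+)")


@dataclass
class NatRule:
    section: int
    index: int
    src_if: str
    dst_if: str
    kind: str                                          # "static" or "dynamic"
    src_net: Optional[ipaddress.IPv4Network] = None
    src_xlat: Optional[ipaddress.IPv4Network] = None
    dst_net: Optional[ipaddress.IPv4Network] = None    # None: rule ignores the destination


def parse_show_nat(text: str) -> List[NatRule]:
    """Turn 'show nat detail' text into NatRule records, keeping section and display order."""
    rules: List[NatRule] = []
    section, current = 0, None
    for line in text.splitlines():
        m = SECTION_RE.search(line)
        if m:
            section = int(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m:
            current = NatRule(section, int(m["idx"]), m["src_if"], m["dst_if"], m["kind"])
            rules.append(current)
            continue
        m = NET_RE.match(line)
        if m and current is not None:
            orig = ipaddress.ip_network(m["orig"], strict=False)
            xlat = ipaddress.ip_network(m["xlat"], strict=False)
            if m["which"] == "Source":
                current.src_net, current.src_xlat = orig, xlat
            else:
                current.dst_net = orig
    return rules


def lookup(rules: List[NatRule], src_if: str, src_ip: str, dst_ip: str) -> Optional[NatRule]:
    """First match in ASA order: Section 1, then 2, then 3; within a section as displayed."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: (r.section, r.index)):
        if rule.src_if != src_if or rule.src_net is None or src not in rule.src_net:
            continue
        if rule.dst_net is not None and dst not in rule.dst_net:
            continue                       # exemption only applies towards the VPN peer
        return rule
    return None


def evaluate(rules: List[NatRule], src_if: str, src_ip: str,
             dst_ip: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (verdict, translated source, rule id) for one flow."""
    rule = lookup(rules, src_if, src_ip, dst_ip)
    if rule is None:
        return "no-nat", None, None        # leaves with its private source; replies never return
    rid = f"S{rule.section}#{rule.index}"
    if rule.kind == "dynamic":             # PAT onto the interface address
        return "pat", str(rule.src_xlat.network_address), rid
    offset = int(ipaddress.ip_address(src_ip)) - int(rule.src_net.network_address)
    xlat = ipaddress.ip_address(int(rule.src_xlat.network_address) + offset)
    verdict = "exempt" if rule.dst_net is not None and str(xlat) == src_ip else "static"
    return verdict, str(xlat), rid


if __name__ == "__main__":
    samples = (("thread", SHOW_NAT_THREAD), ("fixed", SHOW_NAT_FIXED), ("after-auto", SHOW_NAT_WRONG_ORDER))
    for name, text in samples:
        rules = parse_show_nat(text)
        for dst in ("139.60.155.5", "8.8.8.8"):
            print(name, "172.32.3.126 ->", dst, evaluate(rules, "inside", "172.32.3.126", dst))
```

With the thread's rules alone, the flow to the VPN peer hits the Section 1 exemption and keeps 172.32.3.126, while the flow to 8.8.8.8 matches nothing and would leave untranslated; with the Auto NAT entry present the internet flow is PATed and the VPN flow is still exempt. In the after-auto sample the dynamic rule wins for the VPN peer too, which is the tunnel-breaking case the exemption's destination clause exists to prevent.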
06-08-2022 01:42 PM - edited 06-08-2022 01:48 PM
For VPN traffic that's OK.
For the internet you need dynamic NAT to translate private to public IPs.
object network inside-subnet
subnet x.x.x.x m.m.m.m
nat (inside,outside) dynamic interface
06-08-2022 02:06 PM
@Rob Ingram and @MHM Cisco World This worked. YAY!!!
Thank you very much for all the detailed explanation and guiding me through the process of NAT.