Unable to do a proper NAT from AWS Cisco ASA

jigarrg
Level 1

Hello All,

 

I am in need of some help. I have set up a Cisco ASA on AWS and I have a VPN connecting to the other side for my customer. The VPN established successfully, but I cannot route my inside EC2 instance to the internet through the ASA.

I did try to put in a NAT statement such as

nat (inside,outside) source static inside_interface interface no-proxy-arp

This works for my EC2 instance to get to the internet, but then the tunnel won't come up.

I don't know which NAT statement is correct on a Cisco ASA in AWS.

Can anyone help me determine the correct NAT statement for this? I have attached the configuration I have used for my VPN tunnel WITHOUT NAT right now, as both VPN tunnels are doing NAT-T.


15 Replies

no attachment 

jigarrg
Level 1

Sorry forgot to attach, attaching here.

access-list CS-TO--ED extended permit ip <ip and subnet> host <host> log

nat (inside,outside) source static <ip and subnet> <ip and subnet> destination static host <host> host <host>

@MHM Cisco World What would my <host> be in this case? Would it be my outside interface IP or the IP that I define in the access-list?

Because I did put my outside interface IP and it did not work.

Use the same source and destination from the IPsec ACL in the exemption NAT.

But this ACL is used in my crypto map for my VPN traffic. I don't believe I need the same host in my NAT statement; correct me if I am wrong.

Why do we need NAT exemption?
We need it to
exempt the source and destination of traffic passing through the VPN from NAT.

NOW,
even if you use only one host and not a subnet, this exemption NAT needs to include the destination and not NAT it.

Why do I need the destination?
For example, there is a dynamic NAT for a host when it wants to access the internet, so we use dynamic NAT to the outside of the FW,
and the same host must connect to the other side of the VPN.

So how do we deal with the dynamic NAT?
Simply, we configure the exemption NAT; then when the FW sees source -> destination, it will use this NAT and escape the dynamic NAT.
That is why we need to include the destination in the NAT: it informs the FW that this traffic will pass through the VPN and not go to the internet.

@jigarrg Remove your existing Manual NAT rule for internet access and recreate as an Auto NAT rule.

 

no nat (inside,outside) source static inside_interface interface no-proxy-arp
!
object network inside_interface
nat (inside,outside) dynamic interface

Create a new Manual NAT rule for NAT exemption of the VPN traffic.

nat (inside,outside) source static inside_interface inside_interface destination static VPN-NET VPN-NET

 Replace the inside_interface object if different and create an object to represent the destination host/subnet.

jigarrg
Level 1

Thank you @Rob Ingram and @MHM Cisco World for the detailed explanation.

I did put in the NAT statement as you recommended, and it did not drop the VPN traffic; I am seeing hits on the NAT translations as well.

But the same host (which is used by the VPN) still cannot reach the internet.

FYI, my VPN was working without a NAT statement, but the internet was not.

@jigarrg please provide the output of "show nat detail" and tell us the source IP address that cannot access the internet.

Run packet-tracer from the CLI to simulate the traffic flow of the host accessing the internet. E.g.

 

packet-tracer input <interfacename> tcp <host> 3000 8.8.8.8 80

Hi Rob,

 

Here is the output of the NAT statement:

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static ec2_instance ec2_instance  destination static VPN_host1 VPN_host1
    translate_hits = 117, untranslate_hits = 117
    Source - Origin: 172.32.3.126/32, Translated: 172.32.3.126/32
    Destination - Origin: 139.60.155.5/32, Translated: 139.60.155.5/32
2 (inside) to (outside) source static ec2_instance ec2_instance  destination static VPN_host2 VPN_host2
    translate_hits = 119, untranslate_hits = 119
    Source - Origin: 172.32.3.126/32, Translated: 172.32.3.126/32
    Destination - Origin: 139.60.155.4/32, Translated: 139.60.155.4/32

and Packet tracer output

AwsCiscoASAv(config)# packet-tracer input inside tcp 172.32.3.126 3000 8.8.8.8$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 6622 ns
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Elapsed time: 8729 ns
Config:
Additional Information:
Found next-hop 172.32.4.1 using egress ifc  outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 6471 ns
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 6471 ns
Config:
Additional Information:

Phase: 5
Type: QOS
Subtype:
Result: ALLOW
Elapsed time: 11739 ns
Config:
Additional Information:

Phase: 6
Type: ACCESS-LIST
Subtype: log
Result: DROP
Elapsed time: 3311 ns
Config:
access-group inside_out out interface outside
access-list inside_out extended deny ip any any log
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Time Taken: 43343 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000563490cb1eb5 flow (NA)/NA

Here is the access-list I am using, which allows the inside host to ping out, and the same for outside_in:

access-list CS-TO--ED extended permit ip <ip and subnet> host <host> log
access-list CS-VPN--INSIDE-IN extended permit icmp host <host> host <host> log
access-list CS-VPN--INSIDE-IN extended permit icmp host <host> host <host> log
access-list CS-VPN--INSIDE-IN extended permit tcp host <host> host <host> eq www log
access-list CS-VPN--INSIDE-IN extended permit tcp host <host> host <host> eq www log
access-list CS-VPN--INSIDE-IN extended permit tcp host <host> host <host> eq 443 log
access-list CS-VPN--INSIDE-IN extended permit tcp host <host> host <host> eq 443 log
access-list CS-VPN--INSIDE-IN extended deny ip any any log
access-list CS-TO--ED2 extended permit ip <ip and subnet> host <host> log
access-list outside_in extended permit icmp any any log debugging
access-list outside_in extended deny ip any any log debugging
access-list inside_out extended permit icmp host <host> any log
access-list inside_out extended permit tcp host <host> any eq https log
access-list inside_out extended permit udp host <host> any eq domain log
access-list inside_out extended deny ip any any log

@jigarrg well, you've got an inside_out ACL that doesn't appear to permit "http" traffic, so that's why the packet-tracer failed; try again with https.

Also, you've not got the Auto NAT rule for internet access, as per the suggestion/example above.
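Pulling the thread together, here is a consolidated ASA configuration that applies the two corrections identified above (the Auto NAT rule for internet access from Rob Ingram's and MHM Cisco World's replies, and the missing http permit in the egress ACL). This is an added example, not configuration posted by anyone in the thread. The object names and addresses come from the posted "show nat detail" output; the inside_out ACL host is assumed to be the same 172.32.3.126 instance (it is redacted in the post), the VPN-NET object-group is constructed here from the two peer hosts, and the crypto map, tunnel-group and IKE settings are assumed to exist already and are omitted.

```cisco
! Added example (not from the thread). Addresses are taken from the posted
! "show nat detail"; the inside_out host and the VPN-NET group are assumptions.
!
! --- Objects ---
object network ec2_instance
 host 172.32.3.126
object network VPN_host1
 host 139.60.155.5
object network VPN_host2
 host 139.60.155.4
object-group network VPN-NET
 network-object object VPN_host1
 network-object object VPN_host2
!
! --- NAT ---
! 1) Remove the original Manual NAT rule. It sat in Section 1 with no
!    destination clause, so it matched the VPN-bound traffic too: the source
!    was translated before the crypto map lookup and no longer matched the
!    crypto ACL, which is why the tunnel stopped coming up.
no nat (inside,outside) source static inside_interface interface no-proxy-arp
!
! 2) Manual NAT identity rule (Section 1) for the VPN traffic. Source and
!    destination are both mapped to themselves, so the packet is left alone
!    only when it is headed for the peer network. no-proxy-arp and
!    route-lookup are the usual hardening for identity NAT: the ASA does not
!    answer ARP for the exempted addresses, and picks the egress interface
!    from the routing table rather than from the NAT rule.
nat (inside,outside) source static ec2_instance ec2_instance destination static VPN-NET VPN-NET no-proxy-arp route-lookup
!
! 3) Auto NAT (Section 2) dynamic PAT to the outside interface address for
!    everything else from the instance. Section 1 is evaluated first, so the
!    exemption above always wins for VPN destinations.
object network ec2_instance
 nat (inside,outside) dynamic interface
!
! --- Egress ACL ---
! The posted inside_out ACL permitted icmp, https and dns only, which is why
! packet-tracer to 8.8.8.8 port 80 ended in acl-drop. Add http only if the
! instance really needs it; otherwise keep the narrower list and test with 443.
access-list inside_out extended permit icmp host 172.32.3.126 any log
access-list inside_out extended permit tcp host 172.32.3.126 any eq www log
access-list inside_out extended permit tcp host 172.32.3.126 any eq https log
access-list inside_out extended permit udp host 172.32.3.126 any eq domain log
access-list inside_out extended deny ip any any log
access-group inside_out out interface outside
!
! --- Verification ---
! Internet-bound flow: the NAT phase should show the dynamic interface rule
! and the result should be ALLOW. VPN-bound flow: the identity rule should
! match and a VPN (encrypt) phase should appear in the trace.
packet-tracer input inside tcp 172.32.3.126 3000 8.8.8.8 443
packet-tracer input inside tcp 172.32.3.126 3000 139.60.155.5 443
show nat detail
show crypto ipsec sa
```

Two checks outside the ASA itself are worth doing when this runs in AWS: the inside EC2 subnet's route table must send 0.0.0.0/0 to the ASA's inside ENI, and source/destination checking must be disabled on the ASA's ENIs, or AWS drops the forwarded packets before the ASA ever sees them. The dynamic PAT translates to the outside interface's private address; the Elastic IP mapping on that ENI then carries it to the public address, which is also why both tunnels show NAT-T. If decrypted traffic from the peer is dropped even though the tunnel is up, check that sysopt connection permit-vpn (on by default) has not been disabled, since with it off the outside_in ACL would have to permit the VPN hosts explicitly.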

For VPN traffic that is OK.
For the internet you need dynamic NAT to translate the private IP to the public IP.

object network inside-subnet
 subnet x.x.x.x
 nat (inside,outside) dynamic interface

@Rob Ingram and @MHM Cisco World This worked. YAY!!!

Thank you very much for all the detailed explanation and guiding me through the process of NAT.