Policy Nat
Hi all,
Please can someone explain when I should use Policy NAT?
thanks.
Hi Mike,
Will this be a configuration of policy?
access-list PolicyNAT-Cust1 extended permit ip host Oracle 142.101.64.0 255.255.255.0
access-list PolicyNAT-Cust1 extended permit ip host Oracle 142.101.65.0 255.255.255.0
nat (DMZ-MGMT) 10 access-list PolicyNAT-Cust1 outside
Thanks.
Similar Messages
-
Static Policy NAT in VPN conflicts with Static NAT
I have a situation where I need to create a site-to-site VPN between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises in that the LAN behind the Cisco ASA has the same subnet as a currently existing VPN created on the Sonicwall. Since the Sonicwall can't have two VPNs both going to the same subnet, the solution is to use policy NAT on the ASA so that to the Sonicwall, the new VPN appears to have a different subnet.
The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a VPN created to a different client with that same subnet). I am trying to translate that to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The pertinent configuration of the ASA is:
interface Vlan1
ip address 192.168.10.1 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
static (inside,outside) 192.168.24.0 access-list VPN
crypto map outside_map 1 match address outside_1_cryptomap
In addition to this, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, e.g.:
static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
The problem is this: When I enter the static policy NAT statement, I get the message "Warning: real-address conflict with existing static" and then it refers to each of the static NAT statements that translate the outside address to the server. I thought about this, and it seemed to me that the problem was that the policy NAT statement needed to be the first NAT statement (it is last) so that it would be handled first and all traffic destined for the VPN tunnel to the Sonicwall (destination 10.159.0.0/24) would be correctly handled. If I left it as the last statement, then the other static NAT statements would prevent some traffic destined for the 10.159.0.0/24 network from being correctly routed through the VPN.
So I tried first to move my policy NAT statement up in the ASDM GUI. However, moving that statement was not permitted. Then I tried deleting the five static NAT statements that point to the server (one example is above) and then recreating them, hoping that would then move the policy NAT statement to the top. This also failed.
What am I missing?
Hi,
To be honest it should work in the way I mentioned. I am not sure why it would change the order of the NAT configurations. I have run into this situation on some ASA firewalls running the older software (older than 8.2) and the reordering of the configurations has always worked.
So I am not sure whether we are looking at some bug or what the problem is.
I was wondering if one solution would be to configure all of the Static NAT / Static PAT as Static Policy NAT/PAT
I have gotten a bit rusty on the older (8.2 and older) NAT configuration format as over 90% of our customer firewalls are running 8.3+ software.
I was thinking of this kind of "static" configuration for the existing Static PAT configurations if you want to try
access-list STATICPAT-SMTP permit tcp host eq smtp any
static (inside,outside) tcp interface smtp access-list STATICPAT-SMTP
access-list STATICPAT-HTTPS permit tcp host eq https any
static (inside,outside) tcp interface https access-list STATICPAT-HTTPS
access-list STATICPAT-RDP permit tcp host eq 3389 any
static (inside,outside) tcp interface 3389 access-list STATICPAT-RDP
access-list STATICPAT-TCP4125 permit tcp host eq 4125 any
static (inside,outside) tcp interface 4125 access-list STATICPAT-TCP4125
access-list STATICPAT-POP3 permit tcp host eq pop3 any
static (inside,outside) tcp interface pop3 access-list STATICPAT-POP3
Naturally you would add the Static Policy NAT for the VPN first.
Again I have to say that I am not 100% sure if this is the correct format; maybe you can test it with a single service that has a Static PAT. For example the Static PAT for RDP (TCP/3389): first entering the Static Policy NAT, then removing the Static PAT and then entering the Static Policy PAT.
Remember that you should be able to test the translations with the "packet-tracer" command
For example
packet-tracer input outside tcp 1.1.1.1 12345
- Jouni -
I'm evaluating the SA500 series. Running v1.1.42. I do not immediately see a way to do policy-nat. Does the feature not exist?
It would be like-
access-list POLICY_NAT extended permit ip
static (inside,outside) access-list POLICY_NAT
access-list OUTSIDE_CRYPTOMAP extended permit ip < destination >
Thanks
Ajay -
I have an internal firewall between two private networks.
I want all addressing on the inside to use the global and I want any internal address destined for a group of servers on port 23 on the external to use a pool of addresses
The inside network is 10.0.0.0/8 and the destination subnet is 10.130.29.0/25. Routes exist and connectivity works
Here's the config
global (outside) 1 10.130.29.2
nat (inside) 1 access-list nat
access-list nat deny ip host 10.7.2.206 any
access-list nat deny ip host 10.7.2.207 any
access-list nat permit ip any any
I've added:
object-group network SERVERS
network-object host 195.104.88.151
network-object host 195.104.88.152
network-object host 195.104.88.153
access-list serv_acl permit tcp 10.0.0.0 255.0.0.0 object-group SERVERS eq 23
global (outside) 2 10.130.29.117-10.130.29.126 netmask 255.255.255.128
nat (inside) 2 access-list serv_acl
The SERVERS are destined for another network beyond the firewall but I need to translate any address from the internal to pool 2. I can connect using the global but after applying the added config above the connection is still using the global. The xlate was cleared.
Is the subnet mask correct for the pool?
Any help appreciated.
Hi,
So you say that your traffic is hitting the original Dynamic Policy PAT rule after configuring the new Dynamic Policy NAT rule?
I think this is because of the NAT ordering.
I am not sure if the "ID" of the NAT configuration has any meaning but I would try changing the NAT configuration in the following way
no global (outside) 1 10.130.29.2
no nat (inside) 1 access-list nat
global (outside) 100 10.130.29.2
nat (inside) 100 access-list nat
Then perhaps "clear xlate" if situation permits.
This should do so that the new Dynamic Policy NAT rule is the first to be matched and the original rule comes after that.
Notice that the original rule has a "permit ip any any" ACL rule which matches all traffic. So everything gets matched to it and won't get matched to the new rule.
Can you try this out and see how it goes?
- Jouni -
Hi Dears.
I configured a site-to-site VPN on a router. The peer wants the interesting traffic from our side's user subnet to be 10.193.115.11, but our local subnet is 10.103.70.0/24. Our local subnet also has access to the internet.
local subnet: 10.10.3.70.0/24
peer local subnet: 10.193.128.11/23
I think that I must do policy NAT.
1. ip access-list extended vpn-traffic
permit ip 10.193.115.0 0.0.0.255 10.193.128.0 0.0.1.255
2. ip access-list extended nat-ipsec
permit ip 10.103.70.0 0.0.0.255 10.193.128.0 0.0.1.255
3.ip nat pool mswpool 10.193.115.1 10.193.115.14 netmask 255.255.255.240
ip nat inside source list nat-ipsec pool mswpool
And i have also PAT Nat for local user.
access-list 100 permit ip 10.103.70.0 0.0.0.255 any
ip nat inside source list 100 interface GigabitEthernet0/0 overload
Is this configuration right?
Please write your comment.
thanks.
ok. thanks.
At last our configuration is this:
access-list 100 deny ip 10.103.70.0 0.0.0.255 10.193.128.0 0.0.1.255
access-list 100 permit ip 10.103.70.0 0.0.0.255 any
ip nat inside source list 100 interface GigabitEthernet0/0 overload
for vpn traffic:
ip nat pool mswpool 10.193.115.1 10.193.115.14 netmask 255.255.255.240
ip nat inside source list nat-ipsec pool mswpool
ip access-list extended vpn-traffic
permit ip 10.193.115.0 0.0.0.255 10.193.128.0 0.0.1.255
ip access-list extended nat-ipsec
permit ip 10.103.70.0 0.0.0.255 10.193.128.0 0.0.1.255
You said that this configuration will help me with my aim.
thanks again. -
PDM does not support Policy nat
I have had to build a VPN on a PIX 6.34 using policy NAT, however this has now made the PDM practically unusable. Is there a way to do this without disabling the PDM?
Yes it is possible to configure NAT with PDM. Make sure the static NAT configuration is right.
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694. For example static (DMZ, inside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0 . Format should always be Static(DMZ, *) if x.x.x.x is on DMZ. -
Policy NAT 8.6(1)2 Windows Server Cluster
We have 2 email servers in a cluster on the network. I have the cluster IP address configured for Object static NAT. This works great for email coming into our organization. However, when either of these 2 email servers send mail, they send using their configured IP address which is different from the cluster IP address. Thus, the NAT'd address is different than for incoming. It hasn't been an issue to this point, but I would like to be able to send SMTP from either server and have it NAT to the same IP used for the cluster IP. This way, any reverse DNS lookups on the internet would show a consistent IP to name mapping for our mail servers. I've attached a diagram. If there is a way to force the cluster servers to use the cluster address on the Windows server side, that could be an option as well.
Thanks,
Andrew
Hi,
The actual NAT configuration used depends on how your Dynamic PAT rule for all the users of the network is configured at the moment. Mainly, is it Auto NAT or Manual NAT?
Though naturally I can give you an example that includes both Dynamic PAT for all users and Dynamic PAT for the Mail servers and the Static NAT for incoming mail.
MAIL SERVER STATIC NAT
object network MAIL-SERVER
host 10.0.0.1
nat (inside,outside) static 10.10.10.140
The above configuration is the basic Static NAT configuration for a host using Auto NAT / Network Object NAT. It could be done with Manual NAT / Twice NAT also but I prefer Auto NAT / Network Object NAT
MAIL SERVER DYNAMIC PAT
object-group network MAIL-PAT-SOURCE
network-object host 10.0.0.1
network-object host 10.0.0.2
network-object host 10.0.0.3
object network MAIL-SERVER-PUBLIC
host 10.10.10.140
nat (inside,outside) after-auto source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
The above is a normal Dynamic PAT configuration (no Policy elements involved).
The key thing to notice here is that we are entering this into the ASA before the next Dynamic PAT that catches all the rest of the source IP addresses. One thing to notice also is that it's a Section 3 NAT rule (the lowest priority) so that it won't override any other NAT rules like the above Static NAT.
If you had your existing Dynamic PAT for all users already with a similar configuration to the last configuration example, then you would have to add a line number to the NAT configuration like this
nat (inside,outside) after-auto 1 source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
DEFAULT DYNAMIC PAT FOR USERS
nat (inside,outside) after-auto source dynamic any interface
The above is just a Dynamic PAT configuration that catches all source addresses from behind the "inside" interface and does Dynamic PAT for them when connecting to networks behind "outside". As this is inserted into the configuration after the above command it will be at a lower priority and won't apply to the 3 source hosts we specified above.
I wonder if I made this out to be more complicated than it needs to be
I guess the easiest way to determine the configuration you will need/want would be to see the current NAT configuration on the ASA
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni -
ASA policy-nat is working but acl is not hit
Hope you guys can help explain why is it working this strange. Thank you.
access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224
static (inside,outside) 192.168.100.100 access-list NET1
ciscoasa(config)# show access-list
access-list NET1 line 1 extended permit ip host 10.1.2.27 10.76.5.0 255.255.255.224 (hitcnt=0) 0x19580e75
ciscoasa(config)# show xlate
3 in use, 4 most used
Global 192.168.100.100 Local 10.1.2.27
ciscoasa(config)# show nat
NAT policies on Interface inside:
match ip inside 10.1.2.27 255.255.255.255 outside 10.76.5.0 255.255.255.224
static translation to 192.168.100.100
translate_hits = 9, untranslate_hits = 28
Hi,
It seems as if this is the behavior with access lists that are associated with NAT. I did a few checks around the support forums and found that this could be the issue and there isn't anything to worry about. However if you can move this thread to the firewalling community I am sure they will be able to confirm this for you.
Tarik Admani
*Please rate helpful posts* -
Policy Nat ASA 8.6(1)
Going from a Pix 515E to an ASA 5515 and trying to mirror the configuration. I believe I have most of it correct, but this one issue persists that I'm trying to get resolved. There are a number of vpn tunnels that terminate on the Pix and on some of them the remote party has an overlapping subnet so to remedy this the following configuration was used:
global (outside) 3 192.168.201.0
global (outside) 4 192.168.205.0
nat (inside) 4 access-list NAT1 0 0
nat (inside) 3 access-list NAT 0 0
access-list NAT permit ip 192.168.101.0 255.255.255.0 host 10.100.3.215
access-list NAT1 permit ip 192.168.105.0 255.255.255.0 host 10.100.3.215
This works fine. On the ASA I tried using this:
object network obj-10.100.3.215
host 10.100.3.215
object-group network obj-192.168.105.0_2
network-object 192.168.105.0 255.255.255.0
object-group network obj-192.168.101.0_2
network-object 192.168.101.0 255.255.255.0
nat (inside,outside) source dynamic obj-192.168.101.0_2 obj-192.168.201.0_3 destination static obj-10.100.3.215 obj-10.100.3.215
nat (inside,outside) source dynamic obj-192.168.105.0_2 obj-192.168.205.0_3 destination static obj-10.100.3.215 obj-10.100.3.215
That didn't work (the tunnel was up because I have a number of other subnets that were able to access the remote party, but not the 2 that need to be nat'd). I cleared this and tried it again w/ the following:
object network obj-10.100.3.215
host 10.100.3.215
object-group network obj-192.168.205.0_2
network-object 192.168.205.0 255.255.255.0
object-group network obj-192.168.201.0_2
network-object 192.168.201.0 255.255.255.0
object-group network obj-192.168.105.0_2
network-object 192.168.105.0 255.255.255.0
object-group network obj-192.168.101.0_2
network-object 192.168.101.0 255.255.255.0
nat (inside,outside) source static obj-192.168.101.0_2 obj-192.168.105.0_2 destination static obj-10.100.3.215 obj-10.100.3.215
nat (inside,outside) source static obj-192.168.105.0_2 obj-192.168.205.0_2 destination static obj-10.100.3.215 obj-10.100.3.215
If I do a packet-tracer trace it appears to NAT properly to a 205.x address, but when I actually attempt it from the PC it fails. Is the syntax correct? I asked for a trace-route from the PC at the time it failed but it wasn't provided.
I am trying to replace an ASA 5510 with an ASA 5515-X. When I try the same nat command as listed above I get this message
"ERROR: This syntax of nat command has been deprecated."
Is there an alternative to NAT to an access-list?
Thanks. -
Hi. I have a client with a failover 5520 pair. Two DMZs. The client wants to see "some" DMZ servers using the servers' PUBLIC IP addresses "as well as" the DMZ addresses. Is this even possible? If not, is it possible to see some via their translated public IPs and others with the local DMZ addresses? Confused....
Hello,
It's quite possible to have DMZ ip addresses connected to by the 'inside' and have those same servers also connected to by the internet on their public IP addresses (assuming your DMZ is privately addressed and NAT is set up from outside-->dmz)
Is this what you are asking?
--Jason -
IPSec tunnel and policy NAT question
Hello All!
I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPSEC tunnel as follows:
1. I need to translate incoming IP address of the remote end of IPSec tunnel to some other IP address on our end
2. I need to translate the outgoing IP address of our end of the IPSec tunnel to a different IP address
I have implemented the following configuration, but for some reason it is not working: I get packets decrypted on my end, but don't have packets encrypted to send to the other end.
Here is the configuration
Remote end crypto interesting ACL:
ip access-list extended crypto-interesting-remote
permit ip host 192.168.1.10 host 10.0.0.10
My end configuration:
interface GigabitEthernet0/0
ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map VPN
ip access-list extended crypto-interesting-local
permit ip host 10.0.0.10 host 192.168.1.10
interface GigabitEthernet0/3
ip address 172.16.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
speed auto
ip nat inside source static 172.16.0.20 10.0.0.10 (to translate local IP address to the one on the crypto-interesting list - exposed to the remote peer - it works)
ip nat outside source static 192.168.1.10 192.168.168.10 (to translate remote IP address to some other IP address on our end - not working - I get packets decrypted, but no packets encrypted)
ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa
All the routes are set, crypto ipsec tunnel is up and working and I am wondering if this is possible to achieve two-way NAT translation ?
Any response highly appreciated!
Thanks!
Figured that out.
The problem was in route
ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
should be next-hop IP address instead of interface gigabitethernet0/0
Apparently the packet arrives on the interface but does not pass it when having a route like this, because there is no one sitting with the 192.168.168.10 IP address on the outside -
Cisco ASA Site to Site IPSEC VPN and NAT question
Hi Folks,
I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what I want is to set up NAT with IPSEC VPN so that hosts at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 with translated addresses
Just an example:
Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet should be the same in this case .5)
The same translation for the rest of the communication (Host N2 pings host N3 destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
It sounds a bit confusing for me but I have seen this type of setup before when I worked for a managed service provider where we had connections to our clients (Site to Site IPsec VPN with NAT, not sure how it was set up)
Basically we were communicating with client hosts over site to site VPN but their real addresses were hidden and we were using translated address as mentioned above 10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the same.
Appreciate if someone can shed some light on it.
Hi,
OK, so we're going with the older NAT configuration format
To me it seems you could do the following:
Configure the ASA1 with Static Policy NAT
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration won't interfere with each other
On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network
access-list INSIDE-NONAT remark L2LVPN NONAT
access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT
You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network
ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
I could test this setup tomorrow at work but let me know if it works out.
Please rate if it was helpful
- Jouni -
ASA IPsec Remote Access VPN | NAT Question
We have a situation where a company that needs remote VPN access to our network is having an IP conflict with our subnet. I know this is a common issue and can often be resolved on the client side by changing the metric on the network interface, but I am looking for a better solution on our end so I do not have to suggest workarounds.
Part of the problem is likely that our subnet is "too big", but I'm not going to be changing that now.
We are using 10.0.0.0/24 and the remote is using 10.0.11.0/24 and 10.1.0.0/16
I played around with some NAT rules and feel that I am missing something. I am looking for suggestions, please.
Thank you.
Hi,
This depends on your ASA firewalls software version and partly on its current NAT configurations.
I presume the following
Interfaces "inside" and "outside"
VPN Pool network of 10.10.100.0/24 (or some 192/172 network)
Software 8.2 and below
access-list VPN-POLICYNAT remark Static Policy NAT for VPN Client
access-list VPN-POLICYNAT permit ip 10.0.0.0 255.255.255.0 10.10.100.0 255.255.255.0
static (inside,outside) 192.168.10.0 access-list VPN-POLICYNAT
Key things to keep in mind with this software level is that if any of our internal hosts on the network 10.0.0.0/24 also have a "static" configuration that binds their local IP address to a public IP address then you might have to insert the above configuration and then remove the original "static" command and enter it back again.
This will change the order of the "static" commands so that the original "static" command won't override this new configuration, as they are processed in the order they are inserted into the configuration. The remove/add part is just to change their order in the configuration
Software 8.3 and above
object network LAN
subnet 10.0.0.0 255.255.255.0
object network LAN-VPN
subnet 192.168.10.0 255.255.255.0
object-group network VPN-POOL
subnet 10.10.100.0 255.255.255.0
nat (inside,outside) 1 source static LAN LAN-VPN destination static VPN-POOL VPN-POOL
In the above configuration we do the same as in the older software versions configuration but we have the number "1" in the "nat" configuration which places it at the very top of your NAT configurations and therefore it applies. No need to remove any existing configuration and enter them again like in the old software
In addition to the above NAT configuration you naturally have to make sure that the traffic to the NATed LAN network goes to the VPN. So if using Split Tunnel the NAT network needs to be added to the VPN ACL. If using Full Tunnel then naturally everything should already be coming through the VPN. I imagine though that you are using Split Tunnel, or?
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni -
ASA 5505: Site-to-Site VPN, NAT (Overlap Subnets)
Greetings all. I've searched through the forums and have found some similar situations to mine but nothing specific. I'm hoping this is an easy fix... :/
I volunteer for a non-profit medical facility that has an ASA 5505 (v8.4). They needed a site-to-site VPN to another facility (a Fortinet w/ 10.10.115.0/24) to securely transfer digital X-Ray images. Very simple setup... the issue is, my 5505 (192.168.1.x) overlaps with another site-to-site VPN connection on the Fortinet side already. So...
The network admin on the Fortinet side assigned me 172.31.1.0/24. I have established a connection but obviously, cannot route anywhere to the other side. Anyone have any suggestions here, how I might be able to accomplish this - hopefully with a simple NAT setup?
Thank you in advance everyone.
Hello Chris,
For this scenario you will need to create a Policy-NAT rule and then configure the Interesting Traffic with the translated IP address.
Basically the NAT configuration will be like this:
object network Local-net
subnet 192.168.1.0 255.255.255.0
object network Translated-net
subnet 172.31.1.0 255.255.255.0
object network Fortinet-net
subnet 10.10.115.0 255.255.255.0
nat (inside,outside) source static Local-net Translated-net destination static Fortinet-net Fortinet-net
Obviously, you can change the name of the objects.
Then in the interesting traffic, the ACL that is applied in the crypto map and defines the VPN traffic, you will need to configure it like this:
access-list anyname permit ip 172.31.1.0 255.255.255.0 10.10.115.0 255.255.255.0
This should allow you to pass traffic over this tunnel and it will hide your network behind the network that the Fortinet assigned you.
Let me know if you have any doubts.
Daniel Moreno
Please rate any posts you find useful -
ASA rpf-check DROP, ASA checking NAT in the incorrect interface
Hi
My current architecture is :
Internet <--> FW <--> ASA <--> LAN
FW <--> ASA
we have two links between ASA and the FW, the corresponding ASA interfaces are "outside" and "vpn"
the "outside" interface is used for browsing Internet, also for making some services accessible to our partners by doing NAT to our servers
the "vpn" interface is used to grant access to our LANs from remote Offices
Let's say that firewall rules are OK and the remote offices have access to the whole LAN on port 80
below the current configuration :
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 192.168.11.2 255.255.255.0
interface GigabitEthernet0/2
nameif vpn
security-level 0
ip address 192.168.12.2 255.255.255.0
object-group network Inside_LANs
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
access-list Inside-to-outside extended permit icmp object-group Inside_LANs any echo
access-list Inside-to-outside extended permit udp any host TimeServer eq ntp
access-list Inside-to-outside extended permit ip object-group Inside_LANs any
global (outside) 1 interface
global (outside) 2 192.168.11.60 netmask 255.255.255.255
nat (inside) 1 access-list Inside-to-outside
nat (inside) 2 192.168.6.0 255.255.255.0
static (inside,outside) 192.168.11.10 192.168.2.10 netmask 255.255.255.255
static (inside,outside) 192.168.11.11 192.168.2.11 netmask 255.255.255.255
static (inside,outside) 192.168.11.12 192.168.2.12 netmask 255.255.255.255
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
route inside 192.168.4.0 255.255.255.0 192.168.1.1 1
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
route vpn 192.168.20.0 255.255.255.0 192.168.12.1 1
Our problem is that packets are dropped from the remote office to the LAN; we are getting the rpf-check drop in packet-tracer
example 1 (to a server without NAT 192.168.2.13) ---> connection OK (not dropped)
remote office 192.168.20.55 to 192.168.2.13
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 access-list Inside-to-outside
match udp inside any inside host TimeServer eq 123
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
example 2 (to a server with static NAT 192.168.2.10) ---> connection OK (not dropped)
remote office 192.168.20.55 to 192.168.2.10
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 192.168.11.10 192.168.2.10 netmask 255.255.255.255
match ip inside host 192.168.2.10 outside any
static translation to 192.168.11.10
translate_hits = 76643, untranslate_hits = 188597
Additional Information:
example 3 (to a host with dynamic ACL NAT 192.168.4.40) ---> connection NOK (dropped)
remote office 192.168.20.55 to 192.168.4.40
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 access-list Inside-to-outside
match ip inside 192.168.4.0 255.255.255.0 vpn any
dynamic translation to pool 1 (No matching global)
translate_hits = 1, untranslate_hits = 0
Additional Information:
example 4 (to a host with dynamic Network NAT 192.168.6.30) ---> connection NOK (dropped)
remote office 192.168.20.55 to 192.168.6.30
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 2 192.168.6.0 255.255.255.0
match ip inside 192.168.6.0 255.255.255.0 vpn any
dynamic translation to pool 2 (No matching global)
translate_hits = 117, untranslate_hits = 0
Additional Information:
our questions :
1) Why doesn't the ASA check the reverse path route before checking the NAT?
If it did, the route back to the office is set to the "vpn" interface (route vpn 192.168.20.0 255.255.255.0 192.168.12.1 1), so the ASA wouldn't have to check NAT on another interface; currently it's checking the NAT on the "outside" interface even though that's not the route back to the office.
2) Why is it working for static NAT servers and not working for the dynamic NAT ones?
When the ASA checks a server with static NAT it finds a match on the outside interface, but even so it discards it and the connection works (example 2).
When the ASA checks a server/host with dynamic NAT (ACL or Network) it finds a match on the outside interface but drops the connection.
3) We know that this behavior can be solved by adding a NAT exception for the dynamic NAT on the "outside" interface (nat (inside) 0 access-list Inside-NAT-Exceptions), but:
Why is the ASA checking the global NAT even if it's not the correct interface?
Why is it working for static NAT and not working for the dynamic one?
Thanks a lot
Hi,
It would be easier to troubleshoot if you shared the complete "packet-tracer" command you used and the full output of the command.
But to me the situation in its current form looks the following.
Example 1
To me it seems this is working as it should. The connection is coming from "vpn" to "inside". There are no "static" configurations between "vpn" and "inside" and there is no "nat" command for the "vpn" interface, so the traffic should pass normally without any NAT related conflicts/problems as the traffic does not match any NAT configuration.
Notice that the ASA might show some unrelated NAT information in the output of the "packet-tracer" command (commands related to other interfaces). In those NAT Phase sections there is a section saying "Additional Information:" If there is no text after this text that means that this NAT has not been applied. I am not sure why the ASA lists some NAT configurations in the output that are not related. I have seen this in many occasions and do not know the reason and I have not really put any time/effort into understanding why it shows the unrelated information in the output.
Example 2
This seems to be working as expected also.
According to the configuration provided there is no existing NAT configurations related to either the source or destination IP address on the ASA between "vpn" and "inside" interface so the traffic passes through the ASA without facing any conflicts with NAT configurations.
Again, the "packet-tracer" shows NAT information unrelated to this situation. And again the "Additional Information:" section lists no additional information so the NAT listed is not applied.
Example 3 and 4
These tests fail as expected since there is a Dynamic Policy PAT configuration for both internal destination hosts that the remote users are trying to connect to. The problem comes from the fact that the initial direction from remote to internal does not match any NAT configuration and the reverse direction from internal to remote matches the Dynamic Policy PAT and therefore the connection attempt is dropped. The connection must match the same NAT configuration on both directions.
In this situation you would either have to configure NAT0, Static NAT, Static PAT or Static Policy NAT/PAT which all would prevent the connection from matching to the Dynamic Policy PAT (but would match the mentioned type of NAT in both directions as they have higher priority than Dynamic Policy PAT). Typically the preferred solution would be to use NAT0 though you naturally have the option to use a NAT address if there is any overlap.
Hope this helps :)
- Jouni
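A toy model of the pre-8.3 NAT matching behaviour that three of the threads above turn on (the "nat (inside) 1 ... permit ip any any" ordering problem, the static policy NAT for the overlapping L2L VPN, and the rpf-check drops in this thread), added here as an example; it is not code from any of the posters or from Cisco. It assumes the order of operations is exemption, static, policy dynamic in configuration order, then regular dynamic by best match; it models only IP-level ACLs (no ports, globals or PAT pools) and uses constructed hosts such as 10.7.5.5 and 203.0.113.9 where the threads give none.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

@dataclass
class Ace:
    """One IP-only line of an extended ACL: permit/deny src dst (ports are not modeled)."""
    action: str
    src: IPv4Network
    dst: IPv4Network

def ace(action: str, src: str, dst: str) -> Ace:
    return Ace(action, ip_network(src), ip_network(dst))

def acl_permits(acl: List[Ace], src: IPv4Address, dst: IPv4Address) -> bool:
    """First-match ACL evaluation; a matching deny line stops the search."""
    for line in acl:
        if src in line.src and dst in line.dst:
            return line.action == "permit"
    return False

@dataclass
class NatRule:
    kind: str                             # "exempt" | "static" | "policy" | "dynamic"
    real_if: str                          # interface the real hosts sit behind
    acl: List[Ace]                        # traffic the rule applies to
    mapped_if: Optional[str] = None       # None = any interface, as with "nat (inside) N"
    mapped: Optional[IPv4Network] = None  # translated network of a static rule
    name: str = ""

# Assumed pre-8.3 order of operations: exemption, static, policy dynamic, regular dynamic.
ORDER = ("exempt", "static", "policy", "dynamic")

def lookup(rules, real_if, mapped_if, src, dst) -> Optional[NatRule]:
    """Rule picked for a packet from src (behind real_if) to dst (leaving via mapped_if)."""
    for kind in ORDER:
        hits = [r for r in rules if r.kind == kind and r.real_if == real_if
                and r.mapped_if in (None, mapped_if) and acl_permits(r.acl, src, dst)]
        if hits:  # regular dynamic NAT is best-match; the other kinds are first-match in config order
            return max(hits, key=lambda r: r.acl[0].src.prefixlen) if kind == "dynamic" else hits[0]
    return None

def translate_source(rule: Optional[NatRule], src: IPv4Address) -> IPv4Address:
    """Static network NAT keeps the host bits, e.g. 192.168.1.5 -> 10.23.1.5."""
    if rule is None or rule.kind != "static":
        return src
    offset = int(src) - int(rule.acl[0].src.network_address)
    return IPv4Address(int(rule.mapped.network_address) + offset)

def check_connection(rules, ingress, egress, src, dst) -> str:
    """New connection entering on `ingress` toward `egress`: the reverse flow may only hit a
    rule that is valid in both directions (exemption or static), else it is an rpf-check drop."""
    reverse = lookup(rules, egress, ingress, dst, src)
    if reverse is not None and reverse.kind in ("policy", "dynamic"):
        return "DROP rpf-check (%s)" % reverse.name
    return "ALLOW"

# (1) Policy NAT ordering: "nat (inside) 1 access-list nat" sits before
#     "nat (inside) 2 access-list serv_acl", so its "permit ip any any" wins on first match.
SERVERS = ["195.104.88.151/32", "195.104.88.152/32", "195.104.88.153/32"]
NAT1_CATCH_ALL = NatRule("policy", "inside", [ace("deny", "10.7.2.206/32", "0.0.0.0/0"),
                                              ace("deny", "10.7.2.207/32", "0.0.0.0/0"),
                                              ace("permit", "0.0.0.0/0", "0.0.0.0/0")], name="nat 1")
NAT2_SERVERS = NatRule("policy", "inside", [ace("permit", "10.0.0.0/8", s) for s in SERVERS], name="nat 2")

def pool_for_telnet(rules) -> str:
    """Which policy NAT rule a session from constructed host 10.7.5.5 to a SERVERS member hits."""
    hit = lookup(rules, "inside", "outside", ip_address("10.7.5.5"), ip_address("195.104.88.151"))
    return hit.name if hit else "none"

# (2) Static policy NAT for the overlapping L2L VPN: 192.168.1.0/24 is shown to the peer as
#     10.23.1.0/24 only when the destination is the peer's 10.1.0.0/16.
L2L_POLICYNAT = NatRule("static", "inside", [ace("permit", "192.168.1.0/24", "10.1.0.0/16")],
                        mapped_if="outside", mapped=ip_network("10.23.1.0/24"), name="static policy")

def source_seen_by_peer(src: str, dst: str) -> str:
    rule = lookup([L2L_POLICYNAT], "inside", "outside", ip_address(src), ip_address(dst))
    return str(translate_source(rule, ip_address(src)))

# (3) rpf-check: remote office 192.168.20.0/24 on "vpn" reaching hosts behind "inside".
INSIDE_LANS = ["192.168.3.0/24", "192.168.4.0/24", "192.168.5.0/24"]
RPF_RULES = [
    NatRule("static", "inside", [ace("permit", "192.168.2.10/32", "0.0.0.0/0")],
            mapped_if="outside", mapped=ip_network("192.168.11.10/32"), name="static 192.168.2.10"),
    NatRule("policy", "inside", [ace("permit", n, "0.0.0.0/0") for n in INSIDE_LANS], name="nat 1"),
    NatRule("dynamic", "inside", [ace("permit", "192.168.6.0/24", "0.0.0.0/0")], name="nat 2"),
]
# The fix the thread names: a nat 0 exemption for LAN <-> remote office, checked before everything.
NAT0_EXCEPTION = NatRule("exempt", "inside", [ace("permit", n, "192.168.20.0/24")
                                              for n in INSIDE_LANS + ["192.168.6.0/24"]], name="nat 0")

def from_remote_office(rules, target: str) -> str:
    """packet-tracer style verdict for remote host 192.168.20.55 connecting to `target`."""
    return check_connection(rules, "vpn", "inside", ip_address("192.168.20.55"), ip_address(target))
```

Reordering the two policy rules flips the result of pool_for_telnet, and prepending NAT0_EXCEPTION to RPF_RULES turns the two DROP verdicts into ALLOW, which is the behaviour the replies describe.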