Policy Nat

Hi all,
Please can someone explain when I should use Policy NAT?
thanks.

Hi Mike,
Will this be a configuration of policy?
access-list PolicyNAT-Cust1 extended permit ip host Oracle 142.101.64.0 255.255.255.0 
access-list PolicyNAT-Cust1 extended permit ip host Oracle 142.101.65.0 255.255.255.0 
nat (DMZ-MGMT) 10 access-list PolicyNAT-Cust1 outside
Thanks.

Similar Messages

  • Static Policy NAT in VPN conflicts with Static NAT

    I have a situation where I need to create a site-to-site VPN between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises in that the LAN behind the Cisco ASA has the same subnet as a currently existing VPN created on the Sonicwall. Since the Sonicwall can't have two VPNs both going to the same subnet, the solution is to use policy NAT on the ASA so that to the Sonicwall, the new VPN appears to have a different subnet.
    The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a VPN created to a different client with that same subnet). I am trying to translate that to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The pertinent configuration of the ASA is:
    interface Vlan1
    ip address 192.168.10.1 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0
    access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
    static (inside,outside) 192.168.24.0 access-list VPN
    crypto map outside_map 1 match address outside_1_cryptomap
    In addition to this, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, e.g.:
    static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
    The problem is this: When I enter the static policy NAT statement, I get the message "Warning: real-address conflict with existing static" and then it refers to each of the static NAT statements that translate the outside address to the server. I thought about this, and it seemed to me that the problem was that the policy NAT statement needed to be the first NAT statement (it is last) so that it would be handled first and all traffic destined for the VPN tunnel to the Sonicwall (destination 10.159.0.0/24) would be correctly handled. If I left it as the last statement, then the other static NAT statements would prevent some traffic destined for the 10.159.0.0/24 network from being correctly routed through the VPN.
    So I tried first to move my policy NAT statement up in the ASDM GUI. However, moving that statement was not permitted. Then I tried deleting the five static NAT statements that point to the server (one example is above) and then recreating them, hoping that would then move the policy NAT statement to the top. This also failed.
    What am I missing?

    Hi,
    To be honest, it should work in the way I mentioned. I am not sure why it would change the order of the NAT configurations. I have run into this situation on some ASA firewalls running the older software (older than 8.2) and the reordering of the configurations has always worked.
    So I am not sure if we are looking at some bug or what the problem is.
    I was wondering if one solution would be to configure all of the Static NAT / Static PAT as Static Policy NAT/PAT
    I have gotten a bit rusty on the older (8.2 and older) NAT configuration format as over 90% of our customer firewalls are running 8.3+ software.
    I was thinking of this kind of "static" configuration for the existing Static PAT configurations if you want to try
    access-list STATICPAT-SMTP permit tcp host eq smtp any
    static (inside,outside) tcp interface smtp access-list STATICPAT-SMTP
    access-list STATICPAT-HTTPS permit tcp host eq https any
    static (inside,outside) tcp interface https access-list STATICPAT-HTTPS
    access-list STATICPAT-RDP permit tcp host eq 3389 any
    static (inside,outside) tcp interface 3389 access-list STATICPAT-RDP
    access-list STATICPAT-TCP4125 permit tcp host eq 4125 any
    static (inside,outside) tcp interface 4125 access-list STATICPAT-TCP4125
    access-list STATICPAT-POP3 permit tcp host eq pop3 any
    static (inside,outside) tcp interface pop3 access-list STATICPAT-POP3
    Naturally you would add the Static Policy NAT for the VPN first.
    Again I have to say that I am not 100% sure if this is the correct format; maybe you can test it with a single service that has a Static PAT. For example the Static PAT for RDP (TCP/3389): first entering the Static Policy NAT, then removing the Static PAT and then entering the Static Policy PAT.
    Remember that you should be able to test the translations with the "packet-tracer" command
    For example
    packet-tracer input outside tcp 1.1.1.1 12345
    - Jouni

  • SA520 policy-nat for IPsec

    I'm evaluating the SA500 series.  Running v1.1.42.  I do not immediately see a way to do policy-nat.  Does the  feature not exist?

    It would be like-
    access-list POLICY_NAT extended permit ip  
    static (inside,outside)    access-list POLICY_NAT
    access-list OUTSIDE_CRYPTOMAP extended permit ip < destination >
    Thanks
    Ajay

  • Policy nat address pool

    I have an internal firewall between two private networks.
    I want all addressing on the inside to use the global, and I want any internal address destined for a group of servers on port 23 on the external to use a pool of addresses.
    The inside network is 10.0.0.0/8 and the destination subnet is 10.130.29.0/25. Routes exist and connectivity works.
    Here's the config:
    global (outside) 1 10.130.29.2
    nat (inside) 1 access-list nat
    access-list nat deny ip host 10.7.2.206 any
    access-list nat deny ip host 10.7.2.207 any
    access-list nat permit ip any any
    I've added:
    object-group network SERVERS
      network-object host 195.104.88.151
      network-object host 195.104.88.152
      network-object host 195.104.88.153
    access-list serv_acl permit tcp 10.0.0.0 255.0.0.0 object-group SERVERS eq 23
    global (outside) 2 10.130.29.117-10.130.29.126 netmask 255.255.255.128
    nat (inside) 2 access-list serv_acl
    The SERVERS are destined for another network beyond the firewall but I need to translate any address from the internal to pool 2. I can connect using the global, but after applying the added config above the connection is still using the global. The xlate was cleared.
    Is the subnet mask correct for the pool?
    any help appreciated.

    Hi,
    So you say that your traffic is hitting the original Dynamic Policy PAT rule after configuring the new Dynamic Policy NAT rule?
    I think this is because of the NAT ordering.
    I am not sure if the "ID" of the NAT configuration has any meaning but I would try changing the NAT configuration in the following way
    no global (outside) 1 10.130.29.2
    no nat (inside) 1 access-list nat
    global (outside) 100 10.130.29.2
    nat (inside) 100 access-list nat
    Then perhaps "clear xlate" if situation permits.
    This should do so that the new Dynamic Policy NAT rule is the first to be matched and the original rule comes after that.
    Notice that the original rule has a "permit ip any any" ACL rule which matches all traffic. So everything gets matched to it and won't get matched to the new rule.
    Can you try this out and see how it goes.
    - Jouni
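The ordering problem Jouni describes can be checked offline. The following is an added example (not code from the thread or from Cisco) that models how a pre-8.3 ASA picks a "nat (inside) <id> access-list <acl>" rule: the modelling assumption is that rules are tried in configuration order and the first ACL that permits the flow wins, with a "deny" entry meaning "this NAT rule does not apply". The ACLs and pools are constructed from the configuration quoted in the post, and the two rule tables show the same flows before and after the suggested re-entry of rule 1 as id 100.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    """One access-list entry: permit/deny, protocol, source, destination, optional dst port."""
    action: str
    proto: str                     # "ip" matches any protocol, otherwise e.g. "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None

    def matches(self, proto: str, src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return src in self.src and dst in self.dst


@dataclass
class NatRule:
    """'nat (inside) <nat_id> access-list <acl>' paired with its 'global (outside) <nat_id>' pool."""
    nat_id: int
    acl: List[Ace]
    pool: str


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def select_nat(rules: List[NatRule], proto: str, src: str, dst: str,
               dport: Optional[int] = None) -> int:
    """Return the nat_id of the first rule whose ACL permits the flow, or 0 if none applies.

    Modelling assumption (not verified against ASA code): rules are evaluated in
    configuration order; inside an ACL the first matching entry decides, and a
    'deny' means this NAT rule is skipped, not that the packet is dropped.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        for ace in rule.acl:
            if ace.matches(proto, s, d, dport):
                if ace.action == "permit":
                    return rule.nat_id
                break   # explicit deny: this rule does not apply, try the next one
    return 0


# Constructed from the configuration quoted in the post.
ACL_NAT = [
    Ace("deny", "ip", net("10.7.2.206/32"), net("0.0.0.0/0")),
    Ace("deny", "ip", net("10.7.2.207/32"), net("0.0.0.0/0")),
    Ace("permit", "ip", net("0.0.0.0/0"), net("0.0.0.0/0")),
]
SERVERS = ["195.104.88.151/32", "195.104.88.152/32", "195.104.88.153/32"]
ACL_SERV = [Ace("permit", "tcp", net("10.0.0.0/8"), net(s), 23) for s in SERVERS]

# Order as posted: the catch-all rule 1 is evaluated first and wins for everything it permits.
AS_POSTED = [NatRule(1, ACL_NAT, "10.130.29.2"),
             NatRule(2, ACL_SERV, "10.130.29.117-10.130.29.126")]
# Order after the suggested fix: rule 1 re-entered as id 100, so the policy rule comes first.
REORDERED = [NatRule(2, ACL_SERV, "10.130.29.117-10.130.29.126"),
             NatRule(100, ACL_NAT, "10.130.29.2")]


def compare(proto: str, src: str, dst: str, dport: Optional[int] = None):
    """nat_id chosen for the same flow under both orderings: (as posted, reordered)."""
    return (select_nat(AS_POSTED, proto, src, dst, dport),
            select_nat(REORDERED, proto, src, dst, dport))


if __name__ == "__main__":
    print("telnet to server:", compare("tcp", "10.7.3.4", "195.104.88.151", 23))    # (1, 2)
    print("web to server:   ", compare("tcp", "10.7.3.4", "195.104.88.151", 80))    # (1, 100)
    print("excluded host:   ", compare("tcp", "10.7.2.206", "195.104.88.151", 80))  # (0, 0)
```

The telnet flow lands on pool 1 in the posted order and on pool 2 only after the re-ordering, while ordinary web traffic still falls through to the catch-all rule in both cases; the hosts excluded by the "deny" entries are untouched by rule 1 either way.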

  • Policy Nat on cisco router

    Hi Dears.
    I configured a site-to-site VPN on the router. The peer wants the interesting traffic for our side's user subnet to be 10.193.115.11, but our local subnet is
    10.103.70.0/24. Our local subnet also has access to the internet.
    local subnet: 10.10.3.70.0/24
    peer local  subnet: 10.193.128.11/23
    I think that I must do policy NAT.
    1. ip access-list extended vpn-traffic  
    permit ip 10.193.115.0 0.0.0.255  10.193.128.0 0.0.1.255
    2. ip access-list extended nat-ipsec
    permit ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255
    3.ip nat pool mswpool 10.193.115.1 10.193.115.14  netmask 255.255.255.240
      ip nat inside source list nat-ipsec pool mswpool
    And i have also PAT Nat for local user.
    access-list 100 permit ip 10.103.70.0 0.0.0.255 any
    ip nat inside source list 100 interface GigabitEthernet0/0 overload
    Is this configuration right?
    Please write your comment.
    Thanks.

    OK, thanks.
    At last, our configuration is this:
    access-list 100 deny ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255
    access-list 100 permit ip 10.103.70.0 0.0.0.255 any
    ip nat inside source list 100 interface GigabitEthernet0/0 overload
    for vpn traffic:
    ip nat pool mswpool 10.193.115.1 10.193.115.14  netmask 255.255.255.240
      ip nat inside source list nat-ipsec pool mswpool
    ip access-list extended vpn-traffic 
    permit ip 10.193.115.0 0.0.0.255  10.193.128.0 0.0.1.255
    ip access-list extended nat-ipsec
    permit ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255
    You said that this configuration would help me with my aim.
    Thanks again.

  • PDM does not support Policy nat

    I have had to build a VPN on a PIX 6.34 using policy NAT; however, this has now made the PDM practically unusable. Is there a way to do this without disabling the PDM?

    Yes it is possible to configure NAT with PDM. Make sure the static NAT configuration is right.
    http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/s.html#wp1026694. For example static (DMZ, inside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0 . Format should always be Static(DMZ, *) if x.x.x.x is on DMZ.

  • Policy NAT 8.6(1)2 Windows Server Cluster

    We have 2 email servers in a cluster on the network.  I have the cluster IP address configured for Object static NAT.  This works great for email coming into our organization.  However, when either of these 2 email servers send mail, they send using their configured IP address which is different from the cluster IP address.  Thus, the NAT'd address is different than for incoming.  It hasn't been an issue to this point, but I would like to be able to send SMTP from either server and have it NAT to the same IP used for the cluster IP.  This way, any reverse DNS lookups on the internet would show a consistent IP to name mapping for our mail servers.  I've attached a diagram.  If there is a way to force the cluster servers to use the cluster address on the Windows server side, that could be an option as well.
    Thanks,
    Andrew

    Hi,
    The actual NAT configuration used depends on how your Dynamic PAT rule for all the users of the network is configured at the moment. Mainly, is it Auto NAT or Manual NAT?
    Though naturally I can give you an example that includes both Dynamic PAT for all users and Dynamic PAT for the Mail servers and the Static NAT for incoming mail.
    MAIL SERVER STATIC NAT
    object network MAIL-SERVER
    host 10.0.0.1
    nat (inside,outside) static 10.10.10.140
    The above configuration is the basic Static NAT configuration for a host using Auto NAT / Network Object NAT. It could be done with Manual NAT / Twice NAT also but I prefer Auto NAT / Network Object NAT
    MAIL SERVER DYNAMIC PAT
    object-group network MAIL-PAT-SOURCE
    network-object host 10.0.0.1
    network-object host 10.0.0.2
    network-object host 10.0.0.3
    object network MAIL-SERVER-PUBLIC
    host 10.10.10.140
    nat (inside,outside) after-auto source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
    The above is a normal Dynamic PAT configuration (no Policy elements involved).
    The key thing to notice here is that we are entering this to the ASA before the next Dynamic PAT that catches all the rest of the source IP addresses. One thing to notice also is that it's a Section 3 NAT rule (the lowest priority) so that it won't override any other NAT rules like the above Static NAT.
    If you had your existing Dynamic PAT for all users already with a similar configuration to the last configuration example, then you would have to add a line number to the NAT configuration like this
    nat (inside,outside) after-auto 1 source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
    DEFAULT DYNAMIC PAT FOR USERS
    nat (inside,outside) after-auto source dynamic any interface
    The above is just a Dynamic PAT configuration that catches all source addresses from behind the "inside" interface and does Dynamic PAT for them when connecting to networks behind "outside". As this is inserted to the configuration after the above command, it will be at a lower priority and won't apply for the 3 source hosts we specified above.
    I wonder if I made this out to be more complicated than it needs to be
    I guess the easiest way to determine the configuration you will need/want would be to see the current NAT configuration on the ASA
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed
    - Jouni

  • ASA policy-nat is working but acl is not hit

    Hope you guys can help explain why is it working this strange. Thank you.
    access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224
    static (inside,outside) 192.168.100.100 access-list NET1
    ciscoasa(config)# show access-list
    access-list NET1 line 1 extended permit ip host 10.1.2.27 10.76.5.0 255.255.255.224 (hitcnt=0) 0x19580e75
    ciscoasa(config)# show xlate
    3 in use, 4 most used
    Global 192.168.100.100 Local 10.1.2.27
    ciscoasa(config)# show nat
    NAT policies on Interface inside:
      match ip inside 10.1.2.27 255.255.255.255 outside 10.76.5.0 255.255.255.224
        static translation to 192.168.100.100
        translate_hits = 9, untranslate_hits = 28

    Hi,
    It seems as if this is the behavior with access lists that are associated with NAT. I did a few checks around the support forums and found that this could be the issue and there isn't anything to worry about. However, if you can move this thread to the firewalling community I am sure they will be able to confirm this for you.
    Tarik Admani
    *Please rate helpful posts*

  • Policy Nat ASA 8.6(1)

    Going from a Pix 515E to an ASA 5515 and trying to mirror the configuration.  I believe I have most of it correct, but this one issue persists that I'm trying to get resolved.  There are a number of vpn tunnels that terminate on the Pix and on some of them the remote party has an overlapping subnet so to remedy this the following configuration was used:
    global (outside) 3 192.168.201.0
    global (outside) 4 192.168.205.0
    nat (inside) 4 access-list NAT1 0 0
    nat (inside) 3 access-list NAT 0 0
    access-list NAT permit ip 192.168.101.0 255.255.255.0 host 10.100.3.215
    access-list NAT1 permit ip 192.168.105.0 255.255.255.0 host 10.100.3.215
    This works fine.  On the ASA I tried using this:
    object network obj-10.100.3.215
     host 10.100.3.215
    object-group network obj-192.168.105.0_2
     network-object 192.168.105.0 255.255.255.0
    object-group network obj-192.168.101.0_2
     network-object 192.168.101.0 255.255.255.0
    nat (inside,outside) source dynamic obj-192.168.101.0_2 obj-192.168.201.0_3 destination static obj-10.100.3.215 obj-10.100.3.215
    nat (inside,outside) source dynamic obj-192.168.105.0_2 obj-192.168.205.0_3 destination static obj-10.100.3.215 obj-10.100.3.215
    That didn't work (the tunnel was up because I have a number of other subnets that were able to access the remote party, but not the 2 that need to be nat'd).  I cleared this and tried it again w/ the following:
    object network obj-10.100.3.215
    host 10.100.3.215
    object-group network obj-192.168.205.0_2
     network-object 192.168.205.0 255.255.255.0
    object-group network obj-192.168.201.0_2
     network-object 192.168.201.0 255.255.255.0
    object-group network obj-192.168.105.0_2
     network-object 192.168.105.0 255.255.255.0
    object-group network obj-192.168.101.0_2
     network-object 192.168.101.0 255.255.255.0
    nat (inside,outside) source static obj-192.168.101.0_2 obj-192.168.105.0_2 destination static obj-10.100.3.215 obj-10.100.3.215
    nat (inside,outside) source static obj-192.168.105.0_2 obj-192.168.205.0_2 destination static obj-10.100.3.215 obj-10.100.3.215
    If I do a packet-tracer trace it appears to nat properly to a 205.x address, but when I actually attempt it from the pc it fails.  Is the syntax correct?  I asked for a trace-route from the pc at the time it failed but it wasn't provided.

    I am trying to replace an asa 5510 with an asa 5515x.  When I try the same nat command as listed above I get this message
    "ERROR: This syntax of nat command has been deprecated."
    Is there an alternative to nat to an access-list?
    Thanks.

  • Policy NAT on ASA

    Hi. I have a client with a failover 5520 pair. Two DMZs. The client wants to see "some" DMZ servers using the servers' PUBLIC IP addresses "as well as" the DMZ addresses. Is this even possible? If not, is it possible to see some via their translated public IPs and others with the local DMZ addresses? Confused....

    Hello,
    It's quite possible to have DMZ ip addresses connected to by the 'inside' and have those same servers also connected to by the internet on their public IP addresses (assuming your DMZ is privately addressed and NAT is set up from outside-->dmz)
    Is this what you are asking?
    --Jason

  • IPSec tunnel and policy NAT question

    Hello All!
    I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPSEC tunnel as follows:
    1. I need to translate incoming IP address of the remote end of IPSec tunnel to some other IP address on our end
    2. I need to translate the outgoing IP address of our end of the IPSec tunnel to a different IP address
    I have implemented the following configuration, but for some reason it is not working: I get packets decrypted on my end, but don't have packets encrypted to send to the other end.
    Here is the configuration
    Remote end  crypto interesting ACL:
    ip access-list extended crypto-interesting-remote
    permit ip host 192.168.1.10 host 10.0.0.10
    My end configuration:
    interface GigabitEthernet0/0
    ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map VPN
    ip access-list extended crypto-interesting-local
    permit ip host 10.0.0.10 host 192.168.1.10
    interface GigabitEthernet0/3
    ip address 172.16.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    speed auto
    ip nat inside source static 172.16.0.20 10.0.0.10   (to translate the local IP address to the one on the crypto-interesting list - exposed to the remote peer - it works)
    ip nat outside source static 192.168.1.10 192.168.168.10 (to translate remote IP address to some other IP address on our end - not working - I get packets decrypted, but no packets encrypted)
    ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa
    All the routes are set, crypto ipsec tunnel is up and working and I am wondering if this is possible to achieve two-way NAT translation ?
    Any response highly appreciated!
    Thanks!

    Figured that out.
    The problem was in route
    ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
    should be next-hop IP address instead of interface gigabitethernet0/0
    Apparently the packet arrives on the interface but does not pass it when having a route like this, because there is no one sitting with the 192.168.168.10 IP address on the outside.

  • Cisco ASA Site to Site IPSEC VPN and NAT question

    Hi Folks,
    I have a question regarding both Site to Site IPSEC VPN and NAT. Basically what I want to achieve is to do the following:
    ASA2 is at HQ and ASA1 is a remote site. I have no problem setting up a static Site to Site IPSEC VPN between sites. Hosts residing at 10.1.0.0/16 are able to communicate with hosts at 192.168.1.0/24, but what I want is to set up NAT with the IPSEC VPN so that hosts at 10.1.0.0/16 will communicate with hosts at 192.168.1.0/24 with translated addresses.
    Just an example:
    Host N2 (10.1.0.1/16) will communicate with host N1 192.168.1.5 with  destination lets say 10.23.1.5 not 192.168.1.5 (Notice the last octet  should be the same in this case .5)
    The same  translation for the rest of the communication (Host N2 pings host N3  destination ip 10.23.1.6 not 192.168.1.6. again last octet is the same)
    It sounds a bit confusing for me but i have seen this type of setup  before when I worked for managed service provider where we had  connection to our clients (Site to Site Ipsec VPN with NAT, not sure how  it was setup)
    Basically we were communicating  with client hosts over site to site VPN but their real addresses were  hidden and we were using translated address as mentioned above  10.23.1.0/24 instead of (real) 192.168.1.0/24, last octet should be the  same.
    Appreciate if someone can shed some light on it.

    Hi,
    OK, so we're going with the older NAT configuration format.
    To me it seems you could do the following:
    Configure the ASA1 with Static Policy NAT 
    access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    Because the above is a Static Policy NAT it means that the translation will only be done when the destination network is 10.1.0.0/16
    If you for example have a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration won't interfere with each other.
    On ASA2 side you can normally configure NAT0 / NAT Exemption for the 10.1.0.0/16 network 
    access-list INSIDE-NONAT remark L2LVPN NONAT
    access-list INSIDE-NONAT permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NONAT
    You will have to take into consideration that your access-list defining the L2L-VPN encrypted traffic must reflect the new NAT network 
    ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
    I could test this setup tomorrow at work but let me know if it works out.
    Please rate if it was helpful
    - Jouni
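The translation Jouni describes for ASA1 is a network-to-network static policy NAT: 192.168.1.0/24 is shown to the 10.1.0.0/16 peer as 10.23.1.0/24 with the host part preserved, and the translation applies only when the other end of the flow is the peer network. That destination condition is the "policy" part, which also answers the question at the top of the page about when policy NAT is needed. The following is an added example (not code from the thread or from Cisco) that models that mapping in both directions with Python's ipaddress module and then checks the translated packet against the crypto ACL, so the point about the encryption domain needing the NATed network can be seen directly. The class and function names are the example's own.

```python
import ipaddress
from typing import Optional, Tuple


class StaticPolicyNat:
    """Network-to-network static policy NAT: 'real' is translated to 'mapped' (same prefix
    length, host bits preserved) only when the other end of the flow is in 'policy_dst'."""

    def __init__(self, real: str, mapped: str, policy_dst: str):
        self.real = ipaddress.ip_network(real)
        self.mapped = ipaddress.ip_network(mapped)
        self.policy_dst = ipaddress.ip_network(policy_dst)
        if self.real.prefixlen != self.mapped.prefixlen:
            raise ValueError("real and mapped networks must be the same size")

    def translate(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Outbound (inside -> outside): returns (mapped_src, dst), or None when the policy
        does not apply and the flow is left to the other NAT rules (e.g. the regular PAT)."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in self.real or d not in self.policy_dst:
            return None
        host_bits = int(s) - int(self.real.network_address)
        return str(self.mapped.network_address + host_bits), str(d)

    def untranslate(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Inbound (outside -> inside): the peer addresses the mapped network; returns
        (src, real_dst), or None when the packet is not covered by this policy."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if d not in self.mapped or s not in self.policy_dst:
            return None
        host_bits = int(d) - int(self.mapped.network_address)
        return str(s), str(self.real.network_address + host_bits)


def in_encryption_domain(acl_src: str, acl_dst: str, src: str, dst: str) -> bool:
    """Does a packet match a one-line crypto ACL 'permit ip <acl_src> <acl_dst>'?"""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(acl_src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(acl_dst))


# ASA1 as described in the reply: real LAN 192.168.1.0/24, presented to 10.1.0.0/16 as 10.23.1.0/24.
ASA1 = StaticPolicyNat("192.168.1.0/24", "10.23.1.0/24", "10.1.0.0/16")


def outbound_is_encrypted(src: str, dst: str, crypto_src: str = "10.23.1.0/24",
                          crypto_dst: str = "10.1.0.0/16") -> bool:
    """Apply ASA1's NAT first (as the ASA does before the crypto map check), then test the
    translated packet against the crypto ACL. With the pre-NAT network 192.168.1.0/24 in
    the ACL the translated packet would not be selected for the tunnel."""
    nat = ASA1.translate(src, dst)
    if nat is None:
        return False
    return in_encryption_domain(crypto_src, crypto_dst, *nat)


if __name__ == "__main__":
    print(ASA1.translate("192.168.1.5", "10.1.0.1"))        # ('10.23.1.5', '10.1.0.1')
    print(ASA1.translate("192.168.1.5", "8.8.8.8"))         # None: internet traffic is not touched
    print(ASA1.untranslate("10.1.0.1", "10.23.1.6"))        # ('10.1.0.1', '192.168.1.6')
    print(outbound_is_encrypted("192.168.1.5", "10.1.0.1"))                               # True
    print(outbound_is_encrypted("192.168.1.5", "10.1.0.1", crypto_src="192.168.1.0/24"))  # False
```

The last two calls are the practical check: the same host-to-host flow is selected for the tunnel only when the crypto ACL names the translated 10.23.1.0/24 network, which is exactly why the encryption domain on both ASAs has to be written against the NATed addresses.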

  • ASA IPsec Remote Access VPN | NAT Question

    We have a situation where a company that needs remote VPN access to our network is having an IP conflict with our subnet. I know this is a common issue and can often be resolved on the client side by changing the metric on the network interface, but I am looking for a better solution on our end so I do not have to suggest workarounds.
    Part of the problem is likely that our subnet is "too big", but I'm not going to be changing that now.
    We are using 10.0.0.0/24 and the remote is using 10.0.11.0/24 and 10.1.0.0/16.
    I played around with some NAT rules and feel that I am missing something. I am looking for suggestions, please.
    Thank you.

    Hi,
    This depends on your ASA firewalls software version and partly on its current NAT configurations.
    I presume the following
    Interfaces "inside" and "outside"
    VPN Pool network of 10.10.100.0/24 (or some 192/172 network)
    Software 8.2 and below
    access-list VPN-POLICYNAT remark Static Policy NAT for VPN Client
    access-list VPN-POLICYNAT permit ip 10.0.0.0 255.255.255.0 10.10.100.0 255.255.255.0
    static (inside,outside) 192.168.10.0 access-list VPN-POLICYNAT
    Key things to keep in mind with this software level is that if any of our internal hosts on the network 10.0.0.0/24 also have a "static" configuration that binds their local IP address to a public IP address then you might have to insert the above configuration and then remove the original "static" command and enter it back again.
    This will change the order of the "static" commands so that the original "static" command won't override this new configuration, as they are processed in the order they are inserted to the configuration. The remove/add part is just to change their order in the configuration.
    Software 8.3 and above
    object network LAN
    subnet 10.0.0.0 255.255.255.0
    object network LAN-VPN
    subnet 192.168.10.0 255.255.255.0
    object-group network VPN-POOL
    subnet 10.10.100.0 255.255.255.0
    nat (inside,outside) 1 source static LAN LAN-VPN destination static VPN-POOL VPN-POOL
    In the above configuration we do the same as in the older software versions' configuration, but we have the number "1" in the "nat" configuration, which places it at the very top of your NAT configurations and therefore it applies. No need to remove any existing configuration and enter it again like in the old software.
    In addition to the above NAT configuration you naturally have to make sure that the traffic to the NATed LAN network goes to the VPN. So if using Split Tunnel the NAT network needs to be added to the VPN ACL. If using Full Tunnel then naturally everything should already be coming through the VPN. I imagine though that you are using Split Tunnel, or?
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed
    - Jouni

  • ASA 5505: Site-to-Site VPN, NAT (Overlap Subnets)

    Greetings all.  I've searched through the forums and have found some similar situations to mine but nothing specific.  I'm hoping this is an easy fix...  :/
    I volunteer for a non-profit medical facility that has an ASA 5505 (v8.4). They needed a site-to-site VPN to another facility (a Fortinet w/ 10.10.115.0/24) to securely transfer digital X-Ray images. Very simple setup... the issue is, my 5505 (192.168.1.x) overlaps with another site-to-site VPN connection on the Fortinet side already. So...
    The network admin on the Fortinet side assigned me 172.31.1.0/24. I have established a connection but obviously cannot route anywhere to the other side. Anyone have any suggestions here, how I might be able to accomplish this - hopefully with a simple NAT setup?
    Thank you in advance everyone.

    Hello Chris,
    For this scenario you will need to create a Policy-NAT rule and then configure the Interesting Traffic with the translated IP address.
    Basically the NAT configuration will be like this:
    object network Local-net
    subnet 192.168.1.0 255.255.255.0
    object network Translated-net
    subnet 172.31.1.0 255.255.255.0
    object network Fortinet-net
    subnet 10.10.115.0 255.255.255.0
    nat (inside,outside) source static Local-net Translated-net destination static Fortinet-net Fortinet-net
    Obviously, you can change the name of the objects.
    Then in the interesting traffic, the ACL that is applied in the crypto map that defines the VPN traffic, you will need to configure it like this:
    access-list anyname permit ip 172.31.1.0 255.255.255.0 10.10.115.0 255.255.255.0
    This should allow you to pass traffic over this tunnel and it will hide your network behind the network that the Fortinet assigned you.
    Let me know if you have any doubts.
    Daniel Moreno
    Please rate any posts you find useful

  • ASA rpf-check DROP, ASA checking NAT in the incorrect interface

    Hi
    My current architecture is :
    Internet <--> FW <--> ASA <--> LAN
                          FW <--> ASA
    we have two links between ASA and the FW, the corresponding ASA interfaces are "outside" and "vpn"
    the "outside" interface is used for browsing Internet, also for making some services accessible to our partners by doing NAT to our servers
    the "vpn" interface is used to grant access to our LANs from remote Offices
    let say that firewall rules are OK and the remote offices have access to the whole LAN by port 80
    below the current configuration :
    interface GigabitEthernet0/0
      nameif inside
     security-level 100
     ip address 192.168.1.2 255.255.255.0
    interface GigabitEthernet0/1
     nameif outside
     security-level 0
     ip address 192.168.11.2 255.255.255.0
    interface GigabitEthernet0/2
     nameif vpn
     security-level 0
     ip address 192.168.12.2 255.255.255.0
    object-group network Inside_LANs
     network-object 192.168.3.0 255.255.255.0
     network-object 192.168.4.0 255.255.255.0
     network-object 192.168.5.0 255.255.255.0
    access-list Inside-to-outside extended permit icmp object-group Inside_LANs any echo 
    access-list Inside-to-outside extended permit udp any host TimeServer eq ntp 
    access-list Inside-to-outside extended permit ip object-group Inside_LANs any 
    global (outside) 1 interface
    global (outside) 2 192.168.11.60 netmask 255.255.255.255
    nat (inside) 1 access-list Inside-to-outside
    nat (inside) 2 192.168.6.0 255.255.255.0
    static (inside,outside) 192.168.11.10 192.168.2.10 netmask 255.255.255.255 
    static (inside,outside) 192.168.11.11 192.168.2.11 netmask 255.255.255.255 
    static (inside,outside) 192.168.11.12 192.168.2.12 netmask 255.255.255.255 
    route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
    route inside 192.168.3.0 255.255.255.0 192.168.1.1 1
    route inside 192.168.4.0 255.255.255.0 192.168.1.1 1
    route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
    route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
    route vpn 192.168.20.0 255.255.255.0 192.168.12.1 1
    our problem is that packets are dropped from remote office to LAN, we are getting the rpf-check drop in packet tracer
    example 1 (to a server without NAT 192.168.2.13) ---> connection OK (not dropped)
    remote office 192.168.20.55 to 192.168.2.13
    Phase: 5
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    nat (inside) 1 access-list Inside-to-outside
      match udp inside any inside host TimeServer eq 123
        dynamic translation to pool 1 (No matching global)
        translate_hits = 0, untranslate_hits = 0
    Additional Information:
    example 2 (to a server with static NAT 192.168.2.10) ---> connection OK (not dropped)
    remote office 192.168.20.55 to 192.168.2.10
    Phase: 6
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (inside,outside) 192.168.11.10 192.168.2.10 netmask 255.255.255.255 
      match ip inside host 192.168.2.10 outside any
        static translation to 192.168.11.10
        translate_hits = 76643, untranslate_hits = 188597
    Additional Information:
    example 3 (to a host with dynamic ACL NAT 192.168.4.40) ---> connection NOK (dropped)
    remote office 192.168.20.55 to 192.168.4.40
    Phase: 5
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    Config:
    nat (inside) 1 access-list Inside-to-outside
      match ip inside 192.168.4.0 255.255.255.0 vpn any
        dynamic translation to pool 1 (No matching global)
        translate_hits = 1, untranslate_hits = 0
    Additional Information:
    example 4 (to a host with dynamic Network NAT 192.168.6.30) ---> connection NOK (dropped)
    remote office 192.168.20.55 to 192.168.6.30
    Phase: 5
    Type: NAT
    Subtype: rpf-check
    Result: DROP
    Config:
    nat (inside) 2 192.168.6.0 255.255.255.0
      match ip inside 192.168.6.0 255.255.255.0 vpn any
        dynamic translation to pool 2 (No matching global)
        translate_hits = 117, untranslate_hits = 0
    Additional Information:
    our questions :
    1) Why doesn't the ASA check the reverse path route before checking the NAT?
     If it did, the route back to the office is set to the "vpn" interface (route vpn 192.168.20.0 255.255.255.0 192.168.12.1 1), so the ASA wouldn't have to check NAT on another interface; currently it's checking the NAT on the "outside" interface even though that's not the route back to the office.
    2) Why is it working for static NAT servers and not working for the dynamic NAT ones?
    When the ASA checks a server with static NAT, it finds a match on the outside interface but even so it discards it and the connection works (example 2).
    When the ASA checks a server/host with dynamic NAT (ACL or Network), it finds a match on the outside interface but drops the connection.
    3) We know that this behavior can be solved by adding a NAT exception for the dynamic NAT on the "outside" interface (nat (inside) 0 access-list Inside-NAT-Exceptions), but:
    Why is the ASA checking the global NAT even if it's not the correct interface?
    Why is it working for static NAT and not working for the dynamic one?
    Thanks a lot

    Hi,
    It would be easier to troubleshoot if you shared the complete "packet-tracer" command you used and the full output of the command.
    But to me the situation in its current form looks the following.
    Example 1
    To me it seems this is working as it should. The connection is coming from "vpn" to "inside". There are no "static" configurations between "vpn" and "inside" and there is no "nat" command for the "vpn" interface, so the traffic should pass normally without any NAT related conflicts/problems, as the traffic does not match any NAT configuration.
    Notice that the ASA might show some unrelated NAT information in the output of the "packet-tracer" command (commands related to other interfaces). In those NAT Phase sections there is a section saying "Additional Information:". If there is no text after this, that means that this NAT has not been applied. I am not sure why the ASA lists some NAT configurations in the output that are not related. I have seen this on many occasions and do not know the reason, and I have not really put any time/effort into understanding why it shows the unrelated information in the output.
    Example 2
    This seems to be working as expected also.
    According to the configuration provided there are no existing NAT configurations related to either the source or destination IP address on the ASA between the "vpn" and "inside" interfaces, so the traffic passes through the ASA without facing any conflicts with NAT configurations.
    Again, the "packet-tracer" shows NAT information unrelated to this situation. And again the "Additional Information:" section lists no additional information, so the NAT listed is not applied.
    Example 3 and 4
    These tests fail as expected since there is a Dynamic Policy PAT configuration for both internal destination hosts that the remote users are trying to connect to. The problem comes from the fact that the initial direction from remote to internal does not match any NAT configuration, and the reverse direction from internal to remote matches the Dynamic Policy PAT, and therefore the connection attempt is dropped. The connection must match the same NAT configuration in both directions.
    In this situation you would either have to configure NAT0, Static NAT, Static PAT or Static Policy NAT/PAT, which would all prevent the connection from matching the Dynamic Policy PAT (but would match the mentioned type of NAT in both directions, as they have higher priority than Dynamic Policy PAT). Typically the preferred solution would be to use NAT0, though you naturally have the option to use a NAT address if there is any overlap.
    Hope this helps :)
    - Jouni
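The NAT order of operations Jouni describes, as an added example that is not part of the thread or of Cisco's code: a small Python model of the pre-8.3 rpf-check, fed with the static, nat/global and NAT0 rules quoted above. The rule objects, the `best_match`/`rpf_check` helpers and the exemption ACL contents are assumptions made for the illustration; only the addresses and rule types come from the thread.

```python
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network

@dataclass(frozen=True)
class NatRule:
    kind: str                    # "exempt" (nat 0 access-list), "static", "dynamic"
    real_if: str                 # interface the real address lives behind
    real: Net                    # real address or network
    dst: Net = Net("0.0.0.0/0")  # policy ACL destination ("any" by default)
    mapped_if: str = ""          # static NAT only: the other interface of the pair

PRIORITY = {"exempt": 0, "static": 1, "dynamic": 2}  # ASA lookup order (assumed)

def best_match(rules, real_if, other_if, src, dst):
    """Rule that would translate a packet leaving real_if towards other_if.
    Statics bind to one interface pair; nat/global rules and exemptions are
    matched on the real interface alone, which is why packet-tracer lists
    them even with 'No matching global' on the egress interface."""
    hits = [r for r in rules
            if r.real_if == real_if and src in r.real and dst in r.dst
            and (r.kind != "static" or r.mapped_if == other_if)]
    return min(hits, key=lambda r: PRIORITY[r.kind], default=None)

def rpf_check(rules, in_if, out_if, src, dst):
    """Simulate the NAT rpf-check phase for a new connection in_if -> out_if."""
    forward = best_match(rules, in_if, out_if, src, dst)
    reverse = best_match(rules, out_if, in_if, dst, src)
    # A reply that would be dynamically translated, when the forward packet
    # did not create that translation, has no matching xlate: DROP.
    if reverse is not None and reverse.kind == "dynamic" and reverse is not forward:
        return "DROP"
    return "ALLOW"  # no NAT, or a bidirectional static/exemption

# Rules as quoted in the thread, paraphrased into objects.
RULES = [
    NatRule("static", "inside", Net("192.168.2.10/32"), mapped_if="outside"),
    NatRule("dynamic", "inside", Net("192.168.4.0/24")),  # nat (inside) 1 access-list
    NatRule("dynamic", "inside", Net("192.168.6.0/24")),  # nat (inside) 2 network
]
# Constructed NAT0 entry of the kind the poster mentions (its ACL contents assumed).
EXEMPT_VPN = NatRule("exempt", "inside", Net("192.168.4.0/24"), Net("192.168.20.0/24"))
REMOTE = ipaddress.IPv4Address("192.168.20.55")

def run_examples(rules):
    """Replay examples 2-4 from the thread: remote office host to each server."""
    return {ip: rpf_check(rules, "vpn", "inside", REMOTE, ipaddress.IPv4Address(ip))
            for ip in ("192.168.2.10", "192.168.4.40", "192.168.6.30")}

if __name__ == "__main__":
    print(run_examples(RULES))                # 2.10 ALLOW, 4.40 DROP, 6.30 DROP
    print(run_examples(RULES + [EXEMPT_VPN]))  # 4.40 now ALLOW, 6.30 still DROP
```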
