NAT with 3 Interfaces

rwoerner1
Level 1

I wanted to see if something like this would work.

The existing config works fine and works like so:

access-list remoteT1_AL extended permit ip object-group remoteT1_NAT_local object-group remoteT1_NAT

global (local1) 30 10.3.90.55

nat (local) 30 access-list remoteT1_AL

This is across 2 local interfaces, because we have a P2P T1 to a client and they're super strict with the IP range they allow, so I have to NAT everything from local to local1. I just dump the IPs I need into the object groups and I'm good to go.

The problem that has just arisen is that we set up a VPN to a new office on the 'public' interface and the users there need to access this P2P T1 network. I want to try to do something like this (see below) and just dump those VPN IPs into the object groups. It didn't work, needless to say. Problem is that I have them NAT exempt for the VPN, but I obviously need to NAT them for this connection. Also, I'm not sure if there is something inherent on the public interface that would make this infeasible. If anyone has any insight it would be much appreciated. Thanks in advance!

global (local1) 30 10.3.90.55

nat (local) 30 access-list remoteT1_AL

nat (public) 30 access-list remoteT1_AL

-Rus

PS: Device is ASA 5510 w/ 8.2(1)11.

19 Replies

Hi,

It should work.

Do the public and local1 interfaces have the same security level? If so, you should manually allow the communication with the same-security-traffic permit inter-interface command.

When a VPN client tries to access the network on local1, do you see a translation being built?

This will show us if the VPN client terminates on the Firewall, and then gets NATed to the local1 interface.

Federico.

Federico,

Thanks for the reply. The public interface is 0, and both locals are 100. I logged the traffic and there is no NAT being applied. The repeating error is "asymmetric NAT rules mismatched for forward and reverse". Do you think that would have to do with the order the rules are being applied?

-Rus

You will not be able to pass traffic between two interfaces with the same security level unless you have the following command configured:

same-security-traffic permit inter-interface

Check it out with: sh run same

Federico.

Thanks, I checked it out and that command was in place. I'm able to pass traffic between the 2 local interfaces (same sec level); it's just when the remote VPN network tries to NAT across to the destination. I think the problem I'm running into is the order the NATs are being applied. I'm just not sure of the direction to head in.

-Rus

Jennifer Halim
Cisco Employee

It is not recommended to apply the same access-list "remoteT1_AL" on 2 different NAT statements as follows:

nat (local) 30 access-list remoteT1_AL

nat (public) 30 access-list remoteT1_AL

Configure a different ACL for "nat (public) 30". I assume that "public" interface has security level 0, and that is the VPN termination interface?

If that is the case, you would need to configure the following instead:

access-list remoteT1-VPN permit ip

nat (public) 30 access-list remoteT1-VPN outside

Remember to "clear xlate" after making all the changes.

There is already an ACL doing this for the VPN so that it is tunneled. Also, I didn't really specify (my mistake) but it is a L2L VPN. Is it getting angry because I have the ACLs matching the cryptomap, and then the ACL trying to apply this NAT?

Do you have the "outside" keyword on the NAT statement on the public interface?

nat (public) 30 access-list remoteT1-VPN outside

I didn't have the 'outside' keyword on the interface. I added it in but it didn't change the outcome, even after clearing xlate. I ran the packet tracer but that didn't tell me very much. Since this is a VPN connection, would the remote internal IPs be considered public? Or would they be local since it's an established VPN?

Sorry, don't quite understand your question.

Please post config, and what you are trying to achieve.

Here is the relevant config I think:

2.2.2.0/24 is our local network for int local

object-group network remoteT1_NAT_local
network-object 1.1.1.0 255.255.255.0

access-list nonat extended permit ip 1.1.1.0 255.255.252.0 2.2.2.0 255.255.255.0
access-list public_cryptomap_1090 extended permit ip 1.1.1.1 255.255.252.0 2.2.2.0 255.255.255.0
access-list remoteT1_AL extended permit ip object-group remoteT1_NAT_local object-group remoteT1_NAT
access-list remoteT1_AL_VPN extended permit ip object-group remoteT1_NAT_local object-group remoteT1_NAT

global (public) 10 interface
global (local1) 30 10.3.90.55
nat (local) 30 access-list remoteT1_AL
nat (public) 30 access-list remoteT1_AL_VPN outside
nat (local) 10 0.0.0.0 0.0.0.0

crypto map public_map 1090 match address public_cryptomap_1090

If nothing stands out there is no need to worry, I'll start trying to figure out a different path. Thanks a ton for your help.

We just need to see what the logs show when the flow breaks.

Post syslogs in debug level.

conf t

logging on

logging buffered debug

exit

sh logg | i x.x.x.x

-KS

Sorry, it looks all wrong. Nothing matches correctly, and still not too sure what you are trying to achieve.

What I understand is VPN traffic terminate on "public" interface (security level 0), and you would like to NAT the VPN remote LAN to 10.3.90.55 when going towards "local1" interface (security level 100). Is this correct?

Please include the remote LAN subnet, local1 subnet, and the crypto ACL. Also, where is your nonat ACL applied? Please also share output of the following:

sh run nat

sh run global

and any access-list associated with the nat statement.

I'm trying to achieve what you specified. Right now I NAT to the local1 subnet from the local subnet, but I also need to be able to NAT from the local IPs of the remote VPN network across the IPSec VPN tunnel to the local1.

Log output:

5|Apr 13 2010|09:58:22|305013|10.20.2.29||||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src public:remoteVPNnetwork dst local1e:remoteT1network (type 8, code 0) denied due to NAT reverse path failure

local & local 1 are sec level 100

public is 0

same-security-traffic permit inter-interface

Crypto ACL:

access-list public_cryptomap_1090 extended permit ip 1.1.1.1  255.255.252.0 2.2.2.0 255.255.255.0

Crypto ACL applied:

crypto map public_map 1090 match address public_cryptomap_1090

sh run nat

nat (local) 0 access-list nonat
nat (local) 40 access-list CHS_AL
nat (local) 30 access-list remoteT1_AL
nat (public) 30 access-list remoteT1_AL_VPN outside
nat (local) 10 0.0.0.0 0.0.0.0
nat (public) 0 access-list public_nat0_inbound outside
nat (public) 5 access-list public_pnat_inbound_V1 outside

global:

global (public) 40 192.168.11.25-192.168.11.28 netmask 255.255.255.0
global (public) 10 interface
global (local1) 30 10.3.90.55

Also, I was using icmp just for logging purposes, but regular tcp traffic has the same effect.
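The syslog line above is the key evidence in this thread: message 305013 names the ingress and egress interfaces of the flow that failed the NAT reverse-path check, which is exactly the pair that needs a matching translation in both directions. The following Python is an added example (not Cisco code or output from the thread) that parses the pipe-delimited buffer format shown in the post and counts 305013 denials per interface pair. The ICMP line is the one quoted in the thread; the TCP line and the unrelated 302013 line are constructed, as is the 10.3.90.10 host address.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample log. Line 1 is the line quoted in the thread; line 2 is a
# constructed TCP variant of the same message id (ports instead of ICMP
# type/code); line 3 is a constructed unrelated message to show filtering.
SAMPLE_LOG = """\
5|Apr 13 2010|09:58:22|305013|10.20.2.29||||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src public:remoteVPNnetwork dst local1e:remoteT1network (type 8, code 0) denied due to NAT reverse path failure
5|Apr 13 2010|10:01:07|305013|10.20.2.29||||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src public:1.1.1.50/51234 dst local1:10.3.90.10/22 denied due to NAT reverse path failure
6|Apr 13 2010|10:01:08|302013|10.20.2.29||||Built inbound TCP connection 4711 for public:1.1.1.50/51235 (1.1.1.50/51235) to local:2.2.2.5/445 (2.2.2.5/445)
"""

FIELD_COUNT = 9  # severity|date|time|msg-id|device|...|text, as the thread's line shows

# Endpoint syntax inside 305013: <interface>:<host>[/<port>]; ICMP carries
# "(type N, code M)" instead of ports.
RPF_RE = re.compile(
    r"Connection for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>\S+?)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>\S+?)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?"
    r" denied due to NAT reverse path failure"
)


def parse_line(line: str) -> Optional[dict]:
    """Split one pipe-delimited ASA syslog line; returns None if the layout differs."""
    parts = line.rstrip("\n").split("|", FIELD_COUNT - 1)
    if len(parts) != FIELD_COUNT:
        return None
    rec = {
        "severity": int(parts[0]),
        "timestamp": f"{parts[1]} {parts[2]}",
        "msg_id": parts[3],
        "device": parts[4],
        "text": parts[8],
    }
    if rec["msg_id"] == "305013":
        m = RPF_RE.search(rec["text"])
        if m:
            # keep only the groups that were present (ports or ICMP type/code)
            rec.update({k: v for k, v in m.groupdict().items() if v is not None})
    return rec


def nat_rpf_failures(log_text: str) -> list:
    """Return the parsed 305013 records, one per denied flow."""
    recs = (parse_line(ln) for ln in log_text.splitlines() if ln.strip())
    return [r for r in recs if r and r["msg_id"] == "305013" and "src_if" in r]


def failures_by_interface_pair(log_text: str) -> Counter:
    """Count denied flows per (ingress, egress) pair: the pair lacking a matching reverse NAT rule."""
    return Counter((r["src_if"], r["dst_if"]) for r in nat_rpf_failures(log_text))


if __name__ == "__main__":
    for r in nat_rpf_failures(SAMPLE_LOG):
        print(r["timestamp"], r["proto"], f"{r['src_if']}:{r['src']}", "->", f"{r['dst_if']}:{r['dst']}")
    print(dict(failures_by_interface_pair(SAMPLE_LOG)))
```

Run over a `sh logg` buffer saved to a file, the interface-pair counter tells you at a glance which direction is missing a translation (here every denial is public to local1), which is the question the next reply in the thread goes on to ask.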

OK, you haven't included all the access-lists that are associated with the NAT statements. It's difficult to help if you don't provide the whole picture.

This statement:

nat (public) 0 access-list public_nat0_inbound outside

will take precedence over:

nat (public) 30 access-list remoteT1_AL_VPN outside

NAT exemption with an ACL takes priority; therefore, your "nat (public) 30" will never get invoked if the access-lists overlap.

Further to that, you don't have NAT exemption on local1 interface.

Please share the whole config, or provide output of the following:

show run interface

show run route

show access-list

And please confirm, the traffic flow is from "public" interface towards "local1" interface?
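The precedence point in the reply above (a nat 0 access-list exemption is evaluated before any policy NAT on the same interface, so an overlapping exemption ACL silently shadows "nat (public) 30") is easy to check with a small model of the ASA 8.2 NAT order of operations. The Python below is an added example, not Cisco code or output from the thread; it encodes the rules from the poster's "sh run nat" and evaluates a sample flow. The ordering follows the 8.2 configuration guide (exemption, then policy dynamic NAT, then regular dynamic NAT); static NAT, which sits between exemption and policy NAT on a real ASA, is omitted because the thread has none. The contents of public_nat0_inbound and object-group remoteT1_NAT are not shown in the thread, so they are constructed here, as are the sample host addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


def net(addr_mask: str):
    """Parse ASA 'address mask' syntax, e.g. '1.1.1.0 255.255.252.0'."""
    addr, mask = addr_mask.split()
    # strict=False masks host bits (1.1.1.0/22 -> 1.1.0.0/22), matching the ASA's mask comparison.
    return ip_network(f"{addr}/{mask}", strict=False)


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <dst>' entry of an extended access-list."""
    src: str
    dst: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return ip_address(src_ip) in net(self.src) and ip_address(dst_ip) in net(self.dst)


@dataclass(frozen=True)
class NatRule:
    """'nat (<interface>) <id> [access-list <acl>] [outside]' in 8.2 syntax."""
    interface: str
    nat_id: int
    acl: Optional[str] = None   # None models the catch-all 'nat (local) 10 0.0.0.0 0.0.0.0'
    outside: bool = False


def phase(rule: NatRule) -> int:
    """ASA 8.2 evaluation phase: exemption first, policy NAT second, regular dynamic NAT last."""
    if rule.nat_id == 0 and rule.acl:
        return 0
    if rule.acl:
        return 1
    return 2


def select_rule(rules, acls, ingress: str, src_ip: str, dst_ip: str) -> Optional[NatRule]:
    """Return the first rule (by phase, then configured order) matching a flow entering 'ingress'."""
    candidates = sorted((r for r in rules if r.interface == ingress), key=phase)  # stable sort
    for rule in candidates:
        if rule.acl is None or any(a.matches(src_ip, dst_ip) for a in acls[rule.acl]):
            return rule
    return None


ANY = "0.0.0.0 0.0.0.0"
# Rules from the thread's 'sh run nat' (CHS_AL and pnat_inbound_V1 omitted: their ACLs are not shown).
RULES = [
    NatRule("local", 0, "nonat"),
    NatRule("local", 30, "remoteT1_AL"),
    NatRule("local", 10),
    NatRule("public", 0, "public_nat0_inbound", outside=True),
    NatRule("public", 30, "remoteT1_AL_VPN", outside=True),
]
VPN_LAN = "1.1.1.0 255.255.255.0"      # object-group remoteT1_NAT_local, from the thread
REMOTE_T1 = "10.3.90.0 255.255.255.0"  # object-group remoteT1_NAT: constructed, not shown in the thread
LOCAL_LAN = "2.2.2.0 255.255.255.0"    # the poster's local network


def acls_with_exemption(nat0_inbound_dst: str) -> dict:
    """ACL table; nat0_inbound_dst is the destination the (constructed) public-side exemption permits."""
    return {
        "nonat": [Ace("1.1.1.0 255.255.252.0", LOCAL_LAN)],
        "remoteT1_AL": [Ace(VPN_LAN, REMOTE_T1)],
        "remoteT1_AL_VPN": [Ace(VPN_LAN, REMOTE_T1)],
        "public_nat0_inbound": [Ace("1.1.1.0 255.255.252.0", nat0_inbound_dst)],
    }


def chosen_nat_id(nat0_inbound_dst: str, src: str = "1.1.1.50", dst: str = "10.3.90.10") -> Optional[int]:
    """NAT id applied to a VPN-LAN host (constructed) entering 'public' towards the T1 network."""
    rule = select_rule(RULES, acls_with_exemption(nat0_inbound_dst), "public", src, dst)
    return rule.nat_id if rule else None


if __name__ == "__main__":
    print("exemption permits any destination ->", chosen_nat_id(ANY))        # 0: nat 30 never runs
    print("exemption limited to local LAN    ->", chosen_nat_id(LOCAL_LAN))  # 30: policy NAT applies
```

With a broad exemption ACL the VPN flow is claimed by "nat (public) 0" and never reaches "nat (public) 30"; narrowing the exemption to the traffic that genuinely must not be translated (the VPN LAN to 2.2.2.0/24) lets the policy NAT match. This only fixes the forward direction; the reply above also notes that local1 has no corresponding rule, which is what the 305013 reverse-path failure is complaining about.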
