04-09-2010 12:30 PM - edited 03-11-2019 10:31 AM
I wanted to see if something like this would work.
The existing config works fine and works like so:
access-list remoteT1_AL extended permit ip object-group remoteT1_NAT_local object-group remoteT1_NAT
global (local1) 30 10.3.90.55
nat (local) 30 access-list remoteT1_AL
This is across 2 local interfaces, because we have a P2P T1 to a client and they're super strict with the IP range they allow, so I have to NAT everything from local to local1. I just dump the IPs I need into the object groups and I'm good to go.
The problem that has just arisen, is we setup a VPN to a new office on the 'public' interface and the users there need to access this P2P T1 network. I want to try to do something like this (see below) and just dump those VPN IPs into the object groups. It didn't work needless to say. Problem is that I have them nat exempt for the VPN, but I obviously need to nat them for this connection. Also, I'm not sure if there is something inherent on the public interface that would make this infeasible to work. If anyone has any insight it would be much appreciated. Thanks in advance!
global (local1) 30 10.3.90.55
nat (local) 30 access-list remoteT1_AL
nat (public) 30 access-list remoteT1_AL
-Rus
PS: Device is ASA 5510 w/ 8.2(1)11.
04-09-2010 12:54 PM
Hi,
It should work.
Do the public and local1 interfaces have the same security level? If so, you should manually allow the communication with the same-security-traffic permit inter-interface command.
When a VPN client tries to access the network on local1, do you see a translation being built?
This will show us if the VPN client terminates on the Firewall, and then gets NATed to the local1 interface.
Federico.
04-12-2010 05:47 AM
Federico,
Thanks for the reply. The public interface is 0, and both locals are 100. I logged the traffic and there is no NAT being applied. The repeating error is "asymmetric NAT rules mismatched for forward and reverse". Do you think that would have to do with the order the rules are being applied?
-Rus
04-12-2010 05:52 AM
You will not be able to pass traffic between two interfaces with the same security level unless you have the following command configured:
same-security-traffic permit inter-interface
Check it out with: sh run same
Federico.
04-12-2010 06:06 AM
Thanks, I checked it out and that command was in place. I'm able to pass traffic between the 2 local interfaces (same sec level); it's just when the remote VPN network tries to NAT across to the destination. I think the problem I'm running into is the order the NATs are being applied. I'm just not sure of the direction to head in.
-Rus
04-12-2010 05:58 AM
It is not recommended to apply the same access-list "remoteT1_AL" on 2 different NAT statements as follows:
nat (local) 30 access-list remoteT1_AL
nat (public) 30 access-list remoteT1_AL
Configure a different ACL for "nat (public) 30". I assume that "public" interface has security level 0, and that is the VPN termination interface?
If that is the case, you would need to configure the following instead:
access-list remoteT1-VPN permit ip
nat (public) 30 access-list remoteT1-VPN outside
Remember to "clear xlate" after making all the changes.
04-12-2010 06:28 AM
There is already an ACL doing this for the VPN so that it is tunneled. Also, I didn't really specify (my mistake) but it is a L2L VPN. Is it getting angry because I have the ACLs matching the cryptomap, and then the ACL trying to apply this NAT?
04-12-2010 06:40 AM
Do you have the "outside" keyword on the NAT statement on the public interface?
nat (public) 30 access-list remoteT1-VPN outside
04-12-2010 11:03 AM
I didn't have the 'outside' keyword on the interface. I added it in but it didn't change the outcome, even after clearing xlate. I ran the packet tracer but that didn't tell me very much. Since this is a VPN connection, would the remote internal IPs be considered public? Or would they be local since it's an established VPN?
04-13-2010 03:54 AM
Sorry, don't quite understand your question.
Please post config, and what you are trying to achieve.
04-13-2010 04:29 AM
Here is the relevant config I think:
2.2.2.0/24 is our local network for int local
object-group network remoteT1_NAT_local
network-object 1.1.1.0 255.255.255.0
access-list nonat extended permit ip 1.1.1.0 255.255.252.0 2.2.2.0 255.255.255.0
access-list public_cryptomap_1090 extended permit ip 1.1.1.1 255.255.252.0 2.2.2.0 255.255.255.0
access-list remoteT1_AL extended permit ip object-group remoteT1_NAT_local object-group remoteT1_NAT
access-list remoteT1_AL_VPN extended permit ip object-group remoteT1_NAT_local object-group remoteT1_NAT
global (public) 10 interface
global (local1) 30 10.3.90.55
nat (local) 30 access-list remoteT1_AL
nat (public) 30 access-list remoteT1_AL_VPN outside
nat (local) 10 0.0.0.0 0.0.0.0
crypto map public_map 1090 match address public_cryptomap_1090
If nothing stands out there is no need to worry, I'll start trying to figure out a different path. Thanks a ton for your help.
04-13-2010 04:37 AM
We just need to see what the logs show when the flow breaks.
Post syslogs in debug level.
conf t
logging on
logging buffered debug
exit
sh logg | i x.x.x.x
-KS
04-13-2010 04:49 AM
Sorry, it looks all wrong. Nothing matches correctly, and still not too sure what you are trying to achieve.
What I understand is VPN traffic terminate on "public" interface (security level 0), and you would like to NAT the VPN remote LAN to 10.3.90.55 when going towards "local1" interface (security level 100). Is this correct?
Please include the remote LAN subnet, local1 subnet, and the crypto ACL. Also, where is your nonat ACL applied? Please also share output of the following:
sh run nat
sh run global
and any access-list associated with the nat statement.
04-13-2010 07:57 AM
I'm trying to achieve what you specified. Right now I NAT to the local1 subnet from the local subnet, but I also need to be able to NAT from the local IPs of the remote VPN network across the IPSec VPN tunnel to the local1
Log output:
5|Apr 13 2010|09:58:22|305013|10.20.2.29||||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src public:remoteVPNnetwork dst local1e:remoteT1network (type 8, code 0) denied due to NAT reverse path failure
local & local1 are sec level 100
public is 0
same-security-traffic permit inter-interface
Crypto ACL:
access-list public_cryptomap_1090 extended permit ip 1.1.1.1 255.255.252.0 2.2.2.0 255.255.255.0
Crypto ACL applied:
crypto map public_map 1090 match address public_cryptomap_1090
sh run nat
nat (local) 0 access-list nonat
nat (local) 40 access-list CHS_AL
nat (local) 30 access-list remoteT1_AL
nat (public) 30 access-list remoteT1_AL_VPN outside
nat (local) 10 0.0.0.0 0.0.0.0
nat (public) 0 access-list public_nat0_inbound outside
nat (public) 5 access-list public_pnat_inbound_V1 outside
global:
global (public) 40 192.168.11.25-192.168.11.28 netmask 255.255.255.0
global (public) 10 interface
global (local1) 30 10.3.90.55
Also, I was using icmp just for logging purposes, but regular tcp traffic has the same effect.
04-14-2010 06:06 AM
OK, you haven't included all the access-lists that are associated with the NAT statements. It's difficult to help if you don't provide the whole picture.
This statement:
nat (public) 0 access-list public_nat0_inbound outside
will take precedence over:
nat (public) 30 access-list remoteT1_AL_VPN outside
NAT exemption with an ACL takes priority; therefore your "nat (public) 30" will never get invoked if the access-lists overlap.
Further to that, you don't have NAT exemption on local1 interface.
Please share the whole config, or provide output of the following:
show run interface
show run route
show access-list
And please confirm, the traffic flow is from "public" interface towards "local1" interface?
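The last reply's point, that a "nat (public) 0 access-list" exemption is evaluated before "nat (public) 30" regardless of where the lines sit in "show run nat", is easy to check offline with a small model. The script below is an added example written for this thread, not code from Cisco or from any poster: it models the pre-8.3 ASA NAT precedence (exemption first, then policy NAT in configuration order, then regular dynamic NAT), runs the flow from the 305013 log message through two constructed versions of public_nat0_inbound (one that overlaps the T1 destination and one scoped to 2.2.2.0/24), and parses the pipe-delimited syslog line posted above to pull out the ingress and egress interfaces. The remoteT1_NAT object group is not shown in the thread, so 10.3.90.0/24 stands in for it as a placeholder, and the contents of public_nat0_inbound are assumed because they were never posted.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


def net(cidr):
    # strict=False so ACL-style entries such as 1.1.1.0 255.255.252.0 are accepted
    return ipaddress.ip_network(cidr, strict=False)


@dataclass
class NatRule:
    iface: str           # interface named in "nat (iface) ..."
    nat_id: int          # 0 = exemption, otherwise pairs with "global (...) id"
    acl: Optional[str]   # ACL name for "nat N access-list ACL"; None for "nat N net mask"
    net: Optional[ipaddress.IPv4Network] = None  # source net for "nat N net mask" rules


def acl_permits(entries, src_ip, dst_ip):
    """True if any (src_net, dst_net) line of the ACL covers the flow."""
    return any(src_ip in s and dst_ip in d for s, d in entries)


def select_nat(rules, acls, iface, src_ip, dst_ip):
    """Return the rule that owns the flow on ASA 8.2 (pre-8.3 NAT).

    Precedence modelled here: nat 0 access-list (exemption) is checked first no
    matter where it appears, then policy NAT (nat N access-list) in the order
    the statements are listed, then regular dynamic NAT (nat N net mask).
    The in-order evaluation of policy NAT rules is an assumption of this model.
    """
    on_iface = [r for r in rules if r.iface == iface]
    for r in on_iface:                       # 1. exemption
        if r.nat_id == 0 and r.acl and acl_permits(acls[r.acl], src_ip, dst_ip):
            return r
    for r in on_iface:                       # 2. policy NAT
        if r.nat_id != 0 and r.acl and acl_permits(acls[r.acl], src_ip, dst_ip):
            return r
    for r in on_iface:                       # 3. regular dynamic NAT
        if r.acl is None and r.net and src_ip in r.net:
            return r
    return None


# Constructed data: the two nat (public) statements from "sh run nat" in the thread.
PUBLIC_RULES = [
    NatRule("public", 30, "remoteT1_AL_VPN"),
    NatRule("public", 0, "public_nat0_inbound"),
]

# Assumed ACL contents. 10.3.90.0/24 is a placeholder for the remoteT1_NAT object group.
ACLS_OVERLAPPING = {
    "public_nat0_inbound": [(net("1.1.1.0/22"), net("0.0.0.0/0"))],   # exempts everything
    "remoteT1_AL_VPN": [(net("1.1.1.0/24"), net("10.3.90.0/24"))],
}
ACLS_SCOPED = {
    "public_nat0_inbound": [(net("1.1.1.0/22"), net("2.2.2.0/24"))],  # exempts only the local LAN
    "remoteT1_AL_VPN": [(net("1.1.1.0/24"), net("10.3.90.0/24"))],
}


def which_nat_id(acls, src="1.1.1.10", dst="10.3.90.100"):
    """nat_id that would be applied to a VPN host reaching the T1 network, or None."""
    r = select_nat(PUBLIC_RULES, acls, "public",
                   ipaddress.ip_address(src), ipaddress.ip_address(dst))
    return r.nat_id if r else None


# Parser for the pipe-delimited syslog line posted in the thread (message 305013).
IFACE_RE = re.compile(r"src (?P<src_if>[\w-]+):(?P<src>\S+) dst (?P<dst_if>[\w-]+):(?P<dst>\S+)")


def parse_asa_syslog(line):
    """Split severity|date|time|msg_id|...|text and extract interfaces from the text."""
    parts = line.split("|")
    rec = {"severity": int(parts[0]), "date": parts[1], "time": parts[2],
           "msg_id": parts[3], "text": parts[-1]}
    m = IFACE_RE.search(rec["text"])
    if m:
        rec.update(m.groupdict())
    return rec


LOG_LINE = ("5|Apr 13 2010|09:58:22|305013|10.20.2.29||||Asymmetric NAT rules matched for "
            "forward and reverse flows; Connection for icmp src public:remoteVPNnetwork "
            "dst local1e:remoteT1network (type 8, code 0) denied due to NAT reverse path failure")

if __name__ == "__main__":
    print("overlapping nat0 ACL -> nat id", which_nat_id(ACLS_OVERLAPPING))  # 0: nat 30 never fires
    print("scoped nat0 ACL      -> nat id", which_nat_id(ACLS_SCOPED))       # 30
    rec = parse_asa_syslog(LOG_LINE)
    print(rec["msg_id"], rec["src_if"], "->", rec["dst_if"])
```

With the loosely written exemption the flow is claimed by nat 0 and the nat 30 policy rule is never reached, which is the condition the reply describes; narrowing the exemption to the 2.2.2.0/24 LAN lets the same flow fall through to nat 30. The parser gives a quick way to confirm from the 305013 text which interface pair the ASA evaluated, so the "show run nat" check can be focused on the right interface.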