07-14-2010 11:38 AM
I have two ASA5520s both running 8.04 code.
I have an l2l tunnel between them.
It seems that I am having a problem with Nat exemption.
For some reason the NAT 0 statement will not work. I receive the "no translation group" error message when trying to pass traffic. However, as soon as I add a static NAT entry traffic will pass.
Here is the general layout:
ASA5520 A ASA5520 B
192.168.1.x inside--------------------l2l tunnel------------------192.168.2.x inside
Here is what I have for config.
ASA5520 A:
<----interesting traffic ACL--------->
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
<----nat exemption ACL--->
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list no_nat
global (outside) 1 x.x.x.x netmask 255.255.255.255
ASA5520 B:
<----interesting traffic ACL--------->
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
<----nat exemption ACL--->
access-list no_nat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
The only way I can get traffic to flow through the tunnel successfully is if I add static NAT for the subnets, so on ASA5520 A I have to add:
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
and ASA5520B:
static (inside,outside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
At this point traffic will flow even if I remove the no_nat access list.
Anyone have any answers for this?
07-14-2010 02:08 PM
Rod,
Here's a thought (I'm sorry I didn't go over the whole problem properly): previously there were bugs in PIX/ASA under which modifying nat 0 access-lists didn't work. Note that this is 8.0.3 we're talking about.
Can you please try the workaround for this one? Remove nat 0 statements and add them back again.
Marcin
07-14-2010 03:52 PM
Thanks for the reply. I did try your suggestion and it didn't work.
I did however manage to fix it and I think I know why.
On ASA5520 A there is the following:
global (outside) 1 x.x.x.x netmask x.x.x.x
What I didn't post was the nat statements that are tied to this:
nat (inside) 1 10.70.14.43 255.255.255.255
nat (inside) 1 10.70.15.75 255.255.255.255
nat (inside) 1 10.70.15.77 255.255.255.255
nat (inside) 1 10.70.20.32 255.255.255.255
nat (inside) 1 10.70.20.34 255.255.255.255
I had to add the 192.168.1.x statement:
nat (inside) 1 192.168.1.0 255.255.255.0
After I added that, I was able to work without having the static NAT statements in and the Nat Exempt ACL worked.
I may be mistaken but I believe the problem was that without the nat (inside) 1 192.168.1.0 255.255.255.0 the subnet was never being let in the first interface.
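As an added example (not code from the thread or from Cisco), the Python sketch below models the order in which a pre-8.3 ASA evaluates translation rules for a flow: nat 0 exemption first, then static, then dynamic nat, and otherwise no match, which is the condition behind the "no translation group" message. It parses only the rule forms used in this thread, ignores interface pairs, policy NAT and nat-control, and uses a constructed copy of the ASA5520 A config with a placeholder global address.

```python
import ipaddress

# Constructed sample, not a dump from the thread: the ASA5520 A lines Rod posted,
# plus the nat (inside) 1 line for 192.168.1.x he added; the global IP is a placeholder.
ASA_A_CONFIG = """
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list no_nat
nat (inside) 1 10.70.14.43 255.255.255.255
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 203.0.113.10 netmask 255.255.255.255
"""

def net(addr, mask):
    # ASA config gives dotted netmasks; ipaddress accepts the "addr/netmask" form.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect the rule types this thread uses: permit ACEs, nat 0 exemptions,
    static entries and dynamic nat pools (interface pairs are ignored)."""
    acls, exempt, statics, dynamic = {}, [], [], []
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "access-list" and t[3] == "permit" and t[4] == "ip":
            acls.setdefault(t[1], []).append((net(t[5], t[6]), net(t[7], t[8])))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            exempt.append(t[4])
        elif t[0] == "nat" and t[2] != "0":
            dynamic.append(net(t[3], t[4]))
        elif t[0] == "static":
            statics.append(net(t[3], t[5]))   # real (inside) network
    return acls, exempt, statics, dynamic

def lookup(config, src, dst):
    """Classify a flow in the order pre-8.3 ASA tries translation rules:
    nat 0 exemption, then static, then dynamic nat; otherwise nothing matches."""
    acls, exempt, statics, dynamic = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name in exempt:
        if any(s in sn and d in dn for sn, dn in acls.get(name, [])):
            return "exempt"
    if any(s in n for n in statics):
        return "static"
    if any(s in n for n in dynamic):
        return "dynamic"
    return "no translation group"

if __name__ == "__main__":
    print(lookup(ASA_A_CONFIG, "192.168.1.10", "192.168.2.20"))  # exempt
    print(lookup(ASA_A_CONFIG, "192.168.1.10", "198.51.100.7"))  # dynamic
```

Running the lookup for both the tunnel subnet pair and an Internet-bound flow from the same host before a change is a quick way to confirm the exemption ACL and dynamic pool both cover the subnet.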
07-15-2010 01:23 AM
Rod,
That's odd, do you have nat-control enabled?
Marcin
07-15-2010 08:37 AM
No Nat-Control
I did try enabling it once before during initial t-shooting when I first discovered the problem and it made no difference.
07-15-2010 08:51 AM
Rod,
Please upgrade to 8.0.5 and let's never see it again
Marcin