07-14-2010 11:38 AM
I have two ASA5520's both running 8.04 code.
I have an l2l tunnel between them.
It seems that I am having a problem with Nat exemption.
For some reason the NAT 0 statement will not work. I receive the "no translation group" error message when trying to pass traffic. However, as soon as I add a static NAT entry, traffic will pass.
Here is the general layout:
ASA5520 A                                                    ASA5520 B
192.168.1.x inside ---------------- l2l tunnel ---------------- 192.168.2.x inside
Here is what I have for config.
ASA5520 A:
<----interesting traffic ACL--------->
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
<----nat exemption ACL--->
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list no_nat
global (outside) 1 x.x.x.x netmask 255.255.255.255
ASA5520 B:
<----interesting traffic ACL--------->
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
<----nat exemption ACL--->
access-list no_nat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
The only way I can get traffic to flow through the tunnel successfully is if I add static NAT for the subnets, so on ASA5520 A I have to add:
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
and ASA5520B:
static (inside,outside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
At this point traffic will flow even if I remove the no_nat access list.
Anyone have any answers for this?
07-14-2010 02:08 PM
Rod,
Here's a thought (I'm sorry I didn't go over the whole problem properly), previously there were bugs in PIX/ASA under which modifying nat 0 access-lists didn't work. Note that this is 8.0.3 we're talking about.
Can you please try the workaround for this one? Remove nat 0 statements and add them back again.
Marcin
07-14-2010 03:52 PM
Thanks for the reply. I did try your suggestion and it didn't work.
I did however manage to fix it and I think I know why.
On ASA5520 A there is the following:
global (outside) 1 x.x.x.x netmask x.x.x.x
What I didn't post was the nat statements that are tied to this:
nat (inside) 1 10.70.14.43 255.255.255.255
nat (inside) 1 10.70.15.75 255.255.255.255
nat (inside) 1 10.70.15.77 255.255.255.255
nat (inside) 1 10.70.20.32 255.255.255.255
nat (inside) 1 10.70.20.34 255.255.255.255
I had to add the 192.168.1.x statement:
nat (inside) 1 192.168.1.0 255.255.255.0
After I added that, I was able to work without having the static NAT statements in and the Nat Exempt ACL worked.
I may be mistaken but I believe the problem was that without the nat (inside) 1 192.168.1.0 255.255.255.0 the subnet was never being let in the first interface.
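To make the rule order in the two posts above concrete, here is a small Python model, added here and not code from Cisco or from the thread, of how a pre-8.3 ASA picks a translation for an inside-to-outside flow: NAT exemption (nat 0 access-list) is checked first, then static, then dynamic nat/global, and only when nothing matches does nat-control decide between dropping the packet and passing it untranslated. The config is constructed from the lines posted for ASA5520 A, with the masked x.x.x.x replaced by a placeholder address.

```python
import ipaddress

# Constructed from the ASA5520 A lines posted in the thread; 203.0.113.10 is a
# placeholder for the masked global address x.x.x.x.
ASA_A_CONFIG = """
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list no_nat
nat (inside) 1 10.70.14.43 255.255.255.255
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 203.0.113.10 netmask 255.255.255.255
"""

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_config(text):
    """Collect the pre-8.3 rule types that matter here: exemption ACLs, statics, dynamic nat."""
    acls, exempt, statics, dynamic = {}, [], [], []
    for line in text.strip().splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "access-list" and f[2:4] == ["extended", "permit"]:
            # access-list NAME extended permit ip SRC MASK DST MASK
            acls.setdefault(f[1], []).append((_net(f[5], f[6]), _net(f[7], f[8])))
        elif f[0] == "nat" and f[2] == "0" and f[3] == "access-list":
            exempt.append(f[4])                      # nat (inside) 0 access-list NAME
        elif f[0] == "nat":
            dynamic.append((f[2], _net(f[3], f[4])))  # nat (inside) ID LOCAL MASK
        elif f[0] == "static":
            statics.append(_net(f[3], f[5]))         # static (in,out) MAPPED REAL netmask MASK
    return acls, exempt, statics, dynamic

def classify(config, src, dst, nat_control=False):
    """Return which rule an inside->outside flow hits: exempt, static, dynamic, untranslated, drop."""
    acls, exempt, statics, dynamic = parse_config(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. NAT exemption is matched on source AND destination, so only tunnel traffic qualifies
    for name in exempt:
        if any(s in sn and d in dn for sn, dn in acls.get(name, [])):
            return "exempt"
    # 2. static NAT is matched on the real (local) address regardless of destination
    if any(s in real for real in statics):
        return "static"
    # 3. regular dynamic NAT (nat/global pool)
    if any(s in local for _, local in dynamic):
        return "dynamic"
    # 4. no rule at all: nat-control drops it ("no translation group found"), otherwise it passes as-is
    return "drop" if nat_control else "untranslated"
```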
07-15-2010 01:23 AM
Rod,
That's odd, do you have nat-control enabled?
Marcin
07-15-2010 08:37 AM
No Nat-Control
I did try enabling it once before during initial t-shooting when I first discovered the problem and it made no difference.
07-15-2010 08:51 AM
Rod,
Please upgrade to 8.0.5 and let's never see it again
Marcin