
NAT 0 not working for VPN l2l tunnel

ROD FRANKLIN
Level 1

I have two ASA5520's both running 8.04 code.

I have an l2l tunnel between them.

It seems that I am having a problem with Nat exemption.

For some reason the NAT 0 statement will not work. I receive the "no translation group" error message when trying to pass traffic. However, as soon as I add a static NAT entry traffic will pass.

Here is the general layout:

     ASA5520 A                                                            ASA5520 B

192.168.1.x inside--------------------l2l tunnel------------------192.168.2.x inside

Here is what I have for config.

ASA5520 A:

<----interesting traffic ACL--------->

access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

<----nat exemption ACL--->

access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (inside) 0 access-list no_nat

global (outside) 1 x.x.x.x netmask 255.255.255.255

ASA5520 B:

<----interesting traffic ACL--------->

access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

<----nat exemption ACL--->

access-list no_nat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list no_nat

nat (inside) 1 0.0.0.0 0.0.0.0

The only way I can get traffic to flow through the tunnel successfully is if I add static NAT for the subnets, so on ASA5520 A I have to add:

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

and ASA5520B:

static (inside,outside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

At this point traffic will flow even if I remove the no_nat access list.

Anyone have any answers for this?

5 Replies

Marcin Latosiewicz
Cisco Employee

Rod,

Here's a thought (I'm sorry I didn't go over the whole problem properly). Previously there were bugs in PIX/ASA under which modifying nat 0 access-lists didn't work. Note that this is 8.0.3 we're talking about.

Can you please try the workaround for this one? Remove nat 0 statements and add them back again.

Marcin

Thanks for the reply. I did try your suggestion and it didn't work.

I did however manage to fix it and I think I know why.

On ASA5520 A there is the following:

global (outside) 1 x.x.x.x netmask x.x.x.x

What I didn't post was the nat statements that are tied to this:

nat (inside) 1 10.70.14.43 255.255.255.255
nat (inside) 1 10.70.15.75 255.255.255.255
nat (inside) 1 10.70.15.77 255.255.255.255
nat (inside) 1 10.70.20.32 255.255.255.255
nat (inside) 1 10.70.20.34 255.255.255.255

I had to add the 192.168.1.x statement:

nat (inside) 1 192.168.1.0 255.255.255.0

After I added that, I was able to work without having the static NAT statements in and the Nat Exempt ACL worked.

I may be mistaken but I believe the problem was that without the nat (inside) 1 192.168.1.0 255.255.255.0 the subnet was never being let in the first interface.
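As an added illustration, not part of the thread, here is a small Python model of the NAT lookup order the ASA 8.0 configuration guide documents (exemption, then static, then policy dynamic, then regular dynamic), applied to the ASA5520 A rules posted above. The model, the "no translation group"/"untranslated" outcomes depending on nat-control, and the host addresses 192.168.1.10, 192.168.2.10 and 203.0.113.5 are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model: one NAT rule per ASA line. "exempt" is nat 0 access-list,
# "static" is static (inside,outside), "policy" is nat <id> access-list,
# "dynamic" is nat <id> <net> <mask> tied to a global. Ordering is assumed from
# the 8.0 configuration guide's "NAT order of operations"; not a real ASA.
@dataclass
class Rule:
    kind: str                 # "exempt", "static", "policy" or "dynamic"
    src: str                  # source network (CIDR)
    dst: str = "0.0.0.0/0"    # destination network, only ACL-based rules narrow it

ORDER = ["exempt", "static", "policy", "dynamic"]

def lookup(rules, src_ip, dst_ip, nat_control):
    """First rule matching the flow in ASA order, or what happens when none does.

    Returns (outcome, rule). With nat-control enabled and no match the ASA
    reports "no translation group"; with it disabled the flow passes untranslated.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for kind in ORDER:
        for rule in rules:
            if rule.kind != kind:
                continue
            if src in ipaddress.ip_network(rule.src) and dst in ipaddress.ip_network(rule.dst):
                return kind, rule
    return ("no translation group" if nat_control else "untranslated"), None

# ASA5520 A as posted: nat exemption plus per-host dynamic NAT to global 1.
ASA_A_BEFORE = [
    Rule("exempt", "192.168.1.0/24", "192.168.2.0/24"),   # nat (inside) 0 access-list no_nat
    Rule("dynamic", "10.70.14.43/32"),                     # nat (inside) 1 10.70.14.43 ...
    Rule("dynamic", "10.70.15.75/32"),
    Rule("dynamic", "10.70.15.77/32"),
    Rule("dynamic", "10.70.20.32/32"),
    Rule("dynamic", "10.70.20.34/32"),
]

# Same box after the fix from the thread: nat (inside) 1 192.168.1.0 255.255.255.0
ASA_A_AFTER = ASA_A_BEFORE + [Rule("dynamic", "192.168.1.0/24")]

if __name__ == "__main__":
    for rules, label in ((ASA_A_BEFORE, "before"), (ASA_A_AFTER, "after")):
        for dst in ("192.168.2.10", "203.0.113.5"):   # tunnel peer host, Internet host
            outcome, rule = lookup(rules, "192.168.1.10", dst, nat_control=True)
            print(f"{label}: 192.168.1.10 -> {dst}: {outcome} {rule}")
```

The point of the check is that a tunnel-bound flow should hit the exemption rule first regardless of the dynamic rules, while an Internet-bound flow from 192.168.1.0/24 only gets a translation once the subnet is covered by nat (inside) 1.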

Rod,

That's odd, do you have nat-control enabled?

Marcin

No Nat-Control

I did try enabling it once before during initial t-shooting when I first discovered the problem and it made no difference.

Rod,

Please upgrade to 8.0.5 and let's never see it again

Marcin