I have built a site to site VPN (ASA1 to ASA2) which works. But!
When the LOCAL network on ASA1 tries to access REMOTE hosts behind the ASA2 firewall THAT HAVE STATIC NATs to public IPs, the traffic never gets returned back over the VPN. Basically the traffic always wants to exit the REMOTE ASA on the public NAT address. So I have asynchronous VPN traffic from ASA1 to ASA2.
Running a packet-trace from ASA2 to replicate ASA2-to-ASA1 VPN traffic, again the static NAT kicks in.
Despite having the correct NO NAT statements in place (remember this works for non-static-NAT hosts), I can't think what the problem may be.
The LOCAL ASA was built by me and even there I use static NATs but I write them like the following:
object network obj-172.20.176.148
nat (WEBDMZ,OUTSIDE) static 217.114.x.x
The REMOTE ASA has its static NATs configured like the following:
nat (inside,outside) source static obj-172.30.0.206 obj-86.47.x.x
Is there an order of NAT that I should know about in this case, or, better again, can someone explain to me what is happening here and how to allow VPN access from ASA1 to public-facing hosts (static NAT) in ASA2?
The NAT format you are using on the REMOTE ASA will override ANY other NAT configuration.
You have probably added something like this on the REMOTE ASA to do NAT0 / NAT Exempt:
object network LOCAL
object network REMOTE
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE
If the Static NAT you mention above was created BEFORE this NAT0, then the Static NAT is processed before the new NAT0 configuration and the NAT0 will never be applied to this host's connections.
In order to resolve this you have at least 2 options.
- Remove the current Static NAT that is overriding the NAT0 and configure the Static NAT the same way as on the local ASA. This will make NAT0 kick in before the Static NAT.
- Remove the NAT0 configuration (if you have the above type of configuration), then add it again WITH an order/line number, as mentioned below:
nat (inside,outside) 1 source static LOCAL LOCAL destination static REMOTE REMOTE
Notice that we added the number "1" in the command. What this basically means is that this rule will be inserted at the very top of ALL the NAT rules on the ASA. Therefore it will get matched before the Static NAT.
If you want to read about the new 8.3+ NAT format then you could take a look at a document I wrote here on the CSC. It gives a better explanation on the ordering of the NAT configurations.
Hope this helps.
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
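The ordering problem described in the question and the two fixes given in the answer can be reproduced with a small model of how an ASA 8.3+ evaluates its NAT table. The code below is an added example written for this page; it is not from the thread, and it is not Cisco's implementation. It models the three NAT sections (Section 1: manual/twice NAT in configured order, Section 2: object NAT ordered static-first then longest prefix, Section 3: manual NAT with after-auto) and takes the first match. All addresses are constructed: 172.30.0.0/24 and 172.20.176.0/24 are assumed to be the REMOTE and LOCAL networks, and 203.0.113.206 stands in for the 86.47.x.x public address.

```python
"""Toy model of ASA 8.3+ NAT rule ordering (added example, not Cisco code).

Sections are evaluated top to bottom, first match wins:
  Section 1 - manual (twice) NAT, in configured order or by line number
  Section 2 - object (auto) NAT, static before dynamic, longest prefix first
  Section 3 - manual NAT configured with 'after-auto'
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample addressing (assumption, not from the thread):
REMOTE_NET = "172.30.0.0/24"      # ASA2 inside network, contains 172.30.0.206
LOCAL_NET = "172.20.176.0/24"     # ASA1 side network, reached over the VPN
PUBLIC_IP = "203.0.113.206"       # stands in for the 86.47.x.x static NAT address
SERVER = "172.30.0.206"           # the statically NATed host from the question
VPN_PEER_HOST = "172.20.176.10"   # a host on the ASA1 side
INTERNET_HOST = "198.51.100.5"    # an arbitrary Internet destination


@dataclass
class NatRule:
    name: str
    real_src: str                    # real source network or host
    mapped_src: str                  # mapped (translated) source
    real_dst: Optional[str] = None   # None means "any destination"
    static: bool = True

    def matches(self, src: str, dst: str) -> bool:
        if ip_address(src) not in ip_network(self.real_src, strict=False):
            return False
        return self.real_dst is None or ip_address(dst) in ip_network(self.real_dst, strict=False)

    def translate(self, src: str) -> str:
        # Static/identity mapping: keep the host's offset inside the network.
        real = ip_network(self.real_src, strict=False)
        mapped = ip_network(self.mapped_src, strict=False)
        offset = int(ip_address(src)) - int(real.network_address)
        return str(ip_address(int(mapped.network_address) + offset))


class NatTable:
    def __init__(self) -> None:
        self.section1: List[NatRule] = []
        self.section2: List[NatRule] = []
        self.section3: List[NatRule] = []

    def add_manual(self, rule: NatRule, line: Optional[int] = None, after_auto: bool = False) -> None:
        """Manual NAT appends to its section unless a line number is given."""
        target = self.section3 if after_auto else self.section1
        if line is None:
            target.append(rule)
        else:
            target.insert(line - 1, rule)

    def add_object(self, rule: NatRule) -> None:
        self.section2.append(rule)

    def _ordered_section2(self) -> List[NatRule]:
        # Object NAT is not kept in configured order: static before dynamic,
        # then longest prefix, then lowest real address (name tie-break omitted).
        return sorted(
            self.section2,
            key=lambda r: (not r.static,
                           -ip_network(r.real_src, strict=False).prefixlen,
                           int(ip_network(r.real_src, strict=False).network_address)),
        )

    def lookup(self, src: str, dst: str) -> Tuple[str, str]:
        """Return (matching rule name, translated source) for a packet."""
        for rule in self.section1 + self._ordered_section2() + self.section3:
            if rule.matches(src, dst):
                return rule.name, rule.translate(src)
        return "no-match", src


def remote_asa_as_posted() -> NatTable:
    """Manual static NAT configured first, NAT0 added afterwards (the question)."""
    t = NatTable()
    t.add_manual(NatRule("static-obj-172.30.0.206", SERVER + "/32", PUBLIC_IP + "/32"))
    t.add_manual(NatRule("NAT0", REMOTE_NET, REMOTE_NET, real_dst=LOCAL_NET))
    return t


def remote_asa_nat0_at_line_1() -> NatTable:
    """Answer's option 2: re-add NAT0 with line number 1."""
    t = NatTable()
    t.add_manual(NatRule("static-obj-172.30.0.206", SERVER + "/32", PUBLIC_IP + "/32"))
    t.add_manual(NatRule("NAT0", REMOTE_NET, REMOTE_NET, real_dst=LOCAL_NET), line=1)
    return t


def remote_asa_static_as_object_nat() -> NatTable:
    """Answer's option 1: static NAT as object NAT (Section 2), like the local ASA."""
    t = NatTable()
    t.add_manual(NatRule("NAT0", REMOTE_NET, REMOTE_NET, real_dst=LOCAL_NET))
    t.add_object(NatRule("obj-172.30.0.206", SERVER + "/32", PUBLIC_IP + "/32"))
    return t


if __name__ == "__main__":
    for label, table in [("as posted", remote_asa_as_posted()),
                         ("NAT0 at line 1", remote_asa_nat0_at_line_1()),
                         ("static as object NAT", remote_asa_static_as_object_nat())]:
        print(label, "VPN-bound:", table.lookup(SERVER, VPN_PEER_HOST),
              "Internet-bound:", table.lookup(SERVER, INTERNET_HOST))
```

Run as a script it shows the posted configuration translating the VPN-bound reply to the public address (so it leaves on the outside interface instead of entering the tunnel), while both fixes leave the source at 172.30.0.206 for VPN destinations and still apply the static NAT for Internet destinations. On a real ASA the equivalent check is `show nat` to see the section and line a rule landed in, and `packet-tracer` to confirm which rule a given flow hits.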