NAT order on ASA v8.6

Answered Question
Jul 18th, 2013

Hi,


I have built a site to site VPN (ASA1 to ASA2) which works. But!


When the LOCAL network on ASA1 tries to access REMOTE hosts on ASA2 firewall, THAT HAVE STATIC NATs, to public IPs the traffic never gets returned back over the VPN. Basically the traffic always wants to exit the REMOTE ASA on the public NAT address. So I have asynchronous VPN traffic from ASA1 to ASA2.


Running a packet-tracer from ASA2 to replicate ASA2 to ASA1 VPN traffic, again the static NAT kicks in.


Despite having the correct NO NAT statements in (remember this works for non static NAT hosts) I can't think what the problem may be.


The LOCAL ASA was built by me and even there I use static NATs but I write them like the following:

!
object network obj-172.20.176.148
 nat (WEBDMZ,OUTSIDE) static 217.114.x.x
!


The REMOTE ASA has its static NATs configured like the following:

!
nat (inside,outside) source static obj-172.30.0.206 obj-86.47.x.x
!


Is there an order of NAT that I should know about in this case, or better again, can someone explain to me what is happening here and how to allow VPN access from ASA1 to public facing hosts (static NAT) in ASA2?





Thanks

Fergal

Correct Answer by Jouni Forss, Thu, 07/18/2013 - 05:59

Hi,


The NAT format you are using on the REMOTE ASA will override ANY other NAT configuration.


You have probably added something like this on the REMOTE ASA to do NAT0 / NAT Exempt


object network LOCAL
 subnet

object network REMOTE
 subnet

nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE


If the Static NAT you mention above was created BEFORE this NAT0, then the Static NAT is processed before the new NAT0 configuration and the NAT0 will never be applied to this host's connection.


In order to resolve this you have at least 2 options.

  • Remove the current Static NAT that is overriding the NAT0 and configure the Static NAT the same way as on the local ASA. This will make NAT0 kick in before the Static NAT.
  • Remove the NAT0 configuration (if you have the above type of configuration), then add it again WITH an order/line number, as mentioned below.


nat (inside,outside) 1 source static LOCAL LOCAL destination static REMOTE REMOTE


Notice that we added the number "1" in the command. What this basically means is that this rule will be inserted at the very top of ALL the NAT rules on the ASA. Therefore it will get matched before the Static NAT.


If you want to read about the new 8.3+ NAT format then you could take a look at a document I wrote here on the CSC. It gives a better explanation on the ordering of the NAT configurations.



https://supportforums.cisco.com/docs/DOC-31116


Hope this helps


Please do remember to mark a reply as the correct answer if it answered your question.


Feel free to ask more if needed


- Jouni
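To make the ordering argument in the answer concrete, here is a small Python model of how an ASA 8.3+ picks the first matching NAT rule (Section 1 manual NAT in configured order, then Section 2 object NAT, then Section 3 after-auto manual NAT). It is an added example written for this page, not code from the thread or from Cisco. The /24 subnets, the second inside host and the Internet destination are constructed; "86.47.x.x" is kept as the thread's own redacted mapped address. The model reproduces the failure (manual static NAT configured before NAT0 wins for the server's VPN-bound traffic) and both fixes Jouni describes: inserting NAT0 at line 1, or rewriting the static NAT as object NAT so it drops to Section 2.

```python
"""Model of ASA 8.3+ NAT rule selection: first match wins, Section 1 manual NAT in
configured order, then Section 2 object (auto) NAT, then Section 3 after-auto manual NAT.
Addresses other than the two hosts quoted in the thread are constructed for this example."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class NatRule:
    name: str
    section: int            # 1 = manual NAT, 2 = object NAT, 3 = manual NAT 'after-auto'
    src_real: ipaddress.IPv4Network
    mapped_src: str         # resulting source; "identity" = untranslated (NAT0 / NAT exempt)
    dst_real: ipaddress.IPv4Network = ANY   # manual NAT may also match on destination


# Constructed subnets: the thread names only single hosts on each side.
LOCAL = ipaddress.ip_network("172.20.176.0/24")     # LAN behind ASA1
REMOTE = ipaddress.ip_network("172.30.0.0/24")      # LAN behind ASA2
SERVER = ipaddress.ip_network("172.30.0.206/32")    # statically NATed host behind ASA2

# NAT0 as seen on ASA2: its own LAN is the source, ASA1's LAN is the destination.
NAT0 = NatRule("nat0", 1, REMOTE, "identity", dst_real=LOCAL)


def first_match(rules, src, dst):
    """Return the first rule the packet matches in ASA evaluation order.
    Within Section 2 the real ASA orders static before dynamic and then by prefix
    length; with a single object NAT rule here, configured order is sufficient."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, rule in sorted(enumerate(rules), key=lambda t: (t[1].section, t[0])):
        if src_ip in rule.src_real and dst_ip in rule.dst_real:
            return rule
    return None


def mapped_source(rules, src, dst):
    """Source address the packet leaves with; no match means the ASA forwards it untranslated."""
    rule = first_match(rules, src, dst)
    return rule.mapped_src if rule else "identity"


def broken_config():
    # Manual static NAT created first, NAT0 added later: both in Section 1, static on top.
    return [NatRule("static-manual", 1, SERVER, "86.47.x.x"), NAT0]


def fix_insert_nat0_at_line_1():
    # 'nat (inside,outside) 1 source static ...' places NAT0 at the top of Section 1.
    return [NAT0, NatRule("static-manual", 1, SERVER, "86.47.x.x")]


def fix_object_nat():
    # Static NAT rewritten as object NAT (Section 2); Section 1 NAT0 wins regardless of age.
    return [NatRule("static-object", 2, SERVER, "86.47.x.x"), NAT0]


if __name__ == "__main__":
    vpn_peer, internet = "172.20.176.148", "198.51.100.20"   # constructed destinations
    for label, cfg in (("broken", broken_config()),
                       ("nat0 at line 1", fix_insert_nat0_at_line_1()),
                       ("object NAT", fix_object_nat())):
        print(f"{label:15} server->VPN peer: {mapped_source(cfg, '172.30.0.206', vpn_peer)}"
              f"   server->Internet: {mapped_source(cfg, '172.30.0.206', internet)}")
```

Running it shows the server's VPN-bound packet leaving as 86.47.x.x only in the broken ordering, while Internet-bound traffic is still translated by the static NAT in all three configurations. The same model also shows why other inside hosts were unaffected: they never match the /32 static rule, so NAT0 is the first rule they hit.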


Fergal Meehan Thu, 07/18/2013 - 06:23

Jouni,


You're a legend. I have my confidence back now as I was beginning to doubt my understanding of it.


I've created the correct STATIC NAT config for one server on the REMOTE ASA2 but have yet to do a clear xlate. My hands are tied as this is a live environment but thanks again for your clarity.



Fergal

t.sharman Fri, 07/19/2013 - 06:34

Does the NAT configuration determine whether or not the actual tunnel will come up between two ASAs?

Jouni Forss Fri, 07/19/2013 - 08:42

Hi,


At least when you initiate a connection from behind the local ASA, if the NAT rules are either not configured or the traffic destined to the remote network hits a wrong NAT rule, the packet won't match any VPN rule and therefore the VPN negotiation won't even start.


I would imagine that if the local ASA had a missing NAT configuration or a NAT configured in a wrong way, it would still be possible to negotiate the VPN up from the remote site.


- Jouni
