NAT order on ASA v8.6

Fergal Meehan
Level 1

Hi,

I have built a site to site VPN (ASA1 to ASA2) which works. But!

When the LOCAL network on ASA1 tries to access REMOTE hosts on the ASA2 firewall THAT HAVE STATIC NATs to public IPs, the traffic never gets returned back over the VPN. Basically the traffic always wants to exit the REMOTE ASA on the public NAT address. So I have asynchronous VPN traffic from ASA1 to ASA2.


Running a packet-trace from ASA2 to replicate ASA2 TO ASA1 VPN traffic, again the static NAT kicks in.

Despite having the correct NO NAT statements in (remember this works for non-static NAT hosts), I can't think what the problem may be.

The LOCAL ASA was built by me and even there I use static NATs, but I write them like the following:

!
object network obj-172.20.176.148
 nat (WEBDMZ,OUTSIDE) static 217.114.x.x
!

The REMOTE ASA has its static NATs configured like the following:

!
nat (inside,outside) source static obj-172.30.0.206 obj-86.47.x.x
!

Is there an order of NAT that I should know about in this case or, better again, can someone explain to me what is happening here and how to allow VPN access from ASA1 to public-facing hosts (static NAT) on ASA2?

Thanks

Fergal

1 Accepted Solution


Jouni Forss
VIP Alumni

Hi,

The NAT format you are using on the REMOTE ASA will override ANY other NAT configuration.

You have probably added something like this on the REMOTE ASA to do NAT0 / NAT Exempt:

object network LOCAL
 subnet
object network REMOTE
 subnet
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE

If the Static NAT you mention above was created BEFORE this NAT0, then the Static NAT is processed before the new NAT0 configuration and the NAT0 will never be applied to this host's connection.

In order to resolve this you have at least 2 options.

  • Remove the current Static NAT that is overriding the NAT0 and configure the Static NAT the same way as on the local ASA. This will make NAT0 kick in before the Static NAT.
  • Remove the NAT0 configuration (if you have the above type of configuration), then add it again WITH an order/line number as mentioned below.

nat (inside,outside) 1 source static LOCAL LOCAL destination static REMOTE REMOTE

Notice that we added the number "1" in the command. What this basically means is that this rule will be inserted at the very top of ALL the NAT rules on the ASA. Therefore it will get matched before the Static NAT.

If you want to read about the new 8.3+ NAT format then you could take a look at a document I wrote here on the CSC. It gives a better explanation on the ordering of the NAT configurations.

https://supportforums.cisco.com/docs/DOC-31116

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

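Added example, not code from the thread or from Cisco: a small Python model of the 8.3+ NAT table (section 1 manual/twice NAT in configured order, then section 2 object NAT) that shows why the REMOTE ASA's static twice NAT wins over a NAT0 added after it, and how each of the two fixes above changes which rule the 172.30.0.206 host hits. The LOCAL/REMOTE subnets and the public address are constructed stand-ins; only 172.30.0.206 comes from the thread.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    section: int      # 1 = manual/twice NAT, 2 = object (auto) NAT, 3 = after-auto
    src: str          # real source network the rule matches
    dst: str          # real destination network ("0.0.0.0/0" = any)
    mapped_src: str   # translated source, or None for identity (NAT0 / NAT exempt)

def lookup(rules, src_ip, dst_ip):
    """First match wins: section 1 in configured order, then section 2, then 3.
    sorted() is stable, so rules in the same section keep their list order."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in sorted(rules, key=lambda r: r.section):
        if src in ipaddress.ip_network(r.src) and dst in ipaddress.ip_network(r.dst):
            return r
    return None

def translated_source(rules, src_ip, dst_ip):
    r = lookup(rules, src_ip, dst_ip)
    return src_ip if r is None or r.mapped_src is None else r.mapped_src

# 172.30.0.206 is from the thread; the other addresses are constructed stand-ins
# for the masked public IP and for the LOCAL/REMOTE subnets the post leaves blank.
REMOTE_HOST, PUBLIC_IP = "172.30.0.206", "203.0.113.10"
LOCAL, REMOTE, ANY = "10.10.10.0/24", "172.30.0.0/24", "0.0.0.0/0"
LOCAL_HOST, INTERNET_HOST = "10.10.10.5", "198.51.100.7"

# nat (inside,outside) source static obj-172.30.0.206 obj-86.47.x.x     (section 1)
STATIC_TWICE = Rule("static twice NAT", 1, REMOTE_HOST + "/32", ANY, PUBLIC_IP)
# object network obj-172.30.0.206 / nat (inside,outside) static <public> (section 2)
STATIC_OBJECT = Rule("static object NAT", 2, REMOTE_HOST + "/32", ANY, PUBLIC_IP)
# nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE
NAT0 = Rule("NAT0 REMOTE<->LOCAL", 1, REMOTE, LOCAL, None)

def scenario_as_posted():
    """Static twice NAT configured first; NAT0 added later lands below it in section 1."""
    return [STATIC_TWICE, NAT0]
def scenario_nat0_line1():
    """'nat (inside,outside) 1 source static ...' puts NAT0 at the top of section 1."""
    return [NAT0, STATIC_TWICE]
def scenario_object_nat():
    """Static NAT rewritten as object NAT: all of section 1 (NAT0) is checked first."""
    return [STATIC_OBJECT, NAT0]   # list order is irrelevant across sections

if __name__ == "__main__":
    for build in (scenario_as_posted, scenario_nat0_line1, scenario_object_nat):
        print(build.__name__, "over VPN ->", translated_source(build(), REMOTE_HOST, LOCAL_HOST))
```

In the as-posted order the VPN-bound packet is translated to the public address (so it never matches the crypto map), while both fixes leave it untranslated and still NAT the same host to the public address for Internet-bound traffic.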

4 Replies

Jouni,

You're a legend. I have my confidence back now as I was beginning to doubt my understanding of it.

I've created the correct STATIC NAT config for one server on the REMOTE ASA2 but have yet to do a clear xlate. My hands are tied as this is a live environment but thanks again for your clarity.

Fergal

Does the NAT configuration determine whether or not the actual tunnel will come up between two ASAs?

Hi,

At least when you initiate a connection from behind the local ASA, if the NAT rules are either not configured or the traffic destined to the remote network hits a wrong NAT rule, it will mean that the packet won't match any VPN rule and therefore the VPN negotiation won't even start.

I would imagine that if the local ASA had a missing NAT configuration or a NAT configured in a wrong way, it would still be possible to negotiate the VPN up from the remote site.

- Jouni
