03-14-2014 08:12 PM - edited 03-11-2019 08:56 PM
All,
I have an ASA that I downgraded from 9.1(4) to 9.0(3) for the problem I'm about to describe, and it didn't fix it. Here's the deal:
I need to nat over a vpn tunnel. The tunnel works fine, but I cannot ping to/from my internal interface. The nat rule looks like this:
nat (inside,outside) source static LAN-VPN LAN-Translated destination static DSTNetwork DSTNetwork
object network LAN-VPN
subnet 10.20.1.0 255.255.255.0
object network LAN-Translated
subnet 10.40.1.0 255.255.255.0
The inside interface of the ASA is 10.20.1.1. When I ping anything across the vpn tunnel sourced from the inside interface, it times out. If I ping from a server to a server across the vpn, it works fine.
So, I've found route-lookup, but for every example I've found, they're not natting. Also, I can't enable it anyway because it throws an error due to the natting config:
ERROR: Option route-lookup is only allowed for static identity case
How can I enable communications to the inside interface over a natted vpn tunnel. Oh, I have management-access inside enabled already, so that's not it - along with the policy map to perform inspects.
Thanks!
John
03-15-2014 08:17 AM
This generally doesn't work because the rule processing for putting traffic into the VPN happens in part due to the access-list on the inside interface that's associated with the cryptomap for the site-site VPN. If the traffic is initiatied by the interface itself, the access-list never gets considered and thus the traffic is not encapsulated in IPsec and sent via the tunnel.
03-15-2014 09:07 AM
Marvin,
Thanks for the reply. I'm not 100% certain that's what is going on though. I can change the acl to not nat over the tunnel, and it works fine. For example, my real subnet is 10.20.1.0/24, but while going over the vpn I nat to 10.40.1.0/24. If what you're saying was the issue, then technically it wouldn't work even when not natting, correct?
I resolved the issue by not natting, but this isn't a good solution. The problem is that we have a hosted solution for one of our applications. Our vpn sites use a 10.78.x.x/24 subnet whereas the hosted site also uses 10.78.x.x in some cases. We haven't had to yet, but there's the possibility of us standing up a site that they use in the same range, and we've been told that we're going to be the side that has to nat. One thought that I had was that I could nat when only going to that site, and that would very well fix the issue I believe, but if we were to nat everything, then that's going to cause us to not be able to ping the inside interface any longer. There was absolutely nothing that I could do to get this to work other than disabling nat across the tunnel completely.
The only thing that I didn't try was to create a host for my inside interface to do a 1-1 nat instead of relying on the subnet object to do the 1-1 nat for me. I don't know; I'm grasping at straws here...
Thanks!
John
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: