Nat exemption upsetting routing

tnplenary
Level 1

Hi Cisco wizards,

I'm having an issue with my NAT exemption on some ASA 5515-Xs running 8.6. There is one rule for NAT exemption that is taking internet-bound traffic and sending it back out the inside interface.

nat (inside,any) source static any any destination static Windows_Servers Windows_Servers no-proxy-arp

When this rule is present traffic from servers in the Windows_Servers group destined for the internet is sent back out the internal interface. If I remove this rule, it works, but it is required for VPN functionality.

The thing that puzzles me the most is that the source is Windows_Servers and the destination is any. This is the opposite of the rule. Also, when this rule is in place and causing trouble, the counter does not increment when I do a show nat.

Possible solution:

(I only have version 8.4 in the lab, 8.6 is on the customer site. No access at the moment.)

If I take the (inside,any) rule and break it into three rules [(inside,outside),(inside,DMZ),(inside,inside)] and add the route-lookup keyword then internet access works. Does this provide the same functionality?

On 8.6 can I just add the route-lookup keyword to the (inside,any) rule?

I'd be fairly happy if the above solution solved the issue, but I'd feel a whole lot better if I could explain why it happens in the first place.

4 Replies

Mike Williams
Level 5

It should work if you add the route-lookup keyword. Normally NAT is processed before routing and that could be causing your problem. The route-lookup keyword forces a routing lookup before processing the NAT.

If that does not fix the issue, please provide your config and the output of a packet-tracer.

Regards,
Mike

Sent from Cisco Technical Support Android App

Thanks Mike,

I'm reasonably confident that the route-lookup will work, but why is the NAT interfering in the first place? I'm initiating a session from Windows_Servers to any when the NAT rule specifies any to Windows_Servers.

Hi,

If the above NAT rule is your VPN NAT0 configuration then I would suggest sticking to actual networks and interfaces instead of "any".

Let's take for example that you have 2 local and 2 remote networks:

object-group network LOCAL
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0

object-group network REMOTE
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0

nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE

You are saying that if you remove this rule then VPN doesn't work. So I would assume that the Windows Servers are behind an L2L VPN connection. You also mean that all of their Internet outbound traffic from the Windows Servers gets forwarded to the "inside" interface when this NAT rule is present?

If the above are correct assumptions, then when the traffic is coming from the "outside" from the Windows Servers networks it matches the "any" destination address to the "inside" interface. Again, one reason why I never used "any" in NAT configurations.

- Jouni

Mike Williams
Level 5

NAT rules on an ASA work bidirectionally by default.

Regards,
Mike


Sent from Cisco Technical Support Android App
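The two explanations above (Jouni's: the "any" mapped interface lets return-direction traffic match back to "inside"; Mike's: ASA NAT rules match bidirectionally, and route-lookup defers the egress decision to the routing table) can be seen in a small model. The following is an added example written for this thread, not Cisco code or the posters' configuration: it models identity (NAT-exempt) twice-NAT rules only, so the real and mapped objects are the same on each side, and every object name, address and route in it is a constructed placeholder. It is a teaching toy for the matching logic, not a reproduction of the ASA's actual NAT implementation.

```python
"""Toy model of ASA identity twice-NAT matching (constructed example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass

# Constructed network objects (assumed placeholders, not the poster's config).
OBJECTS = {
    "any": None,  # None means "matches every address"
    "Windows_Servers": ["10.1.1.0/24"],
    "LOCAL": ["10.10.10.0/24", "10.10.20.0/24"],
    "REMOTE": ["192.168.10.0/24", "192.168.20.0/24"],
}

# Constructed routing table: (prefix, egress interface), longest prefix wins.
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.1.1.0/24", "inside"),
    ("10.10.0.0/16", "inside"),
    ("172.16.0.0/24", "DMZ"),
]


@dataclass
class NatRule:
    """nat (real_ifc,mapped_ifc) source static src src destination static dst dst"""
    real_ifc: str
    mapped_ifc: str
    src_obj: str
    dst_obj: str
    route_lookup: bool = False  # the route-lookup keyword


def in_object(ip, obj_name):
    nets = OBJECTS[obj_name]
    if nets is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def ifc_matches(rule_ifc, ingress):
    return rule_ifc == "any" or rule_ifc == ingress


def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifc in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1]


def match_direction(rule, ingress, src, dst):
    """Return 'forward', 'reverse' or None. NAT rules match in both directions:
    the reverse direction swaps the source/destination objects and interfaces."""
    if (ifc_matches(rule.real_ifc, ingress)
            and in_object(src, rule.src_obj) and in_object(dst, rule.dst_obj)):
        return "forward"
    if (ifc_matches(rule.mapped_ifc, ingress)
            and in_object(src, rule.dst_obj) and in_object(dst, rule.src_obj)):
        return "reverse"
    return None


def egress_interface(rules, ingress, src, dst):
    """First matching rule decides the egress interface (NAT before routing),
    unless the rule uses route-lookup or names "any", in which case the
    routing table decides. Returns (interface, matched_direction)."""
    for rule in rules:
        direction = match_direction(rule, ingress, src, dst)
        if direction is None:
            continue
        ifc = rule.mapped_ifc if direction == "forward" else rule.real_ifc
        if rule.route_lookup or ifc == "any":
            return route_lookup(dst), direction
        return ifc, direction
    return route_lookup(dst), None


# The thread's rule, with and without route-lookup, and Jouni's specific-object rule.
RULE_ANY = NatRule("inside", "any", "any", "Windows_Servers")
RULE_ANY_RL = NatRule("inside", "any", "any", "Windows_Servers", route_lookup=True)
RULE_SPECIFIC = NatRule("inside", "outside", "LOCAL", "REMOTE")

if __name__ == "__main__":
    # Internet-bound packet from a Windows server on inside (constructed addresses).
    print(egress_interface([RULE_ANY], "inside", "10.1.1.5", "203.0.113.10"))     # ('inside', 'reverse')
    print(egress_interface([RULE_ANY_RL], "inside", "10.1.1.5", "203.0.113.10"))  # ('outside', 'reverse')
    print(egress_interface([RULE_SPECIFIC], "inside", "10.10.10.5", "203.0.113.10"))  # ('outside', None)
    print(egress_interface([RULE_SPECIFIC], "outside", "192.168.10.7", "10.10.10.5"))  # ('inside', 'reverse')
```

Run as-is: the first line shows the thread's symptom, a Windows_Servers host sending to the internet hits the rule in the reverse direction (source matches the rule's destination object, destination matches "any") and is handed to the rule's real interface, "inside". Adding route-lookup keeps the same match but takes the egress from the routing table, and Jouni's rule with specific objects and interfaces never matches internet-bound traffic at all while still matching VPN traffic in both directions.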
