I'm having an issue with my NAT exemption on some ASA 5515-Xs running 8.6. There is one rule for NAT exemption that is taking internet-bound traffic and sending it back out the inside interface.
nat (inside,any) source static any any destination static Windows_Servers Windows_Servers no-proxy-arp
When this rule is present traffic from servers in the Windows_Servers group destined for the internet is sent back out the internal interface. If I remove this rule, it works, but it is required for VPN functionality.
The thing that puzzles me the most is that the source is Windows_Servers and the destination is any. This is the opposite to the rule. Also, when this rule is in place and causing trouble the counter does not increment when I do a show nat.
(I only have version 8.4 in the lab, 8.6 is on the customer site. No access at the moment.)
If I take the (inside,any) rule and break it into three rules [(inside,outside),(inside,DMZ),(inside,inside)] and add the route-lookup keyword then internet access works. Does this provide the same functionality?
On 8.6 can I just add the route-lookup keyword to the (inside,any) rule?
I'd be fairly happy if the above solution solved the issue, but I'd feel a whole lot better if I could explain why it happens in the first place.
It should work if you add the route-lookup keyword. Normally NAT is processed before routing and that could be causing your problem. The route-lookup keyword forces a routing lookup before processing the NAT.
If that does not fix the issue, please provide your config and the output of a packet-tracer.
I'm reasonably confident that the route-lookup will work, but why is the NAT interfering in the first place? I'm initiating a session from Windows_Servers to any when the NAT rule specifies any to Windows_Servers.
If the above NAT rule is your VPN NAT0 configuration then I would suggest sticking to actual networks and interfaces instead of "any".
Let's take for example that you have 2 local and 2 remote networks:
object-group network LOCAL
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
object-group network REMOTE
network-object 192.168.10.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE
You are saying that if you remove this rule then VPN doesn't work. So I would assume that the Windows Servers are behind a L2L VPN connection. You also mean that all of their Internet outbound traffic from the Windows Servers gets forwarded to the "inside" interface when this NAT rule is present?
If the above are correct assumptions then when the traffic is coming from the "outside" from the Windows Servers networks it matches "any" destination address to the "inside" interface. Again, one reason why I never use "any" in NAT configurations.
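To make the explanation in the answers above concrete, here is a small added model of how a bidirectional static twice-NAT rule can pick the egress interface before routing gets a say. This is example code written for this thread, not Cisco code and not the real ASA data plane: it assumes a simplified rule of thumb (a matched rule whose egress is a named interface overrides the routing table unless the rule carries route-lookup; an egress of "any" always routes), and the addresses, routing table and the Windows_Servers object are constructed.

```python
"""Toy model of ASA twice-NAT egress selection (added example, not from the thread).

Simplifying assumptions (this is a model, not the real ASA forwarding logic):
- a static twice-NAT rule is bidirectional: the reverse direction matches packets
  arriving on the rule's mapped interface, sourced from the rule's destination object,
  and sends them toward the rule's real interface;
- if a matched rule yields a named egress interface, that interface is used unless the
  rule has route-lookup; an egress of "any" falls back to the routing table.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample topology (addresses are made up for the example).
ROUTES = [
    (ip_network("10.10.10.0/24"), "inside"),
    (ip_network("172.16.1.0/24"), "DMZ"),
    (ip_network("0.0.0.0/0"), "outside"),
]
OBJECTS = {
    "any": [ip_network("0.0.0.0/0")],
    "Windows_Servers": [ip_network("10.10.10.0/24")],  # assumed object contents
}


def in_object(addr, name):
    """True if addr falls inside any network of the named object."""
    return any(ip_address(addr) in net for net in OBJECTS[name])


def route_lookup(dst):
    """Longest-prefix match over the constructed routing table."""
    candidates = [r for r in ROUTES if ip_address(dst) in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


@dataclass
class NatRule:
    real_ifc: str
    mapped_ifc: str
    src: str            # identity NAT: real and mapped objects are the same
    dst: str
    route_lookup: bool = False

    def egress(self, ingress, src, dst):
        """Return the egress interface this rule implies, or None if no match."""
        # Forward direction: real interface -> mapped interface.
        if self.real_ifc in (ingress, "any") and in_object(src, self.src) \
                and in_object(dst, self.dst):
            return self.mapped_ifc
        # Reverse direction: traffic from the rule's destination object arriving on
        # the mapped side ("any" includes inside) is pushed toward the real interface.
        if self.mapped_ifc in (ingress, "any") and in_object(src, self.dst) \
                and in_object(dst, self.src):
            return self.real_ifc
        return None


def choose_egress(rules, ingress, src, dst):
    """First matching NAT rule decides the egress unless it defers to routing."""
    for rule in rules:
        ifc = rule.egress(ingress, src, dst)
        if ifc is None:
            continue
        if ifc == "any" or rule.route_lookup:
            return route_lookup(dst)
        return ifc
    return route_lookup(dst)


# The thread's rule, the same rule with route-lookup, and the split-out variant.
PROBLEM_RULE = [NatRule("inside", "any", "any", "Windows_Servers")]
WITH_LOOKUP = [NatRule("inside", "any", "any", "Windows_Servers", route_lookup=True)]
SPLIT_RULES = [NatRule("inside", ifc, "any", "Windows_Servers", route_lookup=True)
               for ifc in ("outside", "DMZ", "inside")]


def demo():
    """A Windows server (10.10.10.5) sends to an Internet host (198.51.100.10)."""
    pkt = ("inside", "10.10.10.5", "198.51.100.10")
    return {
        "inside_any_no_lookup": choose_egress(PROBLEM_RULE, *pkt),
        "inside_any_route_lookup": choose_egress(WITH_LOOKUP, *pkt),
        "split_rules_route_lookup": choose_egress(SPLIT_RULES, *pkt),
        # A DMZ host matches no rule at all, so routing alone decides.
        "unrelated_host": choose_egress(PROBLEM_RULE, "DMZ", "172.16.1.5", "198.51.100.10"),
    }


if __name__ == "__main__":
    for case, ifc in demo().items():
        print(f"{case}: egress {ifc}")
```

Under this model the packet from the Windows server never matches the rule forwards (its destination is not in Windows_Servers), but it does match the reverse direction, whose egress is the rule's real interface "inside", which reproduces the symptom; adding route-lookup, or using named interfaces plus route-lookup, lets the routing table pick "outside" instead.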