Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
295
Views
0
Helpful
4
Replies

Unable to ping Internet from host behind ASA

Go to solution
mahesh18
Level 6
Level 6

‎02-09-2014 09:48 AM - edited ‎03-11-2019 08:43 PM

Hi Everyone,

I have config site to site VPN tunnel at home lab.

Setup is below

R1  ----ASA1 ----R2-----R3----ASA2------R4

                                      |

                                      |

                                      R5---------------ISP

From R1 i can ping the IP of R5 but not able to ping the internet address.

Seems this is because i have no nat config for traffic between the site to site VPN for inside interface.

My problem is when i config dynamic NAT for inside network subnet of ASA1 --10.0.0.0/24 then i can not ping across the tunnel from R1 to R4.

ASA1  inside network is 10.0.0.0/24

ASA2  inside network 10.2.0.0/24

R1 IP  10.0.0.2

R4 IP 10.2.0.2

Is there any NAT config i can do that allow ping from R1 to internet and also R1 is able to ping R4 IP 10.2.0.2?

Regards

Mahesh

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎02-09-2014 09:54 AM

Hi Mahesh,

For L2L VPN and Client VPN you would typically have a NAT0 configuration at both ASAs that would tell them not to NAT the packets between the LAN networks. You could have the normal Dynamic PAT configuration for any traffic from those networks to the external networks. Since configuring Dynamic PAT for your LAN network causes problems with the L2L VPN connection it means that you have not configured NAT0 proprely or at all.

These would be basic NAT configurations that could be configured on the ASAs if they only have the single LAN network and need NAT0 and Dynamic PAT

ASA1

object-group network LAN

network-object 10.0.0.0 255.255.255.0

object network REMOTE-LAN

subnet 10.2.0.0 255.255.255.0

nat (inside,outside) 1 source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

nat (inside,outside) after-auto source dynamic LAN interface

ASA2

object-group network LAN

network-object 10.2.0.0 255.255.255.0

object network REMOTE-LAN

subnet 10.0.0.0 255.255.255.0

nat (inside,outside) 1 source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

nat (inside,outside) after-auto source dynamic LAN interface

The above configuration would be the only thing needed for NAT0 for the L2L VPN and Dynamic PAT from the network behind the ASA to any external network.

Hope this helps

- Jouni

View solution in original post

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎02-09-2014 10:54 AM

Hi,

You didnt have the configuration the way I mentioned it

If you add the Dynamic PAT configuration as Section 1 Manual NAT and also mention the line number "1" then it naturally overrides the NAT0 configuration for the L2L VPN.  If you issued "show run nat" you would see that the Dynamic PAT was now before the NAT0.

I originally suggested configuring the Dynamic PAT as Section 3 Manual NAT so it wont interfere with the NAT0 configuration.

So your above Dynamic PAT should be configured as

nat (inside,outside) after-auto source dynamic NETWORK_OBJ_10.0.0.0_24 interface

The key there is that it has the parameter "after-auto" configured there which makes it a Section 3 Manual NAT. The "after-auto" refers to the rule being after the Auto NAT rules which are the NAT configuration that you configure under the "object" and are positioned in the Section 2 Auto NAT.

- Jouni

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎02-09-2014 09:54 AM

Hi Mahesh,

For L2L VPN and Client VPN you would typically have a NAT0 configuration at both ASAs that would tell them not to NAT the packets between the LAN networks. You could have the normal Dynamic PAT configuration for any traffic from those networks to the external networks. Since configuring Dynamic PAT for your LAN network causes problems with the L2L VPN connection it means that you have not configured NAT0 proprely or at all.

These would be basic NAT configurations that could be configured on the ASAs if they only have the single LAN network and need NAT0 and Dynamic PAT

ASA1

object-group network LAN

network-object 10.0.0.0 255.255.255.0

object network REMOTE-LAN

subnet 10.2.0.0 255.255.255.0

nat (inside,outside) 1 source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

nat (inside,outside) after-auto source dynamic LAN interface

ASA2

object-group network LAN

network-object 10.2.0.0 255.255.255.0

object network REMOTE-LAN

subnet 10.0.0.0 255.255.255.0

nat (inside,outside) 1 source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

nat (inside,outside) after-auto source dynamic LAN interface

The above configuration would be the only thing needed for NAT0 for the L2L VPN and Dynamic PAT from the network behind the ASA to any external network.

Hope this helps

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎02-09-2014 10:49 AM

Hi Jouni,

ASA1 had this NAT for Site to Site VPN

nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 destination static NETWORK_OBJ_10.2.0.0_24 NETWORK_OBJ_10.2.0.0_24 no-proxy-arp route-lookup

When i added the below NAT so that i can ping the internet

      nat (inside,outside) 1 source dynamic NETWORK_OBJ_10.0.0.0_24 interface

After this Ping was not working between host R1 and R4 but was working from R1 to any internet site.

Can you please tell me why  ping between VPN hosts was not working?

Is this due to NAT order of operation?

nat (inside,outside) after-auto source dynamic LAN interface

Regards

MAhesh

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎02-09-2014 10:54 AM

Hi,

You didnt have the configuration the way I mentioned it

If you add the Dynamic PAT configuration as Section 1 Manual NAT and also mention the line number "1" then it naturally overrides the NAT0 configuration for the L2L VPN.  If you issued "show run nat" you would see that the Dynamic PAT was now before the NAT0.

I originally suggested configuring the Dynamic PAT as Section 3 Manual NAT so it wont interfere with the NAT0 configuration.

So your above Dynamic PAT should be configured as

nat (inside,outside) after-auto source dynamic NETWORK_OBJ_10.0.0.0_24 interface

The key there is that it has the parameter "after-auto" configured there which makes it a Section 3 Manual NAT. The "after-auto" refers to the rule being after the Auto NAT rules which are the NAT configuration that you configure under the "object" and are positioned in the Section 2 Auto NAT.

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎02-09-2014 11:06 AM

Hi Jouni,

Sorry for confusion.

Earlier post was what i did yesterday.

I did not make any changes as you said in your first post.

I was curious to know why my Ping did not work.

Now i will do the changes as you said and it should work.

Best Regards

MAhesh

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card