Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA Can perform 'policy NAT' but VPNs not work

Hello,

I've got a tough one, so any help would be greatly appreciated.

I'm implementing a new network for hosting customers. Each new customer will have their own public routable subnet.

The ASA5525X firewall needs to have multiple default static routes to the Internet via each public next hop IP address

           

route hostcust01-outside   0.0.0.0 0.0.0.0    195.119.10.14   1

route hostcust02-outside   0.0.0.0 0.0.0.0    195.119.10.22   2    (I've hidden the real IP addresses)

ah the ASA doesn't support policy based routing I hear you say, but it does if these NAT statements are added

object network hostcust01-outside-PAT

host 195.119.10.13

object network hostcust01-outside-PAT

host 195.119.10.21

object network hostcust01-inside

subnet 10.1.201.0 255.255.255.0

object network hostcust02-inside

subnet 10.1.202.0 255.255.255.0

nat (hostcust01-outside,hostcust01-inside) after-auto source static any any destination static hostcust01-outside-PAT hostcust01-inside

nat (hostcust02-outside,hostcust02-inside) after-auto source static any any destination static hostcust02-outside-PAT hostcust02-inside

This works very well, packets from 10.1.201.x egress via host01-outside interface , and packets from 10.1.202.X egress using host02-outside interface

It performs a kind of inverse NAT translation, outside,inside, to ensure the correct egress interface is used in the NAT table and overrides any route lookup (I think)

The problem comes when adding a VPN identify NAT

nat (hostcust02-inside,hostcust02-outside) source static host-cust02-inside  host-cust02-inside destination static remote_192.168.101.0_24 remote_192.168.101.0_24 no-proxy-arp route-lookup

This VPN identity NAT is higher in the list than the other after-autos but the ASA doesn't want to use it, instead uses that other NAT

Packet tracer shows this

NGD-HE-FW1# packet-tracer input hostcust02-inside icmp 10.1.202.10 1 8 192.168.101.10 detail

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (hostcust02-outside,hostcust02-inside) after-auto source static any any destination static hostcust02-outside-PAT hostcust02-inside-nets

Additional Information:

NAT divert to egress interface hostcust02-outside

Untranslate 192.168.101.10/0 to 192.168.101.10/0

(CAN I STOP IT USING THIS NAT EVEN THOUGH ITS THE LOWEST ONE IN THE NAT LIST  ???)

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group hostcust02-inside in interface hostcust02-inside

access-list hostcust02-inside extended permit ip any any

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7fff379c9ed0, priority=13, domain=permit, deny=false

        hits=3390, user_data=0x7fff2fee9d80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=hostcust02-inside, output_ifc=any

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7fff379e64d0, priority=0, domain=inspect-ip-options, deny=true

        hits=3429, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=hostcust02-inside, output_ifc=any

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7fff379e5ef0, priority=66, domain=inspect-icmp-error, deny=false

        hits=1557, user_data=0x7fff379b6db0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0

        input_ifc=hostcust02-inside, output_ifc=any

Phase: 5

Type: DEBUG-ICMP

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7fff3813f510, priority=13, domain=debug-icmp-trace, deny=false

        hits=1557, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0

        input_ifc=hostcust02-inside, output_ifc=any

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (hostcust02-inside,hostcust02-outside) source static host-cust02-internal-10.1.202.0 host-cust02-internal-10.1.202.0 destination static cust-02-remote01_192.168.101.0_24 cust-02-remote01_192.168.101.0_24 no-proxy-arp route-lookup

Additional Information:

Static translate 10.1.202.10/0 to 195.119.10.13/0                               ........................(PAT USED BUT NOT WANTED FOR VPN)

Forward Flow based lookup yields rule:

in  id=0x7fff388b7230, priority=6, domain=nat, deny=false

        hits=1, user_data=0x7fff38001e20, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=10.1.202.0, mask=255.255.255.0, port=0

        dst ip/id=192.168.101.0, mask=255.255.255.0, port=0, dscp=0x0

        input_ifc=hostcust02-inside, output_ifc=hostcust02-outside

Phase: 7

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (hostcust02-outside,hostcust02-inside) after-auto source static any any destination static hostcust02-outside-PAT hostcust02-inside-nets

Additional Information:

Forward Flow based lookup yields rule:

out id=0x7fff37925ce0, priority=6, domain=nat-reverse, deny=false

        hits=12, user_data=0x7fff3841fc00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=10.1.202.0, mask=255.255.255.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=hostcust02-inside, output_ifc=hostcust02-outside

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 12124, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_dbg_icmp

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

Result:

input-interface: hostcust02-inside

input-status: up

input-line-status: up

output-interface: hostcust02-outside    ............  CORRECT INTERFACE USED BUT NO VPN TUNNEL OR EVEN CRYPTO ACL USED !!

output-status: up

output-line-status: up

Action: allow

Any ideas, I didn't design it, I'm only trying to get it to work.

Regards Tony

  • VPN
Everyone's tags (4)
17 REPLIES
Super Bronze

ASA Can perform 'policy NAT' but VPNs not work

Hi,

There was a similiar question on the Firewall section but was related to having 3 ISP links and forwarding different LAN networks out different ISPs.

So to copy/paste some of the things I posted there then I guess you could try changing the existing NAT configurations a bit and seeing if that changes how the configurations match.

object network ANY-0.0.0.0-1

subnet 0.0.0.0 128.0.0.0

object network ANY-128.0.0.0-1

subnet 128.0.0.0 128.0.0.0

object-group network ALL

network-object object ANY-0.0.0.0-1

network-object object ANY-128.0.0.0-1

nat (hostcust01-inside,hostcust01-outside) after-auto source dynamic hostcust01-inside hostcust01-outside-PAT destination static ALL ALL

nat (hostcust02-inside,hostcust02-outside) after-auto source dynamic  hostcust02-inside hostcust02-outside-PAT destination static ALL ALL

And use the same NAT0 configuration for VPN.

I am not sure if your current environment is in production use yet. The above configuration essentially says that any traffic from those source networks will get Dynamic PAT to the specified public IP address and forwarded through the specified external interface no matter what the destination IP address is. Higher priority NAT configurations should override these though.

The discussion I just posted can be found here:

https://supportforums.cisco.com/thread/2264406?tstart=0

- Jouni

New Member

ASA Can perform 'policy NAT' but VPNs not work

Hi Jouni,

Many thanks for the speedy reply, alas I had initially tried this method but it conflicted with whatever IP addresses I used for the LAN failover interfaces, when deploying active/standby ASAs

It displays an error saying   "NAT policy clashed with 1.1.1.1 on failover interface, and can not be downloaded", or something. I guess its related to the ALL object.

I think the guys who did this were not using an HA pair

Thanks though, much appreciated

Regards Tony

Super Bronze

ASA Can perform 'policy NAT' but VPNs not work

Hi,

I have actually not tried this with a Failover pair. Good to know of this limitation. Or I am not sure if its good thing but atleast I know it now

I am not sure I can see any way around the problem with the Failover at the moment. Especially when you cant exclude a network in the configuration which in some cases (to my understanding) was possible with the old NAT format using ACLs.

- Jouni

New Member

ASA Can perform 'policy NAT' but VPNs not work

Yes, thanks again Jouni

I tried policy NAT and changing the source address so they were out of the inside range, if you follow, but that didn't work either.

I may open  TAC and see if they have any ideas.

I can see the customer getting annoyed if he can't offer VPN capability to his hosted customers!!!!

Cheers Tony

Super Bronze

ASA Can perform 'policy NAT' but VPNs not work

Hmm,

I wonder why the ASA doesnt accept this. I am not sure why the Failover link would be an issue as to my understanding that is "from the box" and "to the box" traffic.

Though I was thinking and was wondering if the following could be a solution.

As the Failover link not a network that any other device in the network needs to know about how about if you configure the Failover link as 1.0.0.1 255.255.255.252 for example

Then configure this

object-group network ALL

network-object 2.0.0.0 254.0.0.0

network-object 4.0.0.0 252.0.0.0

network-object 8.0.0.0 248.0.0.0

network-object 16.0.0.0 240.0.0.0

network-object 32.0.0.0 224.0.0.0

network-object 64.0.0.0 192.0.0.0

network-object 128.0.0.0 128.0.0.0

and use it in the NAT configurations.

Naturally could be even more specific to really narrow it down to EVERYTHING but the Failover link subnet.

Let me know if this makes any difference.

Hope this helps

- Jouni

New Member

ASA Can perform 'policy NAT' but VPNs not work

Good Morning Jouni (morning here in the UK, not sure where you are mate)

Thanks again for your input though

I tried adding the policy NAT you suggested but limited it to the customer 2 NAT only, as I need the customer 1 NAT untouched as this is my remote access in.

The NAT didn't work when I added it in, traffic defaulted to the first egress interface used for customer 1. :-/

The network is in semi-production, the hosted customer 2 being a little tolerant of the odd outage. 

So I'm back to this, which works for general Internet 'policy' NAT but not identity NAT (nonat for VPN)

nat (hostcust01-outside,hostcust01-inside) after-auto source static any any destination static hostcust01-outside-PAT hostcust01-inside

nat (hostcust02-outside,hostcust02-inside) after-auto source static any any destination static hostcust02-outside-PAT hostcust02-inside

BTW - for info, I'm using IOS 8.6.(1).2  I found version 9.1 did not support it at all !!

Cheers Tony

Super Bronze

Re: ASA Can perform 'policy NAT' but VPNs not work

Hi,

So you are using one of the first software levels for the new ASA5500-X series. Don't really have much expirience of its behaviour since we have several ASA5585-X which were released before the new ASA5500-X Series so they are running the latest 8.4 software levels.

I have also only used 9.x series software only for personal testing purposes. Mainly to answer questions here.

There has been some bugs related to the NAT where the ASA simply doesnt follow the NAT order at all.

I decided to do a quick test on my home ASA5505 running 8.4(5)

What I noticed is that for some reason unknown to me if I configured the Dynamic PAT for the specific external interface with the "object-group network ALL" in Section 3 Manual NAT it simply would not follow the NAT configuration at all. It for example didnt match the destination address UN-NAT that it should do but actually decided to follow the routing table.

I just decided to move the rule to Section 1 Manual NAT and the behaviour changed.

To my understanding the only difference with Section 1 and Section 3 Manual NAT is just that the matching order is different but the operation otherwise the same. This seems to indicate something else or perhaps a bug.

So my very simple home ASA NAT configuration at the monent

object network LAN

subnet 10.0.0.0 255.255.255.0

object network VPN-POOL

subnet 10.0.1.0 255.255.255.0

object network HOST

host 10.0.0.123

object-group network ALL

network-object 2.0.0.0 254.0.0.0

network-object 4.0.0.0 252.0.0.0

network-object 8.0.0.0 248.0.0.0

network-object 16.0.0.0 240.0.0.0

network-object 32.0.0.0 224.0.0.0

network-object 64.0.0.0 192.0.0.0

network-object 128.0.0.0 128.0.0.0

object-group network LAN-NETWORK

network-object 10.0.0.0 255.255.255.0

Lets first look at the NAT configuration I had originally to match yours. Not completely though as I have configure the NAT from LAN to WAN rather than WAN to LAN which might have some effect also on the behaviour.

nat (LAN,WAN) source static LAN LAN destination static VPN-POOL VPN-POOL

!

nat (LAN,WLAN) after-auto source dynamic HOST interface destination static ALL ALL

nat (any,WAN) after-auto source dynamic LAN-NETWORK interface

As you can see I have the NAT configuration for VPN Client first and then I have the special NAT configuration though for testing purposes I simply try to divert single hosts all traffic towards my WLAN interface while it could as well be some other WAN interface.

Now if I run a "packet-tracer" with the source address of HOST and destination to 8.8.8.8 for example this happens

ASA(config)# packet-tracer input LAN tcp 10.0.0.123 12345 8.8.8.8 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         WAN

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (any,WAN) after-auto source dynamic LAN-NETWORK interface

Additional Information:

Dynamic translate 10.0.0.123/12345 to x.x.x.x/12345

So as you can see no UN-NAT Phase, just a route lookup and translation matches to the default Dynamic PAT I have configured even though the NAT configuration is clearly first in Section 3

Now I change the NAT configuration

nat (LAN,WAN) source static LAN LAN destination static VPN-POOL VPN-POOL

nat (LAN,WLAN) source dynamic HOST interface destination static ALL ALL

!

nat (any,WAN) after-auto source dynamic LAN-NETWORK interface

Now again the same "packet-tracer" test

ASA(config)# packet-tracer input LAN tcp 10.0.0.123 12345 8.8.8.8 80

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WLAN) source dynamic HOST interface destination static ALL ALL

Additional Information:

NAT divert to egress interface WLAN

Untranslate 8.8.8.8/80 to 8.8.8.8/80

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WLAN) source dynamic HOST interface destination static ALL ALL

Additional Information:

Dynamic translate 10.0.0.123/12345 to 10.0.255.1/12345

As you can see the test first matches the NAT for the destination address. It eventually reaches also the translation for the Dynamic PAT (that in this case translates to my WLAN interface IP address)

If I finally also test the VPN NAT configuration it seems to match just fine before the above NAT configuration just like its supposed to as its at the top

ASA(config)# packet-tracer input LAN tcp 10.0.0.123 12345 10.0.1.100 80

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN) source static LAN LAN destination static VPN-POOL VPN-POOL

Additional Information:

NAT divert to egress interface WAN

Untranslate 10.0.1.100/80 to 10.0.1.100/80

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN) source static LAN LAN destination static VPN-POOL VPN-POOL

Additional Information:

Static translate 10.0.0.123/12345 to 10.0.0.123/12345

Hope this helps

EDIT: I am from Finland so its around 2hours ahead of your time.

- Jouni

New Member

ASA Can perform 'policy NAT' but VPNs not work

HI Jouni,

wow - you're fast with you configuration!

I think I follow you but one of my main problems seesms to be that the firewall will not conform to this rule

nat (LAN,WLAN) source dynamic HOST interface destination static ALL ALL

(or my variation of it)

using this method results in the FW using the first route out cust 1's external, not customer 2

I think I might downgrade the IOS to 8.4.2 to see if that helps

Many thanks though, much apprecaited

Regards Tony

Super Bronze

Re: ASA Can perform 'policy NAT' but VPNs not work

Hi,

For the new ASA5500-X Series (excluding ASA5585-X models) the lowest software level is 8.6 so you wont be able to downgrade to 8.4(2) and I would NOT suggest that software as there were some changes with regards to the NAT and ARP.

Here is link to the Compatability matrix

http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html#wp42231

Would it be possible to see your NAT/Interface/Routing configurations? Naturally could share them through Private message or something if you dont want to post something here. Would be interested to test this out.

I do have a ASA5515-X at home so might be able to test with exactly same software level also.

- Jouni

692
Views
35
Helpful
17
Replies
This widget could not be displayed.