10-16-2013 03:24 AM
Hey
Running an ASA5555-X with asa=9.1(3).
Before the upgrade I used two interfaces for L2L tunnels. One called "Telenor", the other one called "VPN". After the upgrade the ASA refuses to follow the NAT statements and sends all traffic to the interface telenor, even if the NAT is in place for the other interface.
The latest ASDM 7.1(4) has a new exempt function on the tunnel manager sheet. When I use this and select VPN as the interface, and then look at the command being sent, it has changed VPN and replaced it with Telenor. I just can't understand why.
The VPN interface has been deleted and created from scratch several times.
1. nat (intern,telenor) source static visma-nett visma-nett destination static vpn-modum vpn-modum no-proxy-arp
2. nat (intern,telenor) source static visma-nett visma-nett destination static vpn-hole vpn-hole no-proxy-arp
3. nat (internad,telenor) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static DM_INLINE_NETWORK_9 M_INLINE_NETWORK_9 no-proxy-arp
4. nat (dmz,intern) source static viendmz01 viendmz01 destination static visma-nett visma-nett no-proxy-arp
5. nat (telenor,dmz) source static any any destination static viendmz01-nat-telenor viendmz01 no-proxy-arp
6. nat (telenor,dmz) source static any any destination static cacti-nat cacti no-proxy-arp
7. nat (vpn-client,vpn) source static vpn-client vpn-client destination static hovdc01 hovdc01 no-proxy-arp
8. nat (vpn-client,telenor) source dynamic vpn-client interface
9. nat (dmz,telenor) source dynamic dmz-network interface
10. nat (intern,telenor) source dynamic intern-network interface
Line 7 is ignored by the ASA as if it did not exist. I have tried all things I can think of in the last two weeks. Can anyone help me? Thanks
Regards J.
10-16-2013 05:56 AM
For me it looks like the ASA is looking at the routing table and ignoring the NAT statement. And since this is a directly connected network I'm screwed.
10-16-2013 05:57 AM
Hi,
Just to clarify, is the Line 7 NAT rule the only NAT configuration that you even need for the "vpn" interface?
If this is true can you get a "packet-tracer" command output for us that matches the subnets/addresses configured under the objects in the "nat" configurations
packet-tracer input vpn-client tcp
Then share the output with us just so we can confirm what actual rules the traffic matches.
I wouldn't rule out the possibility of a bug since you are using a very new software level. The solution might even be to downgrade to a bit lower 9.1(x) software, but let's take the outputs first.
There have been a few bugs earlier that have basically ignored Manual NAT configurations for no obvious reason. Sometimes everything that has been needed has been a reboot of the firewall, sometimes it's creating the VPN with new objects (in case you were reusing some objects from other configurations).
- Jouni
10-16-2013 06:27 AM
I agree this is a bug, I think I'm going back to the previous firmware. When initiating the traffic from the ASA on the other side of the L2L, the NAT rule starts to count packets. Both the objects and interfaces have been recreated. See packet-tracer below:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 telenor
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group vpn-client_access_in in interface vpn-client
access-list vpn-client_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe57fafeb0, priority=13, domain=permit, deny=false
hits=392, user_data=0x7ffe4d640700, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=vpn-client, output_ifc=any
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5606baa0, priority=1, domain=nat-per-session, deny=true
hits=255607, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe59ac1f20, priority=0, domain=inspect-ip-options, deny=true
hits=6195, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=vpn-client, output_ifc=any
Phase: 5
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ffe57c03710, priority=51, domain=ids, deny=false
hits=100223, user_data=0x7ffe5777e950, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=telenor
Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ffe572db870, priority=13, domain=dynamic-filter, deny=false
hits=1496485, user_data=0x7ffe572da5f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=telenor
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ffe5606baa0, priority=1, domain=nat-per-session, deny=true
hits=255609, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ffe562d8f30, priority=0, domain=inspect-ip-options, deny=true
hits=1487946, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=telenor, output_ifc=any
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2577077, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: vpn-client
input-status: up
input-line-status: up
output-interface: telenor
output-status: up
output-line-status: up
Action: allow
10-16-2013 06:39 AM
Hi,
What do you mean with the directly connected network? Which network is directly connected?
If the destination network was directly connected, then wouldn't the route lookup work just fine?
But it's my understanding that the default behaviour for your NAT configuration for the "vpn" interface should result first in a UN-NAT phase for the destination network, which would choose the egress interface.
But we are not seeing any NAT configuration being matched in the above output.
- Jouni
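The diagnostic Jouni describes (a matched manual NAT rule shows up as a UN-NAT phase whose Config carries the nat statement, and that phase picks the egress interface; the trace above only shows ROUTE-LOOKUP and the per-session NAT rule) can be turned into a quick check over packet-tracer output. The parser below is an added example, not code from this thread or from Cisco: it splits the output into phases, lists any nat statements that were actually matched, reads the final output-interface, and compares that against the interface the NAT rule is supposed to divert to. Both traces embedded in it are constructed, shortened copies of what such output looks like; the "good" one assumes a hit on the thread's line 7 rule and is not output the poster shared.

```python
"""Check Cisco ASA packet-tracer output for a matched NAT rule and the
egress interface it produced.

Added example for this thread, not the poster's or Cisco's code.  Both
traces below are constructed samples, not captured output.
"""
import re

# Constructed sample modelled on the trace posted above: no UN-NAT phase,
# the NAT phase is only the per-session rule, and the route lookup picks
# "telenor" even though a nat (vpn-client,vpn) rule exists.
TRACE_BROKEN = """Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 telenor
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1, priority=1, domain=nat-per-session, deny=true
Result:
input-interface: vpn-client
input-status: up
input-line-status: up
output-interface: telenor
output-status: up
output-line-status: up
Action: allow
"""

# Constructed sample of the expected behaviour: the manual NAT rule is hit
# in a UN-NAT phase and the egress interface ("vpn") comes from that rule.
TRACE_GOOD = """Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (vpn-client,vpn) source static vpn-client vpn-client destination static hovdc01 hovdc01 no-proxy-arp
Additional Information:
NAT divert to egress interface vpn
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Result:
input-interface: vpn-client
input-status: up
input-line-status: up
output-interface: vpn
output-status: up
output-line-status: up
Action: allow
"""


def parse_phases(trace):
    """Return one dict per 'Phase:' block with its Type, Subtype, Result and
    the non-empty lines listed under 'Config:'."""
    phases, current, section = [], None, None
    for line in trace.splitlines():
        s = line.strip()
        if s.startswith("Phase:"):
            current = {"phase": int(s.split(":", 1)[1]), "type": "",
                       "subtype": "", "result": "", "config": []}
            phases.append(current)
            section = None
        elif current is None:
            continue
        elif s.startswith("Type:"):
            current["type"] = s[len("Type:"):].strip()
        elif s.startswith("Subtype:"):
            current["subtype"] = s[len("Subtype:"):].strip()
        elif s.startswith("Result:"):
            value = s[len("Result:"):].strip()
            if value:
                current["result"] = value
            else:
                current = None  # bare "Result:" opens the final summary block
        elif s == "Config:":
            section = "config"
        elif s.startswith("Additional Information:"):
            section = "info"
        elif section == "config" and s:
            current["config"].append(s)
    return phases


def matched_nat_rules(trace):
    """nat statements that appear under Config: of NAT or UN-NAT phases,
    i.e. the manual NAT rules the packet really matched."""
    rules = []
    for p in parse_phases(trace):
        if p["type"] in ("NAT", "UN-NAT"):
            rules.extend(c for c in p["config"] if c.startswith("nat "))
    return rules


def egress_interface(trace):
    """The output-interface named in the final Result block, or None."""
    m = re.search(r"^output-interface:\s*(\S+)", trace, re.MULTILINE)
    return m.group(1) if m else None


def check_trace(trace, expected_egress):
    """Summarise whether a NAT rule was hit and whether egress matches the
    interface the NAT rule was meant to divert to."""
    rules = matched_nat_rules(trace)
    egress = egress_interface(trace)
    return {"nat_rule_matched": bool(rules), "rules": rules,
            "egress": egress, "egress_as_expected": egress == expected_egress}


if __name__ == "__main__":
    for name, trace in (("broken", TRACE_BROKEN), ("good", TRACE_GOOD)):
        print(name, check_trace(trace, "vpn"))
```

Run it against real packet-tracer output by pasting the text into a file and calling check_trace(open(path).read(), "vpn"); a result with nat_rule_matched False and egress_as_expected False is exactly the symptom this thread describes, and is worth capturing before and after a software change.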
10-16-2013 06:45 AM
nat (vpn-client,vpnL2L) source static vpn-client vpn-client destination static laerer-hov laerer-hov no-proxy-arp
interface vpn-client = 10.0.122.0/23
interface vpnL2L = 10.0.120.0/24
laerer-hov = 10.48.4.10
I'm running a trace from 10.0.122.20 to 10.48.4.10; the ASA ignores the statement above when running the trace. Also, if I use the new exempt function on the VPN manager sheet, it changes the vpn interface to telenor when I commit the command. It worked superbly before the upgrade.
10-16-2013 11:01 AM
I have downgraded from version 9.1(3) to 9.1(2) and everything works fine. So keep away from 9.1(3) on the ASA 5555-X.
10-16-2013 11:13 AM
Hi,
Thanks for the information. I think this has happened in some other versions too.
I have personally stayed with the 8.4(x) softwares still.
Please do remember to mark a reply as the correct answer if you feel that it answered your question, or rate helpful answers.
- Jouni
10-16-2013 12:32 PM
It seems like the 9.1(2) firmware is working as it should, but my config on the unit is still very basic, so things can pop up.
Still, I'm a little surprised by a bug like this, especially since it's been a problem in the past.
Sent from Cisco Technical Support iPhone App