ASA5555-X NAT & VPN problem

Hey

Running an ASA5555-X with ASA 9.1(3).

Before the upgrade I used two interfaces for L2L tunnels. One called "Telenor", the other one called "VPN". After the upgrade the ASA refuses to follow the NAT statements and sends all traffic to the interface Telenor, even if the NAT is in place for the other interface.

The latest ASDM 7.1(4) has a new exempt function on the tunnel manager sheet. When I use this and select VPN as the interface, and then look at the command being sent, it has changed VPN and replaced it with Telenor. I just can't understand why.

The VPN interface has been deleted and created from scratch several times.

1. nat (intern,telenor) source static visma-nett visma-nett destination static vpn-modum vpn-modum no-proxy-arp

2. nat (intern,telenor) source static visma-nett visma-nett destination static vpn-hole vpn-hole no-proxy-arp

3. nat (internad,telenor) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 no-proxy-arp

4. nat (dmz,intern) source static viendmz01 viendmz01 destination static visma-nett visma-nett no-proxy-arp

5. nat (telenor,dmz) source static any any destination static viendmz01-nat-telenor viendmz01 no-proxy-arp

6. nat (telenor,dmz) source static any any destination static cacti-nat cacti no-proxy-arp

7. nat (vpn-client,vpn) source static vpn-client vpn-client destination static hovdc01 hovdc01 no-proxy-arp

8. nat (vpn-client,telenor) source dynamic vpn-client interface

9. nat (dmz,telenor) source dynamic dmz-network interface

10. nat (intern,telenor) source dynamic intern-network interface

Line 7 is ignored by the ASA as if it did not exist. I have tried all the things I can think of in the last two weeks. Can anyone help me? Thanks

Regards J.

Please rate as helpful, if that would be the case. Thanx

For me it looks like the ASA is looking at the routing table and ignoring the NAT statement. And since this is a directly connected network I'm screwed.


Jouni Forss
VIP Alumni

Hi,

Just to clarify, is the Line 7 NAT rule the only NAT configuration that you even need for the "vpn" interface?

If this is true, can you get a "packet-tracer" command output for us that matches the subnets/addresses configured under the objects in the "nat" configurations?

packet-tracer input vpn-client tcp 12345

Then share the output with us just so we can confirm what actual rules the traffic matches.

I wouldn't rule out the possibility of a bug since you are using a very new software level. The solution might even be to downgrade to a bit lower 9.1(x) software, but let's take the outputs first.

There have been a few bugs earlier that have basically ignored Manual NAT configurations for no obvious reason. Sometimes everything that has been needed has been a reboot of the firewall, sometimes it's creating the VPN with new objects (in case you were reusing some objects from other configurations).

- Jouni

I agree this is a bug, think I'm going back to the previous firmware. When initiating the traffic from the ASA on the other side of the L2L the NAT rule starts to count packets. Both the objects and interfaces have been recreated. See packet-tracer below:

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         telenor

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group vpn-client_access_in in interface vpn-client

access-list vpn-client_access_in extended permit ip any any

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7ffe57fafeb0, priority=13, domain=permit, deny=false

        hits=392, user_data=0x7ffe4d640700, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=vpn-client, output_ifc=any

Phase: 3

Type: NAT    

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7ffe5606baa0, priority=1, domain=nat-per-session, deny=true

        hits=255607, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=any, output_ifc=any

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7ffe59ac1f20, priority=0, domain=inspect-ip-options, deny=true

        hits=6195, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=vpn-client, output_ifc=any

Phase: 5

Type: IDS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0x7ffe57c03710, priority=51, domain=ids, deny=false

        hits=100223, user_data=0x7ffe5777e950, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=any, output_ifc=telenor

Phase: 6

Type:

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0x7ffe572db870, priority=13, domain=dynamic-filter, deny=false

        hits=1496485, user_data=0x7ffe572da5f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=any, output_ifc=telenor

Phase: 7

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0x7ffe5606baa0, priority=1, domain=nat-per-session, deny=true

        hits=255609, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=any, output_ifc=any

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0x7ffe562d8f30, priority=0, domain=inspect-ip-options, deny=true

        hits=1487946, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

        input_ifc=telenor, output_ifc=any

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 2577077, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_ids

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_tcp_normalizer

snp_ids

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: vpn-client

input-status: up

input-line-status: up

output-interface: telenor

output-status: up

output-line-status: up

Action: allow


Hi,

What do you mean with the directly connected network? Which network is directly connected?

If the destination network was directly connected, then wouldn't the route lookup work just fine?

But it's my understanding that the default behaviour for your NAT configuration for the "vpn" interface should result first in an UN-NAT phase for the destination network, which would choose the egress interface.

But we are not seeing any NAT configuration being matched in the above output.

- Jouni
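As an added illustration (not code from the thread or from Cisco), a small Python parser for packet-tracer output that applies the check Jouni describes: does any NAT or UN-NAT phase carry a nat statement in its Config, and does the chosen egress interface match the interface the identity rule names? The two traces are constructed and abridged to the shape of the output posted above; the UN-NAT phase type and the expected interface names are assumptions.

```python
import re

# Constructed, abridged trace shaped like the thread's: egress from ROUTE-LOOKUP, empty NAT Config.
BAD_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         telenor

Phase: 2
Type: NAT
Subtype: per-session
Config:
Additional Information:
in  id=0x1, priority=1, domain=nat-per-session, deny=true

Result:
input-interface: vpn-client
output-interface: telenor
"""

# Constructed healthy variant: the thread's identity rule appears as an UN-NAT phase and picks egress.
GOOD_TRACE = BAD_TRACE.replace("output-interface: telenor", "output-interface: vpnL2L").replace(
    "Type: NAT\nSubtype: per-session\nConfig:\n",
    "Type: UN-NAT\nSubtype: static\nConfig:\nnat (vpn-client,vpnL2L) source static "
    "vpn-client vpn-client destination static laerer-hov laerer-hov no-proxy-arp\n")

def field(chunk, key):
    """Value of a 'key: value' line inside one phase or the final Result section ('' if absent)."""
    m = re.search(rf"^{key}:[ \t]*(.*)$", chunk, re.M)
    return m.group(1).strip() if m else ""

def parse_phases(text):
    """Split a trace into phase dicts (type, subtype, Config lines) plus the final interfaces."""
    body, tail = re.split(r"^Result:[ \t]*$", text, maxsplit=1, flags=re.M)
    phases = []
    for chunk in re.split(r"^Phase:[ \t]*\d+[ \t]*$", body, flags=re.M)[1:]:
        cfg = re.search(r"^Config:\n(.*?)^Additional Information:", chunk, re.M | re.S)
        phases.append({"type": field(chunk, "Type"), "subtype": field(chunk, "Subtype"),
                       "config": cfg.group(1).strip().splitlines() if cfg else []})
    return phases, {k: field(tail, k) for k in ("input-interface", "output-interface")}

def diagnose(text, expected_egress):
    """Flag the thread's symptom: no nat statement matched in any phase, egress chosen by routing."""
    phases, result = parse_phases(text)
    nat_rules = [ln for p in phases if p["type"] in ("NAT", "UN-NAT") for ln in p["config"]]
    egress = result["output-interface"]
    verdict = "nat-bypassed" if not nat_rules else "wrong-egress" if egress != expected_egress else "ok"
    return {"egress": egress, "nat_rules": nat_rules, "verdict": verdict}
```

Run it over a pasted `packet-tracer` output with the interface the identity rule should select; "nat-bypassed" with egress "telenor" is exactly the pattern in the output above.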

nat (vpn-client,vpnL2L) source static vpn-client vpn-client destination static laerer-hov laerer-hov no-proxy-arp

interface vpn-client = 10.0.122.0/23

interface vpnL2L = 10.0.120.0/24

laerer-hov = 10.48.4.10

I'm running a trace from 10.0.122.20 to 10.48.4.10; the ASA ignores the statement above when running the trace. Also, if I use the new exempt function on the VPN manager sheet, it changes the VPN interface to Telenor when I commit the command. It worked superbly before the upgrade.


I have downgraded from version 9.1(3) to 9.1(2) and everything works fine. So keep away from 9.1(3) on the ASA 5555-X.


Hi,

Thanks for the information. I think this has happened in some other versions too.

I have personally stayed with the 8.4(x) software still.

Please do remember to mark a reply as the correct answer if you feel that it answered your question, or rate helpful answers.

- Jouni

It seems like the 9.1(2) firmware is working as it should, but my config on the unit is still very basic, so things can pop up.

Still, I'm a little surprised by a bug like this, especially since it's been a problem in the past.
