Solved: Re: ASA 8.3 NAT Issue - Page 2

Dan Jay · ‎12-09-2011

Dear all,

I'm at my wits end, perhaps someone can take a moment to look into this.

I want to NAT one ( ! ) single inside host on a different WAN/ ISP interface ( of which I have two ) .

The first one is a /29 - adressed static SDSL 2,3 MBit link, the 2nd one a 16MBit ADSL line with one static IP. Both interfaces are DIFFERENT carriers ( Versatel = ifname outside and Ecotel =ifname ecotel ).

( The SDSL line is used to NAT/PAT all other hosts except the one in question. )

( Inside Userland is 172.16.0.0/24 and 192.168.20.0/24. )

Both lines are firing on all cylinders, but I can't get any traffic through the ecotel ADSL interface from the client in question.

The SDSL line works as expected.

Routing is:

C 172.16.0.0 255.255.0.0 is directly connected, inside

S 192.168.20.0 255.255.255.0 [1/0] via 172.16.1.1, inside

C 213.138.48.24 255.255.255.252 is directly connected, outside

S* 0.0.0.0 0.0.0.0 [1/0] via 213.138.48.1, outside ( -> Versatel )

I added a 2nd default route with metric 2 pointing to the 2nd ISP, resulting in:

out 0.0.0.0 0.0.0.0 via [pppOE ServerIP according to debug output] , ecotel

interface Ethernet0/2

description Uplink Ecotel

nameif ecotel

security-level 0

pppoe client vpdn group ecotel

ip address pppoe

object network SC

host 192.168.20.4

description SC

object network SC

nat (inside,ecotel) dynamic interface dns

The packet tracer routes a simulated packet from the SC Object via inside to outside....

Can someone shed some light on this ?

JohnTylerPearce · ‎12-09-2011

Well, if you set the next-hop to the next hop on the eoctel line, the ASA should have a specific route for that network, and

should arp for the default-gateway on the other end, I would think...

Dan Jay · ‎12-12-2011

Hi John,

the scenario is as follows, the above picture was not complete because I thought things to be..ehm, easier.

192.168.20.0./24 -->[e.0/0] @ C2611XM [e0.1] 172.16.1.0/16 -> {---DMZ---} -> 172.16.1.111 [e0/0] ASA

[e0/1] ASA -> SDSL (versatel)

[e0/2] ASA -> ADSL (ecotel)

I've been toying around /w PBR a fair bit; before I put this live I'd like to confirm you that the following IOS code

on the 2611 will most probably work. It's production time right now and I cannot touch the interface config without users complaining.

ip access-list extended ecotel permit ip host 192.168.20.4 any ( defines which host is subject to PBR )

route-map ecotel permit 10

match ip address ecotel

set interface [e0/1] ( this is the one pointing inwards into the DMZ 172.16.... )

set ip next-hop A.A.A.A ( this is our fixed IP on the e0/2 on the ASA, not the default Gate, correct ? )

interface [e.0/0] ( to which the 192.168.20.4 host is directly connected ) finally runs this policy with ip policy route-map ecotel.

JohnTylerPearce · ‎12-12-2011

Is the vlan interface for 192.168.20.0/24 on the 2611XM?

Dan Jay · ‎12-12-2011

The 2611XM is in turn connected to a stack of 2950 switches, on one of them is a VLAN port group forming the DMZ. The 172.16... leg of the router is connected to this group while the 192.168.20.0/24 leg of the router is connected to a port which does not belong to this VLAN.

JohnTylerPearce · ‎12-12-2011

The above config seems fine Dan, I would put it on the vlan interface of the 192.168.20.0/24 network. Where ever it's

default gateway is, I would put the policy route on that router. Just make sure to do this off hours/maintenance window. Also, always keep backups that way you can easily revert back if it doesn't work or other problems appear.

Dan Jay · ‎12-12-2011

Thanks John,

I will try as soon as possible. From what I have read, the PBR ingress interface ( the one with the policy statement ) is ( mostly ) the default gate of the segment from where I want to reroute certain packets. Because the gate of 192.168.20.0 is .2 ( which is the 2611XM ) - let's see what the upshot is.....

Garry Cross · ‎12-12-2011

I have not read every single post but here is my opinion.

Somewhere you have in the config the following or something similar.

nat (inside,outside) dynamic interface

It is likely in section one of the nat table. If it is under the object nat section, I don't think you can reorder this section but I am not sure. Do some research on this. I think the basic problem is that the above is coming before the one you want to go to the ecotel interface. There is a section 3 of the nat table to force the above to come after the object nat.

PBR will not work from any device which is behind the device that is connected to the next hop you want to use. Don't waste your time with this. PBR only works when the next hop you want to use is directly connected to the device you are configuring PBR on.

Another way to do it might be to use PBR but direct the traffic to another inside interface on the ASA. Then nat from that interface to ecotel.

Cheers.

Dan Jay · ‎12-12-2011

Garry,

thanks for sharing your thoughts here. I've considered bringing another interface ( dedicated ecotel nat ) on the ASA to live as an option, too. From what I've experienced I really cannot order the NAT statements. The PBR device in question is located before the ASA, meaning that the ASA is directly connected to the 2611 because both live in the 172.16.... range.

Garry Cross · ‎12-12-2011

Section 1 can be ordered. They are order by the order in the config.

Section 2 is ordered by the ASA

Section 3 is ordered similar to section 1 but when adding a rule you can spedify a line #.

One more thing, In 8.4(2) and later they changed a bunch of stuff as well with regard to all this.

With PBR, on the 2611, your next hop can only ever be the ASA. I am not sure if you can even specify a non direct connected next hop. If you can it will look it up and route it to the correct next hop by using recursive lookup and resolve to the ASA and you will be no further ahead.

When I read the following in the 8.4/5 command reference it implies that the ASA by default uses the interface specified by the nat command as the egress interface. You can use route-lookup to overide this behavior. I really believe your problem is with the order of processing of your nat rules.

route-lookup

(Optional) For identity NAT in routed mode, determines the egress interface using a route lookup instead of using the interface specified in the NAT command. If you do not specify interfaces in the NAT command, a route lookup is used by default.

JohnTylerPearce · ‎12-12-2011

Thanks for the clarification on pbr garry.

Dan Jay · ‎12-12-2011

Thanks Garry.

What is your suggestion on what to do next ?

Try the PBR anyway or rearrange the NAT statement in working order ?

Upgrade to 8.4(n) ?

Use a dedicated interface for the 2nd line ?

Garry Cross · ‎12-12-2011

My immediate suggestion is for you to give us a show run nat and a show nat for completness.

If you need to hide anything just overwrite with x.x.x.x any ip's or service ports on the outside you don't want to publish.

Dan Jay · ‎12-12-2011

Garry,

I will post the config tomorrow morning ASAP.

Dan Jay · ‎12-12-2011

Morning Guys,

sho nat:

1 (inside) to (outside) source static LX0 [PUBLIC_IP] dns

translate_hits = 2691154, untranslate_hits = 570806

2 (inside) to (outside) source static MTA1 [PUBLIC_IP] dns

translate_hits = 286601, untranslate_hits = 787384

3 (inside) to (outside) source static SMB0 [PUBLIC_IP]dns

translate_hits = 53374, untranslate_hits = 1088

4 (inside) to (outside) source static Thermograph [PUBLIC_IP]dns

translate_hits = 18, untranslate_hits = 862

5 (inside) to (ecotel) source dynamic SC interface dns

translate_hits = 0, untranslate_hits = 0

6 (inside) to (outside) source dynamic MOBIL19 interface dns

translate_hits = 15060, untranslate_hits = 2514

7 (inside) to (outside) source dynamic MOBIL5 interface dns

translate_hits = 22920, untranslate_hits = 3088

8 (inside) to (outside) source dynamic MOBIL16 interface dns

translate_hits = 4954, untranslate_hits = 440

9 (inside) to (outside) source dynamic PB_300c interface dns

translate_hits = 49, untranslate_hits = 0

10 (inside) to (outside) source dynamic SMB2 interface dns

translate_hits = 10405, untranslate_hits = 6

11 (inside) to (outside) source dynamic test interface dns

translate_hits = 343558, untranslate_hits = 39562

12 (inside) to (outside) source dynamic PBX0 interface

translate_hits = 342224, untranslate_hits = 482

13 (any) to (outside) source dynamic Wireless interface

translate_hits = 22543, untranslate_hits = 1423

sho run nat:

object network test

nat (inside,outside) dynamic interface dns

object network MTA1

nat (inside,outside) static [PUBLIC_IP] dns

object network LX0

nat (inside,outside) static [PUBLIC_IP] dns

object network Thermograph

nat (inside,outside) static [PUBLIC_IP] dns

object network PBX0

nat (inside,outside) dynamic interface

object network Wireless

nat (any,outside) dynamic interface

object network SMB0

nat (inside,outside) static [PUBLIC_IP] dns

object network PB_300c

nat (inside,outside) dynamic interface dns

object network SC

nat (inside,ecotel) dynamic interface dns

object network SMB2

nat (inside,outside) dynamic interface dns

object network MOBIL5

nat (inside,outside) dynamic interface dns

object network MOBIL16

nat (inside,outside) dynamic interface dns

object network MOBIL19

nat (inside,outside) dynamic interface dns

JohnTylerPearce · ‎12-13-2011

Gary, please correct me if I'm wrong, but I'm assuming that the ASA will match the first NAT statement that certain traffic are matched for, and take that one, kinda like an ACL so to speak? As well as taking a more specific NAT entry over a more generic one?

object network test

nat (inside,outside) dynamic interface dns

From looking at this, it's first in the list, and is running dynamic PAT.

So I guess if you did a

object network ecotel

nat (intside,ecotel) dynamic interface dns (If you want DNS rewrite as well)

object network test

nat (inside,outside) dynamic interface dns

???