New Member

Interface PAT on ASA with NAT Exemption

Hi there,

I stumbled upon your site from a Google search. Basically, I am trying to PAT inside hosts to the Internet using the interface IP address of the ASA, and at the same time exempt two hosts on the same internal subnet utilizing a site-to-site VPN tunnel. Here is my partial config:

object network INSIDE-HOSTS
 subnet 192.168.5.0 255.255.255.0
 nat (inside,outside) dynamic interface

The nat exemptions for the vpn tunnel are as follows:

nat (inside,outside) source static inside-ip-vpn inside-ip-vpn destination static remote-vpn remote-vpn

The VPN tunnel and exemptions work, but the NAT to the Internet doesn't! All other configurations such as the default route and access lists seem OK, so I am thinking NAT is the issue.

What could I be missing?

Accepted Solution
Cisco Employee

Hey Alan,

Whenever you apply an ACL on the inside, the security levels are not enforced, so you need to explicitly specify which traffic will be allowed.

In other words, you have:

object-group network DM_INLINE_NETWORK_3
 network-object object POSTEL-LIVE
 network-object object POSTEL-TEST
object-group network DM_INLINE_NETWORK_4
 network-object object umoja-live
 network-object object umoja-test
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object tcp
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_4

So only IP, ICMP and TCP traffic from POSTEL-LIVE to umoja-live is allowed; I believe you need to add an ACE that allows going anywhere. So you will need to add something like this:

access-list inside_access_in extended permit ip object INSIDE-HOSTS any

For the return traffic to be successful you also need

 a) An ACL allowing from anywhere to inside hosts

or

 b) Having the protocol in the stateful table by inserting it into the global_policy: "fixup protocol icmp" does the trick.

Let me know if this makes sense. Do a packet-tracer and post the results if this is still not working!

JJ

8 REPLIES
New Member

Alan, PAT for Internet connectivity doesn't work for any inside hosts, or just the hosts listed in the inside-ip-vpn ACL? Also, run packet-tracer for an instance of a non-VPN host trying to reach a public IP address and an instance of a VPN host trying to reach the Internet, and post the results.

New Member

Hi William,

Thanks for taking the time to respond. The PAT for Internet connectivity does not work for any inside host. The NAT exemption does work, since I can ping hosts on the other end of the site-to-site VPN tunnel.

I have attached the relevant sections of the configuration for your review. From the trace, it appears that an access list is denying the traffic. Why would that be the case when interface PAT is configured for traffic to pass?

For the record, I am using a software version greater than 8.3.

Thanks

Cisco Employee

Post the ACL for inside-ip-vpn and remote-vpn. Clear conn and clear xlate, do a packet-tracer and post the results...

New Member

Hi jponcedo,

Thanks for taking the time to respond. The PAT for Internet connectivity does not work for any inside host. The NAT exemption does work, since I can ping hosts on the other end of the site-to-site VPN tunnel.

I have attached the relevant sections of the configuration for your review. From the trace, it appears that an access list is denying the traffic. Why would that be the case when interface PAT is configured for traffic to pass?

For the record, I am using a software version greater than 8.3.

Thanks

New Member

OK guys, you are right. The problem was resolved by creating an access rule, as explained by jponcedo. I suppose what baffled me is why I would need to create an access rule even after a PAT statement. I had thought that by default, traffic from a higher security interface (inside) to a lower security interface (outside) was allowed. Thanks for all your help guys.

New Member

I agree with jponcedo: the input access-list check comes before the NAT translation in the order of operations. Modify it, then test and run another packet-tracer.
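Putting the thread's fix together as an added configuration example for ASA 8.3+ (not taken from any post here): the object and ACL names INSIDE-HOSTS, inside-ip-vpn, remote-vpn and inside_access_in are the ones quoted in the thread; the VPN host addresses 192.168.5.10 and 192.168.5.11, the remote network 10.20.0.0/24, the outside test address 198.51.100.10 and the object names VPN-HOST-A and VPN-HOST-B are assumptions for illustration. It shows both points made above, that binding an ACL to the inside interface replaces the security-level permit with the ACL's implicit deny, and that the ACL is evaluated before NAT, and it uses `inspect icmp` under the global policy, which is the modular-policy-framework form of the `fixup protocol icmp` JJ mentions.

```cisco
! Added example for ASA 8.3+, not from any post in this thread. Names from the
! thread: INSIDE-HOSTS, inside-ip-vpn, remote-vpn, inside_access_in. Assumed:
! VPN-HOST-A/B, 192.168.5.10-11, 10.20.0.0/24 and the test address 198.51.100.10.
!
! --- Objects ---
object network INSIDE-HOSTS
 subnet 192.168.5.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network VPN-HOST-A
 host 192.168.5.10
object network VPN-HOST-B
 host 192.168.5.11
object-group network inside-ip-vpn
 network-object object VPN-HOST-A
 network-object object VPN-HOST-B
object network remote-vpn
 subnet 10.20.0.0 255.255.255.0
!
! --- NAT exemption for the tunnel (manual/twice NAT) ---
! Manual NAT sits in section 1 and is always evaluated before object NAT in
! section 2, so the two VPN hosts keep their real addresses toward 10.20.0.0/24
! and still get PATed to the interface address for everything else.
nat (inside,outside) source static inside-ip-vpn inside-ip-vpn destination static remote-vpn remote-vpn
!
! --- Inside ACL ---
! Once an ACL is bound to the inside interface, the security-level rule (higher
! to lower permitted) no longer applies; the ACL's implicit deny does. The ACL
! is checked before NAT, so with only the first ACE, Internet-bound packets are
! dropped before the PAT rule is ever consulted.
access-list inside_access_in extended permit ip object-group inside-ip-vpn object remote-vpn
! The fix: permit the rest of the subnet outbound. Both ACEs are permits, so
! their relative order does not matter.
access-list inside_access_in extended permit ip object INSIDE-HOSTS any
access-group inside_access_in in interface inside
!
! --- ICMP return traffic ---
! TCP and UDP replies are matched against the connection table; ICMP echo
! replies are not unless ICMP inspection is enabled, so enable it rather than
! opening an inbound ACL on the outside.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! --- Verification ---
! clear xlate drops every existing translation; do this in a maintenance window.
clear xlate
! Non-VPN host to the Internet: expect the ACCESS-LIST phase to allow and a NAT
! phase translating the source to the outside interface address.
packet-tracer input inside tcp 192.168.5.20 40000 198.51.100.10 80 detailed
packet-tracer input inside icmp 192.168.5.20 8 0 198.51.100.10 detailed
! VPN host to the remote network: expect the section-1 identity NAT and a VPN
! encrypt phase, not the interface PAT.
packet-tracer input inside tcp 192.168.5.10 40000 10.20.0.5 445 detailed
show nat detail
```

If the first packet-tracer still ends in a DROP at the ACCESS-LIST phase, the new ACE has not been added to the ACL that is actually bound with access-group; `show access-group` and `show access-list inside_access_in` will show which list is in force and its hit counts.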
