Interface PAT on asa with NAT Exemption

Alan Ng'ethe
Level 3

Hi there,

I stumbled upon your site from a Google search. Basically, I am trying to PAT inside hosts to the internet using the interface IP address of the ASA, and at the same time exempt two hosts on the same internal subnet that use a site-to-site VPN tunnel. Here is my partial config:

object network INSIDE-HOSTS
 subnet 192.168.5.0 255.255.255.0
nat (inside,outside) dynamic interface

The nat exemptions for the vpn tunnel are as follows:

nat (inside,outside) source static inside-ip-vpn inside-ip-vpn destination static remote-vpn remote-vpn

The VPN tunnel and exemptions work, but the NAT to the internet doesn't! All other configurations such as the default route and access lists seem OK, so I am thinking NAT is the issue.

What could I be missing?

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.

WILLIAM STEGMAN
Level 4

Alan, PAT for Internet connectivity doesn't work for any inside hosts, or just the hosts listed in the inside-ip-vpn acl?  Also, run packet-tracer for an instance of a non vpn host trying to reach a public IP address and an instance of vpn host trying to reach the Internet and post the results.

Hi William,

Thanks for taking time to respond. The PAT for internet connectivity does not work for any inside host. The NAT exemption does work, since I can ping hosts on the other end of the site-to-site VPN tunnel.

I have attached the relevant sections of the configuration for your review. From the trace, it appears that an access list is denying the traffic. Why would that be the case when interface PAT is configured for traffic to pass?

For the record, I am using a software version greater than 8.3.

Thanks

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.

Juan Ponce Dominguez
Cisco Employee

Post the ACL for inside-ip-vpn and remote-vpn. Clear conn and clear xlates, do a packet-tracer and post the results...

Hi jponcedo,

Thanks for taking time to respond. The PAT for internet connectivity does not work for any inside host. The NAT exemption does work, since I can ping hosts on the other end of the site-to-site VPN tunnel.

I have attached the relevant sections of the configuration for your review. From the trace, it appears that an access list is denying the traffic. Why would that be the case when interface PAT is configured for traffic to pass?

For the record, I am using a software version greater than 8.3.

Thanks

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.

Hey Alan,

Whenever you apply an ACL on the inside, the security levels are not enforced, so you need to explicitly specify which traffic will be allowed.

In other words, you have:

object-group network DM_INLINE_NETWORK_3
 network-object object POSTEL-LIVE
 network-object object POSTEL-TEST
object-group network DM_INLINE_NETWORK_4
 network-object object umoja-live
 network-object object umoja-test
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object tcp
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_4

So only the IP, ICMP and TCP traffic from POSTEL-LIVE to umoja-live is allowed; I believe you need to add an ACE to allow going to anywhere. So you will need to add something like this:

access-list inside_access_in extended permit ip object INSIDE-HOSTS any

For the return traffic to be successful you also need

 a) An ACL allowing from anywhere to the inside hosts

or

 b) Having the protocol in the stateful table by inserting it into the global_policy: "fixup protocol icmp" does the trick.

Let me know if this makes sense. Do a packet-tracer and post the results if this is still not working!

JJ

OK guys, you are right. The problem was resolved by creating an access rule, as explained by jponcedo. I suppose what baffled me is why I would need to create an access rule even after a PAT statement. I had thought that by default, traffic from a higher security interface (inside) to a lower security interface (outside) was allowed. Thanks for all your help guys.

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.

WILLIAM STEGMAN
Level 4

I agree with jponcedo, the input access list check comes before the NAT translation in the order of operations.  Modify it and then test and run another packet-tracer.
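The two points made in this thread, that an inbound interface ACL ends in an implicit deny that replaces the security-level permit, and that the ACL check happens before NAT, can be walked through with a small model. This is an added illustration written for this thread, not Cisco code or output from the ASA; the addresses of the VPN objects and the DM_INLINE groups are placeholders, because the thread never lists their contents, and the mapping of the DM_INLINE groups onto the VPN objects is an assumption.

```python
import ipaddress

# Constructed, simplified model of the ASA inbound order of operations described in
# the thread: the interface ACL is evaluated first, NAT is applied afterwards.
def net(cidr):
    return ipaddress.ip_network(cidr)

OBJECTS = {
    "INSIDE-HOSTS": [net("192.168.5.0/24")],                          # from the thread
    "inside-ip-vpn": [net("192.168.5.10/32"), net("192.168.5.11/32")],  # placeholder
    "remote-vpn": [net("10.10.10.0/24")],                              # placeholder
    "any": [net("0.0.0.0/0")],
}
# Assumption: the DM_INLINE groups in the thread hold the same VPN hosts.
OBJECTS["DM_INLINE_NETWORK_3"] = OBJECTS["inside-ip-vpn"]
OBJECTS["DM_INLINE_NETWORK_4"] = OBJECTS["remote-vpn"]

def matches(name, addr):
    return any(addr in n for n in OBJECTS[name])

# An ACE is (protocols, source object, destination object). First match wins and
# an interface ACL ends in an implicit deny, which is what the original ACL hits.
ORIGINAL_ACL = [({"ip", "icmp", "tcp"}, "DM_INLINE_NETWORK_3", "DM_INLINE_NETWORK_4")]
FIXED_ACL = ORIGINAL_ACL + [({"ip"}, "INSIDE-HOSTS", "any")]   # the suggested ACE

def acl_permits(acl, proto, src, dst):
    for protos, s, d in acl:
        if ("ip" in protos or proto in protos) and matches(s, src) and matches(d, dst):
            return True
    return False

def inside_to_outside(acl, proto, src, dst, outside_if_ip="203.0.113.1"):
    """Return (verdict, source address as seen on the outside interface)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not acl_permits(acl, proto, src, dst):
        return ("DROP acl-drop", None)           # never reaches the NAT rules
    # The twice-NAT exemption is evaluated before the object NAT interface PAT.
    if matches("inside-ip-vpn", src) and matches("remote-vpn", dst):
        return ("PERMIT", str(src))              # identity: untranslated into the VPN
    if matches("INSIDE-HOSTS", src):
        return ("PERMIT", outside_if_ip)         # nat (inside,outside) dynamic interface
    return ("PERMIT", str(src))                  # no NAT rule matched: forwarded as-is

if __name__ == "__main__":
    for acl_name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(acl_name, "internet:", inside_to_outside(acl, "tcp", "192.168.5.50", "8.8.8.8"))
        print(acl_name, "vpn:     ", inside_to_outside(acl, "icmp", "192.168.5.10", "10.10.10.5"))
```

The model reproduces the symptom from the thread: VPN traffic is permitted and exempted under both ACLs, while internet-bound traffic is dropped by the ACL before the interface PAT rule is ever consulted until the extra ACE is present.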