hachemp asked:
NAT Issue - VPN Users Cannot Access Hosts on DMZ Interface
Hello, I have an ASA 5520 running 8.4(1). Recently I have implemented a DMZ interface to the ASA, and I can't seem to enable users connected via AnyConnect VPN to be able to access any of the hosts in the DMZ. To be clear, I want the VPN users to be able to access the DMZ hosts using their inside local addresses. The VPN users (from the WWVPN group) get an IP address between 10.1.254.2-100 (KensVPN IP pool). When I attempt to ping a host attached to the DMZ interface from a VPN-connected client, here is the message I receive in the logs:
5 Jun 01 2011 10:25:45 10.1.20.8 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src Outside:10.1.254.28 dst DMZ:10.1.20.8 (type 8, code 0) denied due to NAT reverse path failure
Obviously there's something missing in my NAT statements to exempt the DMZ from the VPN clients or vice versa. I thought that I had the correct NAT statements set up, however, the new format of the NAT statements throws me off a little. Would someone please look over my config and advise what I am missing to allow communication between VPN clients (10.1.254.2-10.1.254.100) and my DMZ network (10.1.20.0/24). Thanks!
: Saved
:
ASA Version 8.4(1)
!
hostname KENSASA
domain-name XXXXXXXX
enable password XXXXXXXX encrypted
passwd XXXXXXXX encrypted
names
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address XXXXXXXX 255.255.255.240 standby XXXXXXXX
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 10.1.1.2 255.255.255.0 standby 10.1.1.3
!
interface GigabitEthernet0/2
description LAN/STATE Failover Interface
speed 1000
duplex full
!
interface GigabitEthernet0/3
speed 1000
duplex full
nameif DMZ
security-level 50
ip address 10.1.20.2 255.255.255.0 standby 10.1.20.3
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
management-only
!
banner motd UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have
banner motd explicit permission to access or configure this device. All activities
banner motd performed on this device may be logged, and violations of this policy may
banner motd result in disciplinary action, and may be reported to law
banner motd enforcement. There is no right to privacy on this device.
banner asdm UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device.
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
name-server 10.1.1.10
name-server 10.1.11.23
domain-name XXXXXXXX
same-security-traffic permit inter-interface
object network obj-10.1.0.0
subnet 10.1.0.0 255.255.0.0
object network obj-10.1.254.0
subnet 10.1.254.0 255.255.255.0
object network obj-10.254.0.0
subnet 10.254.0.0 255.255.0.0
object network obj-10.10.0.0
subnet 10.10.0.0 255.255.0.0
object network obj-10.1.1.4
host 10.1.1.4
object network obj-10.1.20.150
host 10.1.20.150
object network obj-10.1.11.34
host 10.1.11.34
object network obj-10.1.11.20
host 10.1.11.20
object network obj-10.1.1.200
host 10.1.1.200
object network obj-10.1.11.99
host 10.1.11.99
object network obj-10.1.11.41
host 10.1.11.41
object network obj-10.1.12.16
host 10.1.12.16
object network obj-10.1.11.85
host 10.1.11.85
object network obj-10.1.20.8
host 10.1.20.8
description DMZ Test Web Server
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network obj-10.1.20.30
host 10.1.20.30
description Whos On
object network KensMain
subnet 10.1.0.0 255.255.240.0
object network TulsaConn
subnet 10.10.0.0 255.255.0.0
object network obj-10.1.0.0-20
subnet 10.1.0.0 255.255.240.0
object network obj_any-03
subnet 0.0.0.0 0.0.0.0
object network obj-any-04
subnet 0.0.0.0 0.0.0.0
object network TCMain
subnet 10.10.0.0 255.255.0.0
object network obj-10.10.0.0-16
subnet 10.10.0.0 255.255.0.0
object network obj-10.1.20.0
subnet 10.1.20.0 255.255.255.0
description DMZ
object-group icmp-type Good-ICMP
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
object-group service Exchange tcp
description For Mail Servers
port-object eq www
port-object eq https
port-object eq imap4
port-object eq pop3
port-object eq smtp
object-group service BurgSys tcp
description Ports for the Burg System
port-object eq 10081
port-object eq 5001
object-group service ESI_NSP
description ESI NSP
service-object tcp destination eq 59002
service-object tcp destination eq telnet
service-object udp destination eq 59002
object-group service SecExch tcp
description Secure Ports for Exchange
port-object eq 993
port-object eq 995
port-object eq https
port-object eq smtp
object-group service RODC
description Read Only Domain Controller Ports
service-object tcp-udp destination eq 464
service-object tcp destination eq 135
service-object tcp destination eq 3268
service-object tcp destination eq 445
service-object tcp destination eq 53248
service-object tcp destination eq 57344
service-object tcp destination eq 88
service-object tcp destination eq domain
service-object tcp destination eq ldap
service-object udp destination eq 389
service-object udp destination eq domain
service-object udp destination eq ntp
object-group service SQL tcp
description SQL Port
port-object eq 1433
port-object eq 1434
object-group service UDPSQL udp
port-object eq 1434
access-list Inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.1.254.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.254.0.0 255.255.0.0 10.1.254.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.1.254.0 255.255.255.0
access-list WWVPN_splitTunnelAcl standard permit 10.1.0.0 255.255.0.0
access-list WWVPN_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0
access-list MonVPN standard permit host 10.1.11.42
access-list MonVPN standard permit host 10.1.11.34
access-list MonVPN standard permit host 10.1.1.10
access-list MonVPN standard permit host 10.1.11.70
access-list outside_access_in extended permit icmp any any object-group Good-ICMP
access-list outside_access_in remark ESI Phone System
access-list outside_access_in extended permit object-group ESI_NSP any host 10.1.1.4
access-list outside_access_in remark Burglar System
access-list outside_access_in extended permit tcp any object obj-10.1.20.150 object-group BurgSys
access-list outside_access_in remark Exchange 2003
access-list outside_access_in extended permit tcp any host 10.1.11.34 object-group Exchange
access-list outside_access_in remark Exchange 2010
access-list outside_access_in extended permit tcp any host 10.1.11.85 object-group SecExch
access-list outside_access_in remark WhosOn Chat Server
access-list outside_access_in extended permit tcp any object obj-10.1.20.30 eq 8080
access-list outside_access_in remark WhosOn Chat Server
access-list outside_access_in extended permit tcp any object obj-10.1.20.30 eq www
access-list outside_access_in remark DMZ Web Server Test
access-list outside_access_in extended permit tcp any host 10.1.20.8 eq www
access-list outside_access_in remark DMZ Web Server Test
access-list outside_access_in extended permit tcp any host 10.1.20.8 eq https
access-list DMZ_access_in remark WhosOn Chat Server
access-list DMZ_access_in extended permit tcp host 10.1.20.30 host 10.1.11.55 eq 51953
access-list DMZ_access_in remark WhosOn Chat Server
access-list DMZ_access_in extended permit udp host 10.1.20.30 host 10.1.11.55 object-group UDPSQL
access-list DMZ_access_in remark Edge Server
access-list DMZ_access_in extended permit ip host 10.1.20.20 object KensMain
access-list DMZ_access_in remark Kensington RODC (VM)
access-list DMZ_access_in extended permit object-group RODC host 10.1.20.100 host 10.1.1.10
access-list DMZ_access_in extended permit ip host 10.1.20.100 host 10.1.11.23 inactive
access-list DMZ_access_in remark Kensington RODC (VM)
access-list DMZ_access_in extended permit ip host 10.1.20.100 host 10.1.1.10 inactive
access-list DMZ_access_in extended permit ip host 10.1.20.100 host 10.1.12.14 inactive
access-list DMZ_access_in extended permit udp host 10.1.20.120 host 10.1.11.25 object-group UDPSQL
access-list DMZ_access_in extended permit tcp host 10.1.20.120 host 10.1.11.25 eq 51953
access-list DMZ_access_in extended permit tcp host 10.1.20.120 host 10.1.11.34 eq smtp
access-list DMZ_access_in remark CRM test
access-list DMZ_access_in extended permit ip host 10.1.20.120 any inactive
access-list DMZ_access_in remark temp
access-list DMZ_access_in extended permit ip host 10.1.20.8 host 10.10.3.11
access-list DMZ_access_in remark Temp
access-list DMZ_access_in extended permit ip host 10.1.20.8 host 10.10.3.21
access-list DMZ_access_in extended permit tcp host 10.1.20.8 host 10.10.1.16 eq 51954
access-list DMZ_access_in extended permit udp host 10.1.20.8 host 10.10.1.16 object-group UDPSQL
access-list DMZ_access_in extended permit tcp host 10.1.20.8 host 10.1.11.55 eq 51953
access-list DMZ_access_in extended permit udp host 10.1.20.8 host 10.1.11.55 object-group UDPSQL
access-list DMZ_access_in remark TEST ONLY - not necessary in prod
access-list DMZ_access_in extended permit ip host 10.1.20.8 host 10.10.3.31
access-list DMZ_access_in remark Web Server Test
access-list DMZ_access_in extended permit ip host 10.1.20.8 any inactive
access-list DMZ_access_in extended permit icmp 10.1.20.0 255.255.255.0 object KensMain object-group Good-ICMP
access-list DMZ_access_in extended permit icmp 10.1.20.0 255.255.255.0 object TCMain object-group Good-ICMP
access-list DMZ_access_in extended deny ip any object KensMain
access-list DMZ_access_in extended deny ip any object TCMain
access-list DMZ_access_in extended permit ip 10.1.20.0 255.255.255.0 any
access-list Inside_access_in extended permit ip object KensMain any
access-list Inside_access_in extended permit ip object TCMain any
pager lines 24
logging enable
logging timestamp
logging trap notifications
logging asdm notifications
logging host Inside 10.1.11.29
logging permit-hostdown
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination Inside 10.1.11.29 2055
flow-export template timeout-rate 1
flow-export delay flow-create 15
mtu Outside 1500
mtu Inside 1500
mtu management 1500
mtu DMZ 1500
ip local pool KensVPN 10.1.254.2-10.1.254.100 mask 255.255.255.0
ip local pool MonVPN 10.1.254.110-10.1.254.120 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface LANlink GigabitEthernet0/2
failover link LANlink GigabitEthernet0/2
failover interface ip LANlink 192.168.100.1 255.255.255.0 standby 192.168.100.2
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (Inside,any) source static obj-10.1.0.0 obj-10.1.0.0 destination static obj-10.1.254.0 obj-10.1.254.0
nat (Inside,any) source static obj-10.254.0.0 obj-10.254.0.0 destination static obj-10.1.254.0 obj-10.1.254.0
nat (Inside,any) source static obj-10.10.0.0 obj-10.10.0.0 destination static obj-10.1.254.0 obj-10.1.254.0
nat (DMZ,any) source static obj-10.1.20.0 obj-10.1.20.0 destination static obj-10.1.254.0 obj-10.1.254.0
!
object network obj-10.1.1.4
nat (Inside,Outside) static XXXXXXXX
object network obj-10.1.20.150
nat (DMZ,Outside) static XXXXXXXX
object network obj-10.1.11.34
nat (Inside,Outside) static XXXXXXXX
object network obj-10.1.11.20
nat (Inside,Outside) static XXXXXXXX
object network obj-10.1.1.200
nat (Inside,Outside) static XXXXXXXX
object network obj-10.1.11.99
nat (Inside,Outside) static XXXXXXXX
object network obj-10.1.11.41
nat (Inside,Outside) static XXXXXXXX
object network obj-10.1.12.16
nat (Inside,Outside) static XXXXXXXX
object network obj-10.1.11.85
nat (Inside,Outside) static XXXXXXXX
object network obj-10.1.20.8
nat (DMZ,Outside) static XXXXXXXX
object network obj_any
nat (Inside,Outside) dynamic interface
object network obj_any-01
nat (Inside,Outside) dynamic obj-0.0.0.0
object network obj_any-02
nat (management,Outside) dynamic obj-0.0.0.0
object network obj-10.1.20.30
nat (DMZ,Outside) static XXXXXXXX
object network obj-10.1.0.0-20
nat (Inside,DMZ) static KensMain
object network obj_any-03
nat (Inside,DMZ) dynamic obj-0.0.0.0
object network obj-any-04
nat (DMZ,Outside) dynamic interface
object network obj-10.10.0.0-16
nat (Inside,DMZ) static TCMain
access-group outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group DMZ_access_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 XXXXXXXX 1
route Inside 10.1.0.0 255.255.240.0 10.1.1.1 1
route Inside 10.10.0.0 255.255.0.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server WWDC4 protocol radius
aaa-server WWDC4 (Inside) host 10.1.11.19
timeout 5
key *****
aaa-server WWDC1 protocol radius
aaa-server WWDC1 (Inside) host 10.1.1.10
key *****
aaa-server WWTDC1 protocol radius
aaa-server WWTDC1 (Inside) host 10.10.1.100
key *****
aaa authentication ssh console LOCAL
http server enable
http server idle-timeout 15
http 10.1.12.0 255.255.255.0 Inside
http 10.1.1.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
http 10.1.11.29 255.255.255.255 Inside
snmp-server host Inside 10.1.11.28 community ***** version 2c udp-port 161
snmp-server location Kensington
snmp-server contact Paul
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
<cert info truncated>
quit
telnet timeout 5
ssh 10.1.11.29 255.255.255.255 Inside
ssh 10.1.12.0 255.255.255.0 Inside
ssh timeout 15
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
dhcpd address 192.168.1.10-192.168.1.254 management
dhcpd enable management
!
threat-detection rate scanning-threat rate-interval 600 average-rate 20 burst-rate 25
threat-detection rate scanning-threat rate-interval 3600 average-rate 15 burst-rate 20
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server XXXXXXXX source Outside prefer
tftp-server Inside 10.1.11.29 \5520ASA\5520Kens
ssl trust-point ASDM_TrustPoint3 Outside
webvpn
enable Outside
csd image disk0:/csd_3.4.0373.pkg
anyconnect image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.3.0254-k9.pkg 2
anyconnect enable
tunnel-group-list enable
smart-tunnel list Audit IE iexplore.exe platform windows
smart-tunnel auto-signon Monarchtest use-domain host XXXXXXXX
smart-tunnel auto-signon Monarchtest use-domain ip 10.1.11.42 255.255.255.0
smart-tunnel auto-signon Monarchtest host XXXXXXXX
group-policy WWVPNGP internal
group-policy WWVPNGP attributes
wins-server value 10.1.1.10 10.1.11.23
dns-server value 10.1.1.10 10.1.11.23
vpn-tunnel-protocol l2tp-ipsec ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value WWVPN_splitTunnelAcl
default-domain value XXXXXXXX
split-dns value XXXXXXXX
webvpn
anyconnect ask none default anyconnect
group-policy Monarch internal
group-policy Monarch attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
webvpn
url-list value Monarch
anyconnect ask none default webvpn
url-entry disable
group-policy MonClientGP internal
group-policy MonClientGP attributes
wins-server value 10.1.1.10 10.1.11.19
dns-server value 10.1.1.10 10.1.11.19
vpn-tunnel-protocol l2tp-ipsec ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MonVPN
default-domain value XXXXXXXX
split-dns value XXXXXXXX
address-pools value MonVPN
webvpn
anyconnect ask none default anyconnect
group-policy Velocity internal
group-policy Velocity attributes
vpn-tunnel-protocol l2tp-ipsec
webvpn
url-list value Velocity
homepage none
anyconnect ask none default webvpn
customization value DfltCustomization
url-entry disable
group-policy xAuditx internal
group-policy xAuditx attributes
vpn-tunnel-protocol l2tp-ipsec ssl-clientless
webvpn
url-list value Audit
customization value xAuditx
smart-tunnel enable Audit
<usernames truncated>
vpn-group-policy Velocity
group-lock value Velocity
service-type remote-access
tunnel-group WWVPN type remote-access
tunnel-group WWVPN general-attributes
address-pool KensVPN
authentication-server-group WWDC1
default-group-policy WWVPNGP
tunnel-group WWVPN webvpn-attributes
group-alias WWVPN enable
tunnel-group Velocity type remote-access
tunnel-group Velocity general-attributes
address-pool KensVPN
default-group-policy Velocity
tunnel-group Velocity webvpn-attributes
group-alias Velocity enable
group-url XXXXXXXX enable
tunnel-group xAuditx type remote-access
tunnel-group xAuditx general-attributes
default-group-policy xAuditx
tunnel-group xAuditx webvpn-attributes
group-alias xAudtix enable
tunnel-group Monarch type remote-access
tunnel-group Monarch general-attributes
default-group-policy Monarch
tunnel-group Monarch webvpn-attributes
group-alias Monarch enable
tunnel-group MonarchClient type remote-access
tunnel-group MonarchClient general-attributes
address-pool MonVPN
authentication-server-group WWTDC1
default-group-policy MonClientGP
tunnel-group MonarchClient webvpn-attributes
group-alias MonarchClient enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 4096
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect ip-options
class class-default
flow-export event-type all destination 10.1.11.29
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum: XXXXXXXX
: end
asdm image disk0:/asdm-641.bin
asdm location 10.1.0.0 255.255.0.0 Inside
asdm location 10.254.0.0 255.255.0.0 Inside
asdm history enable
ASKER
Hmmm, I was of the understanding that NAT 0 commands don't work anymore in post 8.3 ASA images. I'll give this a shot when I get back to the office regardless.
Here is what I found for 8.3/4.x pertaining to your question. I don't think the commands were taken out, just added modifiers to the command set.
From: http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html#wp517722
In earlier releases for identity NAT, proxy ARP was disabled, and a route lookup was always used to determine the egress interface. You could not configure these settings. In 8.4(1.11) and later, the default behavior for identity NAT was changed to match the behavior of other static NAT configurations: proxy ARP is enabled, and the NAT configuration determines the egress interface (if specified) by default. You can leave these settings as is, or you can enable or disable them discretely. Note that you can now also disable proxy ARP for regular static NAT.
For pre-8.3 configurations, the migration of NAT exempt rules (the nat 0 access-list command) to 8.4(1.11) and later now includes the following keywords to disable proxy ARP and to use a route lookup: no-proxy-arp and route-lookup. The unidirectional keyword that was used for migrating to 8.3(2) and 8.4(1) is no longer used for migration. When upgrading to 8.4(1.11) from 8.3(1), 8.3(2), and 8.4(1), all identity NAT configurations will now include the no-proxy-arp and route-lookup keywords, to maintain existing functionality. The unidirectional keyword is removed.
We modified the following commands: nat static [no-proxy-arp] [route-lookup] (object network) and nat source static [no-proxy-arp] [route-lookup] (global).
ASKER
Unfortunately Warlock, it does appear like they did away with NAT 0. When I put the statement in, I received the following message:
ERROR: This syntax of nat command has been deprecated. Please refer to "help nat" command for more details.
It seems to me that this is the 'new' command that should be exempting NAT between VPN and DMZ:
nat (DMZ,any) source static obj-10.1.20.0 obj-10.1.20.0 destination static obj-10.1.254.0 obj-10.1.254.0
From what I've read, this is bidirectional by default (uni-directional will be specified in the command, otherwise it's bi). Also, communication from my Inside network to the VPN users has been working just fine, and here is the command that is doing that (as far as I can tell anyway):
nat (Inside,any) source static obj-10.1.0.0 obj-10.1.0.0 destination static obj-10.1.254.0 obj-10.1.254.0
So I'm just not understanding why I'm getting an asymmetric NAT rule error on that when it's configured bidirectionally and just like the other rule which seems to be working fine?
ASKER CERTIFIED SOLUTION
ASKER
Warlock, I tried changing DMZ to inside as you suggested...no luck, same asymmetric NAT error message.
Since you mentioned object-oriented NAT, that made me think of something. The NAT command that gives any of the hosts in the DMZ (that don't have a static translation) the ip of the outside interface:
object network obj-any-04
nat (DMZ,Outside) dynamic interface
Perhaps this is what is causing the 'asymmetric' NAT issue? If so, not sure what I can do, as I need that to give the DMZ hosts that don't get their own public IP a connection to the internet...any ideas, or do you think this is unrelated?
ASKER
Even though I'm not completely sure what this is used for, I tried adding this just to see...
nat (DMZ, Outside) dynamic obj-0.0.0.0
since there was one in there for the inside-outside network. Still got the same error.
ASKER
Finally figured this one out - with the help of TAC. :)
I replaced this statement:
nat (DMZ,any) source static obj-10.1.20.0 obj-10.1.20.0 destination static obj-10.1.254.0 obj-10.1.254.0
with this:
nat (DMZ,any) 1 source static obj-10.1.20.0 obj-10.1.20.0 destination static obj-10.1.254.0 obj-10.1.254.0
I'm guessing the '1' tells the ASA to process this rule first, avoiding whatever was causing the asymmetrical NAT (I think it was the outside interface PAT I listed above causing the issue). Either way, this is a good one to note and kudos to Cisco TAC! Well worth the cost in my opinion. Giving you the points Warlock for your help in troubleshooting this today. Thanks again!
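As an added illustration (not code from the thread, Cisco, or TAC), the following Python models how an 8.3+ ASA orders its NAT table in three sections and shows where the DMZ identity rule lands as originally posted versus with the sequence number 1 from the fix. The object definitions are copied from the posted config; public addresses stay masked as XXXXXXXX as on the page.

```python
"""Model of how an ASA 8.3+ orders its NAT table (added example, not from the
thread). Section 1: manual NAT in config order, or at the position given by a
sequence number. Section 2: auto (object) NAT, sorted by the ASA: static before
dynamic, then fewest real addresses, lowest address, object name. Section 3:
manual NAT written with `after-auto`, in config order."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Network objects referenced by the rules below, taken from the posted config.
OBJECTS = {
    "obj-10.1.0.0": "10.1.0.0/16", "obj-10.254.0.0": "10.254.0.0/16",
    "obj-10.10.0.0": "10.10.0.0/16", "obj-10.1.20.0": "10.1.20.0/24",
    "obj-10.1.254.0": "10.1.254.0/24", "obj-10.1.0.0-20": "10.1.0.0/20",
    "obj-10.1.20.8": "10.1.20.8/32", "obj_any": "0.0.0.0/0",
    "obj-any-04": "0.0.0.0/0",
}

# Subset of the posted NAT configuration; public addresses stay masked XXXXXXXX.
ORIGINAL = """
nat (Inside,any) source static obj-10.1.0.0 obj-10.1.0.0 destination static obj-10.1.254.0 obj-10.1.254.0
nat (Inside,any) source static obj-10.254.0.0 obj-10.254.0.0 destination static obj-10.1.254.0 obj-10.1.254.0
nat (Inside,any) source static obj-10.10.0.0 obj-10.10.0.0 destination static obj-10.1.254.0 obj-10.1.254.0
nat (DMZ,any) source static obj-10.1.20.0 obj-10.1.20.0 destination static obj-10.1.254.0 obj-10.1.254.0
object network obj-10.1.20.8
 nat (DMZ,Outside) static XXXXXXXX
object network obj_any
 nat (Inside,Outside) dynamic interface
object network obj-10.1.0.0-20
 nat (Inside,DMZ) static KensMain
object network obj-any-04
 nat (DMZ,Outside) dynamic interface
""".strip().splitlines()

# The same lines after the TAC fix: the DMZ rule now carries sequence number 1.
FIXED = [line.replace("nat (DMZ,any) source", "nat (DMZ,any) 1 source")
         for line in ORIGINAL]


@dataclass
class NatRule:
    text: str
    section: int
    kind: str                       # "static" or "dynamic"
    real_obj: Optional[str] = None  # real-address object (auto NAT only)


def evaluation_order(config_lines: List[str]) -> List[NatRule]:
    """Return the NAT rules in the order the ASA consults them."""
    section1, section2, section3 = [], [], []
    current_obj = None
    for raw in config_lines:
        line = raw.strip()
        if line.startswith("object network "):
            current_obj = line.split()[-1]      # owner of the next nat line
            continue
        if not line.startswith("nat "):
            continue
        words = line.split()
        if "source" in words:                   # manual (twice) NAT
            kind = words[words.index("source") + 1]
            seq = int(words[2]) if words[2].isdigit() else None
            target = section3 if words[-1] == "after-auto" else section1
            rule = NatRule(line, 3 if target is section3 else 1, kind)
            if seq is None:
                target.append(rule)             # no sequence number: appended
            else:
                target.insert(seq - 1, rule)    # sequence number is a position
        else:                                   # auto (object) NAT
            kind = "static" if "static" in words else "dynamic"
            section2.append(NatRule(line, 2, kind, real_obj=current_obj))

    def auto_key(rule: NatRule):
        net = ipaddress.ip_network(OBJECTS[rule.real_obj])
        return (rule.kind != "static", net.num_addresses,
                int(net.network_address), rule.real_obj)

    section2.sort(key=auto_key)                 # the ASA orders section 2 itself
    return section1 + section2 + section3


def position_of(config_lines: List[str], prefix: str) -> int:
    """1-based position of the first rule whose text starts with prefix, else 0."""
    for i, rule in enumerate(evaluation_order(config_lines), start=1):
        if rule.text.startswith(prefix):
            return i
    return 0
```

Running `evaluation_order(ORIGINAL)` places the DMZ rule fourth in section 1, behind the three Inside rules; with `FIXED` the same rule is consulted first, which is the only ordering difference the added sequence number makes.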
I'm glad to see you got it working.
access-list nonat-dmz permit ip 10.1.20.2 255.255.255.0 10.1.254.2 255.255.255.0
(No Nat for the DMZ network)
access-list nonat-in permit ip 10.1.0.0 255.255.0.0 10.1.254.2 255.255.255.0
(No Nat for the Inside network)
Then do:
nat (DMZ) 0 access-list nonat-dmz
nat (inside) 0 access-list nonat-in
(NAT 0 prevents NAT for networks specified in the ACL nonat)
Remember, after adding a new NAT configuration you'll need to clear the NAT translation
Clear xlate
Clear local
Hope this helps. Let us know.