Solved

ASA 8.0(4) Hairpinning NAT for two lan2lan

Posted on 2014-03-18
Last Modified: 2014-03-19
Hello

In short: I have two L2L connections. I need to hairpin traffic from the first into the second one and also do NAT for it.

I am using a Cisco ASA 5510 with ios 8.0(4) from the CLI. The two L2L sites we can call Datacenter and Customer. Our inside network, Employee, is also connected to the ASA.

When an employee connects to the Datacenter or Customer site, the ASA will NAT this connection and put it in the right L2L tunnel. No problems there. I am mentioning this just as an example, as it will be in the config.

Now we need something special. A server in the datacenter needs to connect to a customer server via our ASA using our L2L connection. So there will be a U-turn/hairpin with NAT, as the customer L2L tunnel will only accept a certain range of IPs coming from our ASA.

The problem is that the ASA won't use NAT for the connection that comes from the datacenter and tries to turn to the customer tunnel on the same interface.

Possible culprit
For now it looks like the problem is caused by the nat 0 command on the outside interface, which causes a NAT exemption for this connection.

In my example I have sanitized the IP addresses and port names to match the config example at the end.

Here is part of the packet-tracer result from the ASA. I have bolded a line that is missing: it should be there when a NAT address is given, but it is not. That line normally indicates that the ASA actually does give a NAT IP from the given pool.
----------------------------
ciscoasa# packet-tracer input outside tcp 10.0.0.5 80 20.0.0.6 80 detailed

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip outside 10.0.0.5 255.255.255.0 outside 20.0.0.6 255.255.255.0
    NAT exempt
    translate_hits = 264, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xa82e50b0, priority=6, domain=nat-exempt, deny=false
        hits=263, user_data=0xa812afd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=10.0.0.5, mask=255.255.255.0, port=0
        dst ip=20.0.0.6, mask=255.255.255.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside) 500 access-list nat_datacenter_customer
  match ip outside 10.0.0.5 255.255.255.0 outside 157.144.2.0 255.255.255.0
    dynamic translation to pool 500 (25.0.0.1 - 25.0.0.254)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Dynamic translate 10.0.0.5/0 to 25.0.0.x/0 using netmask 255.255.255.255
 Forward Flow based lookup yields rule:
 in  id=0xa90bf888, priority=2, domain=nat, deny=false
        hits=161, user_data=0xa8a52400, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.0.0.5, mask=255.255.255.0, port=0
        dst ip=20.0.0.6, mask=255.255.255.0, port=0, dscp=0x0
-------------------------
I didn't know how to bold text inside a code field, so I had to paste it this way.


If I remove nat 0 from the outside interface, then there wouldn't be a NAT exemption causing me problems (I think), but then the ASA wouldn't accept Datacenter->Customer packets at all from the Datacenter L2L tunnel, so I must keep the nat 0 for the outside interface.

So this is what I don't understand. On the inside interface the nat 0 is not causing any problems for employee users when they connect to the Datacenter or Customer networks. They are being NATed nicely. But the outside nat 0 causes problems when hairpinning between two L2L tunnels and trying to add NAT on the outside interface.

Any ideas are welcome, and I will answer anything that was left unclear.

Here is the sanitized config with the relevant commands.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.255
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 30.0.0.1 255.255.255.0
!
same-security-traffic permit intra-interface
!
object-group network datacenter_servers
 network-object 10.0.0.0 255.255.255.0
!
object-group network datacenter_natpool
 network-object 15.0.0.0 255.255.255.0
!
object-group network datacenter_users
 network-object host 30.0.0.2
 network-object host 30.0.0.3
!
object-group network customer_servers
 network-object 20.0.0.0 255.255.255.0
!
object-group network customer_natpool
 network-object 25.0.0.0 255.255.255.0
!
object-group network customer_users
 network-object host 30.0.0.2
 network-object host 30.0.0.5
!
access-list 100 extended permit ip any any
!
access-list inside_nat0_outbound extended permit ip object-group datacenter_natpool object-group datacenter_servers
access-list inside_nat0_outbound extended permit ip object-group customer_natpool object-group customer_servers
!
access-list nat_datancenter extended permit ip object-group datacenter_users object-group datacenter_servers
access-list nat_veikkaus extended permit ip object-group customer_users object-group customer_servers
!
access-list nat_datacenter_customer extended permit ip object-group datacenter_servers object-group customer_servers
!
global (outside) 400 15.0.0.1-15.0.0.254 netmask 255.255.255.0
global (outside) 500 25.0.0.1-25.0.0.254 netmask 255.255.255.0
!
nat (inside) 0 access-list internal_nat0_outbound
nat (inside) 400 access-list nat_datacenter
nat (inside) 500 access-list nat_customer
nat (outside) 0 access-list nat_datacenter_customer
nat (outside) 500 access-list nat_datacenter_customer outside
!
access-group 100 in interface outside
access-group 100 out interface outside

Question by:anttiva

Expert Comment

by:rauenpc
ID: 39937555
In the average circumstance, I would normally not NAT any of the traffic between the three sites in any direction. You would have to configure your L2L crypto maps to include all the destination subnets, so the datacenter and customer ASAs would have at least 2 subnets in the destination, and the employee ASA would have two source subnets.
The above of course requires that you are allowed to modify all the ASAs. Are you able to do that, or are you absolutely required to keep the L2L as-is and only modify NAT at the Employee ASA?

Accepted Solution

by: WalkaboutTigger (earned 500 total points)
ID: 39937611
When sanitizing a configuration, make sure your access list names get sanitized as well.

So,

employee<-->L2LVPN<-->datacenter works
employee<-->L2LVPN<-->customer works
datacenter<--->L2LVPN<-->ASA<-->L2LVPN<-->customer does not work

Do you have a NAT-exempt ACL?
Author Comment

by:anttiva
ID: 39937707
Rauenpc, unfortunately I don't have access to the customer or datacenter end-point devices, so everything needs to be done on my end, and yes, the L2L has to mainly stay as it is. In theory I could ask that the Customer side add 10.0.0.6 to their L2L and that might fix the problem. But I dislike the idea, and for the sake of learning I would do it this way, as there might be more need for this in the future.

WalkaboutTigger, haha, I see. Thanks for the tip. Fixed some minor things.
And yes, you are correct about the situation. The first two work, the last won't.

I am not sure about the NAT-exempt ACL. Didn't see anything extra related to these tunnels beyond what I already showed. I will look into it. Not even sure how NAT exemption works. Will read about it and comment more. Originally I didn't configure this ASA, but lately I have been working on it, learning and taking more control over it. Just to clarify my level: basic L2L VPN with NATs, object groups, access lists and the rest are OK, but this situation is a little bit new to me, as I am not sure how the ASA behaves in it.

Expert Comment

by:WalkaboutTigger
ID: 39937838
Definitely look at the power of using a "deny" statement in the NAT exemption rule.
Using NATs like this, while uncommon, is quite doable with the ASA.

If you have a SmartNET contract on your ASA, I recommend you call TAC - they can look at the entire configuration and help you to understand it better as well.

If you're using NAT and not passing traffic through unNATed, then you should not need to modify your crypto maps, if memory serves, but you will need to create an ACL for NAT exemption.
Author Closing Comment

by:anttiva
ID: 39939214
Thanks for the help. You pointed me in the right direction. I started to question my outside nat 0.
The NAT exemption for the outside interface was made wrongly.

The outside nat 0 should have been for the NATed IPs that are going to the Customer network.
No NAT: customer_natpool -> customer_servers

Instead the outside nat 0 was
No NAT: datacenter_servers -> customer_servers
This caused the NAT exemption in the next phase, when the ASA was supposed to NAT the Datacenter IP to a Customer NAT pool IP.

Old
nat (outside) 0 access-list nat_datacenter_customer
nat (outside) 500 access-list nat_datacenter_customer outside
access-list nat_datacenter_customer extended permit ip object-group datacenter_servers object-group customer_servers

New
nat (outside) 0 access-list outside_nat0
nat (outside) 500 access-list nat_datacenter_customer outside
access-list nat_datacenter_customer extended permit ip object-group datacenter_servers object-group customer_servers
access-list outside_nat0 extended permit ip object-group customer_natpool object-group customer_servers
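As an added illustration (not from this thread or from Cisco), here is a small Python model of the pre-8.3 NAT order that packet-tracer shows above: the nat 0 exemption ACL is evaluated before the nat 500 policy ACL, so the old exemption swallowed the datacenter->customer flow while the corrected outside_nat0 does not match it. The "any" group and the deny-ACE variant are assumptions added to model WalkaboutTigger's suggestion of a deny statement in the exemption rule.

```python
from ipaddress import ip_address, ip_network

# Constructed object groups mirroring the sanitized config above ("any" is
# added here to model a broad exemption ACE; it is not in the original).
GROUPS = {
    "datacenter_servers": ["10.0.0.0/24"],
    "customer_servers": ["20.0.0.0/24"],
    "customer_natpool": ["25.0.0.0/24"],
    "any": ["0.0.0.0/0"],
}

def in_group(addr, group):
    return any(ip_address(addr) in ip_network(net) for net in GROUPS[group])

def acl_lookup(acl, src, dst):
    """Return the action of the first ACE matching src/dst, or None.
    Each ACE is (action, src_group, dst_group); first match wins."""
    for action, src_group, dst_group in acl:
        if in_group(src, src_group) and in_group(dst, dst_group):
            return action
    return None

def asa80_outside_nat(exempt_acl, policy_acl, pool, src, dst):
    """Pre-8.3 order on one interface, as packet-tracer shows it: the
    nat 0 (exemption) ACL is evaluated before the nat 500 policy ACL, so a
    permit there sends the packet on with its real source address."""
    if acl_lookup(exempt_acl, src, dst) == "permit":
        return ("NAT-EXEMPT", src)
    if acl_lookup(policy_acl, src, dst) == "permit":
        return ("NAT", pool)
    return ("NO-MATCH", src)

# nat (outside) 500 access-list nat_datacenter_customer outside
POLICY = [("permit", "datacenter_servers", "customer_servers")]
# Old: nat (outside) 0 reused the same ACL, shadowing the policy NAT.
OLD_EXEMPT = [("permit", "datacenter_servers", "customer_servers")]
# New: outside_nat0 exempts only pool -> customer, so the server flow is NATed.
NEW_EXEMPT = [("permit", "customer_natpool", "customer_servers")]
# Alternative from the thread: a deny ACE carves the flow out of a wider exemption.
DENY_EXEMPT = [("deny", "datacenter_servers", "customer_servers"),
               ("permit", "any", "customer_servers")]
FLOW = ("10.0.0.5", "20.0.0.6")  # the packet-tracer input from the question

def old_result():
    return asa80_outside_nat(OLD_EXEMPT, POLICY, "25.0.0.x", *FLOW)

def new_result():
    return asa80_outside_nat(NEW_EXEMPT, POLICY, "25.0.0.x", *FLOW)

def deny_result():
    return asa80_outside_nat(DENY_EXEMPT, POLICY, "25.0.0.x", *FLOW)
```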