Cisco ASA NAT Issue

I am having a NAT issue with a Cisco ASA on 8.0(4).

I have a server that already has a static NAT as follows.

static (dev-dmz,outside) 99.99.99.99 192.168.31.40 netmask 255.255.255.255 tcp 0 10000

I now need to allow access to this server over an IPSec VPN but the remote peer requires me to source NAT to a specific private IP address (172.28.0.201). My configuration now looks like this.

static (dev-dmz,outside) 99.99.99.99 192.168.31.40 netmask 255.255.255.255 tcp 0 10000
access-list NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.16.224 255.255.255.240
access-list NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.32.144 255.255.255.240
access-list NAT-DEV-IIS-01 extended permit icmp host 192.168.31.40 10.178.16.224 255.255.255.240
access-list NAT-DEV-IIS-01 extended permit icmp host 192.168.31.40 10.178.32.144 255.255.255.240
access-list NAT-DEV-IIS-01 extended permit ip 10.178.16.224 255.255.255.240 host 192.168.31.40
access-list NAT-DEV-IIS-01 extended permit ip 10.178.32.144 255.255.255.240 host 192.168.31.40
access-list NAT-DEV-IIS-01 extended permit icmp 10.178.16.224 255.255.255.240 host 192.168.31.40
access-list NAT-DEV-IIS-01 extended permit icmp 10.178.32.144 255.255.255.240 host 192.168.31.40
global (outside) 1 interface
global (outside) 12 172.28.0.201
nat (dev-dmz) 0 access-list no-nat-dev-dmz
nat (dev-dmz) 12 access-list NAT-DEV-IIS-01
nat (dev-dmz) 1 0.0.0.0 0.0.0.0


I would expect from this the following.

1. Any traffic between 192.168.31.40 and 10.178.16.224 255.255.255.240 or 10.178.32.144 255.255.255.240 will go out with a source IP of 172.28.0.201.
2. All other traffic from 192.168.31.40 out to the internet will go out with a source IP of 99.99.99.99.

This isn't happening. When I try to ping a host on the remote side from 192.168.31.40 the NAT to 172.28.0.201 is not happening. My xlates relevant to this are as follows.

# show xlate | inc 172.28
Global 172.28.0.202 Local 192.168.31.41
Global 172.28.0.202 Local 192.168.31.41
PAT Global 172.28.0.202(0) Local 192.168.31.41 ICMP id 0
PAT Global 172.28.0.202(0) Local 192.168.31.41 ICMP id 0
Global 172.28.0.203 Local 192.168.30.5
Global 172.28.0.203 Local 192.168.30.5
PAT Global 172.28.0.203(0) Local 192.168.30.5 ICMP id 0
PAT Global 172.28.0.203(0) Local 192.168.30.5 ICMP id 0


The xlate from 192.168.31.40 to 172.28.0.201 is not listed.

Can anyone tell me what I'm doing wrong?

TIA
Asked by ccfcfc
Fidelius commented:
Hello,
Try switching the NAT IDs:
global (outside) 1 172.28.0.201
global (outside) 12 interface
nat (dev-dmz) 1 access-list NAT-DEV-IIS-01
nat (dev-dmz) 12 0.0.0.0 0.0.0.0

Regards!
0
 
ccfcfc (author) commented:
Does it process those global statements in order, then?
0
 
max_the_king commented:
Hi,
chances are that you forgot to configure the internal access-list, i.e. the one applied to the dev-dmz interface.

For example, if you want to do policy nat for the following:
access-list NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.16.224 255.255.255.240

you need to allow that rule on the very same interface:
access-list <the one applied on dev-dmz interface> extended permit ip host 192.168.31.40 10.178.16.224 255.255.255.240

otherwise the packets are dropped BEFORE they are NATed.

hope this helps
max
0
 
ccfcfc (author) commented:

I can't get this working, however I try it.

This is my current setup. I will focus on just one of the hosts on my side of the tunnel.

Host address : 192.168.31.40
SNAT host address : 172.28.0.201
Destination host address : 10.178.32.150

- Interface ACL entries relevant to this traffic

access-list dev-dmz-src-acl extended permit icmp host 192.168.31.40 host 10.178.32.150
access-list dev-dmz-src-acl extended permit icmp host 192.168.31.41 host 10.178.32.150
access-list dev-dmz-src-acl extended permit icmp host 10.178.32.150 host 192.168.31.40
access-list dev-dmz-src-acl extended permit icmp host 10.178.32.150 host 192.168.31.41
access-list dev-dmz-src-acl extended permit ip host 192.168.31.40 host 10.178.32.150
access-list dev-dmz-src-acl extended permit ip host 192.168.31.41 host 10.178.32.150
access-list dev-dmz-src-acl extended permit ip host 10.178.32.150 host 192.168.31.40
access-list dev-dmz-src-acl extended permit ip host 10.178.32.150 host 192.168.31.41

- Crypto ACL

access-list 136 extended permit ip host 172.28.0.201 10.178.16.224 255.255.255.240
access-list 136 extended permit ip host 172.28.0.201 10.178.32.144 255.255.255.240
access-list 136 extended permit ip host 172.28.0.202 10.178.16.224 255.255.255.240
access-list 136 extended permit ip host 172.28.0.202 10.178.32.144 255.255.255.240
access-list 136 extended permit ip host 172.28.0.203 10.178.16.224 255.255.255.240
access-list 136 extended permit ip host 172.28.0.203 10.178.32.144 255.255.255.240
access-list 136 extended permit ip host 172.28.0.204 10.178.16.224 255.255.255.240
access-list 136 extended permit ip host 172.28.0.204 10.178.32.144 255.255.255.240
access-list 136 extended permit ip host 172.28.0.205 10.178.16.224 255.255.255.240
access-list 136 extended permit ip host 172.28.0.205 10.178.32.144 255.255.255.240

- SNAT ACL

access-list DELTA-NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.16.224 255.255.255.240
access-list DELTA-NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.32.144 255.255.255.240

- SNAT Static

static (dev-dmz,outside) 172.28.0.201  access-list DELTA-NAT-DEV-IIS-01

With these settings the following is the relevant output from show xlate.

Global 172.28.0.201 Local 192.168.31.40
Global 172.28.0.201 Local 192.168.31.40

This would appear to show that the SNAT is working, but if I try to ping 10.178.32.150 from 192.168.31.40 I get no response.

Phase 1 seems to be up and running - this connection shows as MM_ACTIVE if I look at my isakmp SAs - but I have no IPSec SA for this tunnel.

If I use the packet trace tool on ASDM it passes everything up to the VPN. The last entries are as follows.

Type - NAT Action - ALLOW
Config
static (dev-dmz,outside) 172.28.0.201 access-list DELTA-NAT-DEV-IIS-01 nat-control match ip dev-dmz host 192.168.31.40 outside 10.178.32.144 255.255.255.240 static translation to 172.28.0.201 translate_hits = 1192, untranslate_hits = 0
Info
Static translate 192.168.31.40/0 to 172.28.0.201/0 using netmask 255.255.255.255

Type - NAT Subtype - host-limits Action - ALLOW
Config
static (dev-dmz,outside) 172.28.0.201 access-list DELTA-NAT-DEV-IIS-01 nat-control match ip dev-dmz host 192.168.31.40 outside 10.178.16.224 255.255.255.240 static translation to 172.28.0.201 translate_hits = 0, untranslate_hits = 0

Type - VPN Subtype - encrypt Action - DROP

Do I understand this correctly: does that VPN drop mean that the traffic is failing to pass the crypto ACL?
0
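The two configurations in this thread (the original `nat 12 access-list` attempt in the question and the `static ... access-list` version above) behave differently because of the pre-8.3 ASA NAT order of operation: NAT exemption first, then static NAT (regular or policy, first match in configuration order), then policy dynamic NAT (`nat ID access-list`, first match), then regular dynamic NAT (best match). The NAT ID has no bearing on that precedence, so the existing `static (dev-dmz,outside) 99.99.99.99 192.168.31.40` wins over `nat (dev-dmz) 12 access-list ...` for every flow, which is why no xlate to 172.28.0.201 ever appeared. The script below is an added example, not code from the thread or from Cisco: it is a deliberately simplified model of that order, written here to make the precedence visible, and it then checks the post-NAT flow against crypto ACL 136, since the ASA evaluates the crypto ACL on the translated address. The config text is copied from the posts; the revised config assumes the original 99.99.99.99 static is still present and that the policy static precedes it; 203.0.113.10 is a constructed internet destination; `parse`, `translate` and `crypto_match` are this example's own names.

```python
"""Simplified model of the pre-8.3 Cisco ASA NAT order of operation
(NAT exemption > static > policy dynamic > regular dynamic), applied to the
configs in this thread.  Constructed example, not the ASA implementation:
interface ACLs, PAT port handling and connection limits are ignored."""
import ipaddress

# Config from the original question (the no-nat ACL body was not posted,
# so the exemption step never matches here, as on the page).
ORIGINAL = """
static (dev-dmz,outside) 99.99.99.99 192.168.31.40 netmask 255.255.255.255 tcp 0 10000
access-list NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.16.224 255.255.255.240
access-list NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.32.144 255.255.255.240
global (outside) 1 interface
global (outside) 12 172.28.0.201
nat (dev-dmz) 0 access-list no-nat-dev-dmz
nat (dev-dmz) 12 access-list NAT-DEV-IIS-01
nat (dev-dmz) 1 0.0.0.0 0.0.0.0
"""

# Config from the later comment; assumption: the 99.99.99.99 static is still
# present and the policy static is listed before it (statics are first-match).
REVISED = """
static (dev-dmz,outside) 172.28.0.201 access-list DELTA-NAT-DEV-IIS-01
static (dev-dmz,outside) 99.99.99.99 192.168.31.40 netmask 255.255.255.255 tcp 0 10000
access-list DELTA-NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.16.224 255.255.255.240
access-list DELTA-NAT-DEV-IIS-01 extended permit ip host 192.168.31.40 10.178.32.144 255.255.255.240
access-list 136 extended permit ip host 172.28.0.201 10.178.16.224 255.255.255.240
access-list 136 extended permit ip host 172.28.0.201 10.178.32.144 255.255.255.240
global (outside) 1 interface
nat (dev-dmz) 1 0.0.0.0 0.0.0.0
"""


def _addr(t):
    """Consume one 'host A' / 'A MASK' / 'any' spec; return (network, remaining tokens)."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/32"), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]


def parse(config):
    """Return (acls, statics, nats, globals) from a handful of 8.x NAT lines."""
    acls, statics, nats, glob = {}, [], [], {}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":      # access-list NAME extended ACTION PROTO SRC DST
            src, rest = _addr(t[5:])
            dst, _ = _addr(rest)
            acls.setdefault(t[1], []).append((t[3], t[4], src, dst))
        elif t[0] == "static":          # static (in,out) GLOBAL access-list ACL | GLOBAL LOCAL netmask M ...
            if t[3] == "access-list":
                statics.append(("policy", t[2], t[4]))
            else:
                statics.append(("regular", t[2], ipaddress.ip_network(f"{t[3]}/{t[5]}", strict=False)))
        elif t[0] == "nat":             # nat (in) ID access-list ACL | nat (in) ID NET MASK
            if t[3] == "access-list":
                nats.append((int(t[2]), "policy", t[4]))
            else:
                nats.append((int(t[2]), "regular", ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[0] == "global":          # global (out) ID interface|IP
            glob[int(t[2])] = t[3]
    return acls, statics, nats, glob


def _hits(acls, name, proto, src, dst):
    """First matching line of a NAT/policy ACL decides; an unknown ACL never matches."""
    for action, p, s, d in acls.get(name, []):
        if p in ("ip", proto) and src in s and dst in d:
            return action == "permit"
    return False


def translate(cfg, src, dst, proto="icmp"):
    """Translated source and the rule that produced it, in ASA 8.x precedence order."""
    acls, statics, nats, glob = cfg
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. NAT exemption (nat 0 access-list), in order
    for nid, kind, arg in nats:
        if nid == 0 and kind == "policy" and _hits(acls, arg, proto, src, dst):
            return str(src), f"nat 0 access-list {arg}"
    # 2. static NAT, policy or regular, first match in config order
    for kind, gbl, arg in statics:
        if kind == "policy" and _hits(acls, arg, proto, src, dst):
            return gbl, f"static {gbl} access-list {arg}"
        if kind == "regular" and src in arg:
            mapped = int(ipaddress.ip_address(gbl)) + (int(src) - int(arg.network_address))
            return str(ipaddress.ip_address(mapped)), f"static {gbl} {arg}"
    # 3. policy dynamic NAT (nat ID access-list) beats regular NAT whatever the ID
    for nid, kind, arg in nats:
        if nid and kind == "policy" and _hits(acls, arg, proto, src, dst):
            return glob.get(nid, "<no global>"), f"nat {nid} access-list {arg} -> global {nid}"
    # 4. regular dynamic NAT: best (longest) match
    best = [(arg.prefixlen, nid) for nid, kind, arg in nats if nid and kind == "regular" and src in arg]
    if best:
        nid = max(best)[1]
        return glob.get(nid, "<no global>"), f"nat {nid} -> global {nid}"
    return str(src), "no translation"


def crypto_match(cfg, acl, src, dst):
    """1-based index of the first crypto-ACL permit line covering the post-NAT flow, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, _, s, d) in enumerate(cfg[0].get(acl, []), 1):
        if action == "permit" and src in s and dst in d:
            return i
    return None


if __name__ == "__main__":
    for label, cfg in (("original", parse(ORIGINAL)), ("revised", parse(REVISED))):
        for dst in ("10.178.32.150", "203.0.113.10"):
            print(label, "192.168.31.40 ->", dst, translate(cfg, "192.168.31.40", dst))
    post_nat, _ = translate(parse(REVISED), "192.168.31.40", "10.178.32.150")
    print("crypto ACL 136 line hit for", post_nat, "->", crypto_match(parse(REVISED), "136", post_nat, "10.178.32.150"))
```

Running it shows the original config translating the VPN-bound flow to 99.99.99.99 via the regular static (step 2) before `nat 12` is ever consulted, and the revised config translating it to 172.28.0.201 while internet-bound traffic still gets 99.99.99.99. In the model, 172.28.0.201 to 10.178.32.150 matches line 2 of ACL 136, and the untranslated 192.168.31.40 matches nothing, so a crypto ACL written against the real address would never encrypt. Since the tracer reaches the VPN encrypt stage and the flow does match ACL 136, a local crypto-ACL miss does not explain the drop; with Phase 1 at MM_ACTIVE and no IPsec SA, the next things to check are the crypto map entry that binds ACL 136 to this peer and the Phase 2 negotiation itself (`show crypto ipsec sa`, `debug crypto ipsec`), where a proxy-identity or transform-set mismatch with the peer would show up.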
 
max_the_king commented:
Hi,
since you have NATed 192.168.31.40 to 172.28.0.201, you need to have an access-list for the packets on the way back. Assuming you have an access-list on the outside interface named "acc_list_out", you need to add:

access-list acc_list_out permit ip host 10.178.32.150 host 192.168.31.40

the above will allow communication between 192.168.31.40 and 10.178.32.150.

Should you want to extend this to other IPs, you need to add to / modify the access-list.

hope this helps
max
0