Both sites A and B have IPsec L2L tunnels to HQ ASA. Remote users send traffic to the Web through the VPN tunnels and also communicate with each other.
HQ ASA has dynamic PAT rules to translate traffic coming from remote sites using the outside interface IP address before routing the traffic to the Web. It is also configured to allow intra-interface traffic:
nat (outside) 1 10.2.2.0 255.255.255.0
nat (outside) 1 10.3.3.0 255.255.255.0
nat (inside) 1 0 0
global (outside) 1 interface
same-security-traffic permit intra-interface
For traffic going from a higher security level interface to a lower one (outbound traffic), a single ACE is enough; you don't need a separate rule to exempt the returning traffic from NAT:
Source: 172.16.1.0/24 (inside)
Destination: 10.2.2.0/24 (outside)
access-list inside-nonat permit ip 172.16.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list inside-nonat
However, if both the source and the destination sit behind the same interface (hairpinned traffic), you need two ACEs, one for each direction; otherwise the returning traffic would miss the exemption and match the dynamic PAT rule instead:
access-list outside-nonat permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list outside-nonat permit ip 10.3.3.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (outside) 0 access-list outside-nonat
If the second ACE is missing from the outside nonat ACL, the following message is logged:
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.2.2.2 dst outside:10.3.3.2 (type 8, code 0) denied due to NAT reverse path failure
ASA# packet-tracer input outside icmp 10.2.2.2 8 0 10.3.3.2 det
[...]
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip outside 10.2.2.0 255.255.255.0 outside 10.3.3.0 255.255.255.0
NAT exempt
translate_hits = 6, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x33d8428, priority=6, domain=nat-exempt, deny=false
hits=5, user_data=0x33d8388, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=10.2.2.0, mask=255.255.255.0, port=0
dst ip=10.3.3.0, mask=255.255.255.0, port=0, dscp=0x0
[...]
Phase: 10
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (outside) 1 10.3.3.0 255.255.255.0
match ip outside 10.3.3.0 255.255.255.0 outside any
dynamic translation to pool 1 (192.0.2.1 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0x33d8a60, priority=1, domain=nat-reverse, deny=false
hits=5, user_data=0x33d8870, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.3.3.0, mask=255.255.255.0, port=0, dscp=0x0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Once the second ACE is in place, the connection is built normally:
%ASA-6-302020: Built inbound ICMP connection for faddr 10.2.2.2/6 gaddr 10.3.3.2/0 laddr 10.3.3.2/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.2.2.2/6 gaddr 10.3.3.2/0 laddr 10.3.3.2/0
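To make the failure mode above concrete, here is an added Python example (not part of the original post) that models the ASA's NAT lookup order for a hairpinned flow: the nat 0 exemption ACL is consulted first, then the numbered dynamic PAT rules. It classifies the forward and reverse flows separately, which is exactly what the rpf-check in Phase 10 does, flags the asymmetry that produces %ASA-5-305013, and lists the mirror ACEs that are missing from the nonat ACL. The config text and the syslog line are constructed samples modelled on the post, with the second ACE deliberately left out; the function names and the simplified rule matching (first match, same ingress interface for both directions) are this example's own assumptions, not ASA code.

```python
import ipaddress
import re

# Constructed sample config, modelled on the rules in the post, with the second
# (reverse) ACE of outside-nonat deliberately left out to reproduce the failure.
CONFIG = """
access-list outside-nonat permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0
nat (outside) 0 access-list outside-nonat
nat (outside) 1 10.2.2.0 255.255.255.0
nat (outside) 1 10.3.3.0 255.255.255.0
global (outside) 1 interface
"""

# Constructed log line in the format of the %ASA-5-305013 message from the post.
SAMPLE_LOG = ("%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse "
              "flows; Connection for icmp src outside:10.2.2.2 dst outside:10.3.3.2 "
              "(type 8, code 0) denied due to NAT reverse path failure")

ACE_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
NATN_RE = re.compile(r"^nat \((\S+)\) ([1-9]\d*) (\S+) (\S+)$")
LOG_RE = re.compile(r"%ASA-5-305013: .*?src (\w+):(\S+) dst (\w+):(\S+)")


def net(addr, mask):
    """Build a network object from the 'address mask' pair used in ASA syntax."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Return (aces, exempt, dynamic): ACL entries, nat 0 bindings, dynamic NAT rules."""
    aces, exempt, dynamic = {}, {}, []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            name, s, sm, d, dm = m.groups()
            aces.setdefault(name, []).append((net(s, sm), net(d, dm)))
        elif m := NAT0_RE.match(line):
            exempt[m.group(1)] = m.group(2)
        elif m := NATN_RE.match(line):
            iface, nat_id, a, am = m.groups()
            dynamic.append((iface, int(nat_id), net(a, am)))
    return aces, exempt, dynamic


def classify(iface, src, dst, aces, exempt, dynamic):
    """Which NAT rule a flow entering `iface` hits: nat 0 (exemption) is checked
    first, then the numbered dynamic rules, mirroring the ASA lookup order."""
    for s_net, d_net in aces.get(exempt.get(iface), []):
        if src in s_net and dst in d_net:
            return "exempt"
    for d_iface, _, d_net in dynamic:
        if d_iface == iface and src in d_net:
            return "pat"
    return "none"


def check_flow(iface, src, dst, cfg):
    """Classify the forward and reverse flows of a hairpinned connection; the
    ASA rpf-check drops the connection when they disagree (what 305013 reports)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    fwd = classify(iface, src, dst, *cfg)
    rev = classify(iface, dst, src, *cfg)
    return {"forward": fwd, "reverse": rev, "symmetric": fwd == rev}


def missing_reverse_aces(acl_name, aces):
    """ACEs (as src, dst pairs) whose mirror image is absent from the same ACL."""
    entries = aces.get(acl_name, [])
    present = set(entries)
    return [(d, s) for s, d in entries if s != d and (d, s) not in present]


def parse_305013(line):
    """Pull interfaces and endpoints out of an asymmetric-NAT syslog message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src_if": m.group(1), "src": m.group(2),
            "dst_if": m.group(3), "dst": m.group(4)}


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    ev = parse_305013(SAMPLE_LOG)
    print(check_flow(ev["src_if"], ev["src"], ev["dst"], cfg))
    # Print the ACEs that would make the exemption symmetric again.
    for s, d in missing_reverse_aces("outside-nonat", cfg[0]):
        print(f"access-list outside-nonat permit ip {s.network_address} {s.netmask} "
              f"{d.network_address} {d.netmask}")
```

Run as-is, the script reports the forward flow as exempt and the reverse flow as PAT (symmetric: False) for the 10.2.2.2 to 10.3.3.2 echo request, and prints the missing 10.3.3.0/24 to 10.2.2.0/24 ACE; appending that ACE to the config makes both directions exempt. The same checker can be pointed at a 305013 line from a real syslog feed to turn the message into an actionable config fix.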
Comments:
no reply, help me!!
can you please help me?
grt