ASA NAT Exemption

  • Post category: ASA / Cisco

The ASA's order of operations processes NAT before it determines whether a packet should be encrypted. In most deployments the ASA is configured with a Dynamic PAT (Auto NAT) rule that translates private IP addresses to the outside interface address for access to resources on the internet. That rule translates all traffic from inside to outside, and this includes VPN traffic unless the ASA is explicitly configured not to translate it.

To avoid VPN traffic being unintentionally translated, a NAT Exemption rule is required.

The ASA can be configured with a Twice NAT (Manual NAT) rule for NAT Exemption; this translates both the Source AND the Destination to themselves. In other words, the ORIGINAL SRC and TRANSLATED SRC are the same, AND the ORIGINAL DST and TRANSLATED DST are the same.

The ASA orders the NAT rules into the following sections:

  • Section 1 – Manual NAT
  • Section 2 – Auto NAT
  • Section 3 – Manual NAT (after auto)

Twice NAT rules are a type of Manual NAT rule, and Manual NAT rules are evaluated before Auto NAT rules. Defining the Twice NAT rule in Section 1 – Manual NAT therefore ensures that matching traffic is translated to itself and not processed further, so it cannot go on to match a Section 2 – Auto NAT (Dynamic PAT) rule.

The Problem

In this scenario an ASA is configured with a Dynamic PAT rule for internet access and a new Site-to-Site VPN to a remote branch site is configured (refer to this post for information on configuring an ASA IKEv2 Policy Based IPSec VPN). The HQ network(s) are 192.168.0.0/22 and the branch network(s) are 10.10.0.0/22. The VPN has been configured to encrypt all traffic between these networks.

The following Dynamic PAT rule is configured on the HQ ASA.

object network LOCAL
 subnet 192.168.0.0 255.255.252.0
 nat (INSIDE,OUTSIDE) dynamic interface

With the new VPN configured, attempting to communicate with the remote network at the branch from the local network behind the HQ ASA fails.

Running the command show crypto ipsec sa on the HQ ASA shows that no IPSec SAs have been established.

Running the command show conn detail reveals a connection that is attempting to be established. The flags saA show the state of the TCP handshake (s = awaiting outside SYN, a = awaiting outside ACK to SYN, A = awaiting inside ACK to SYN).

Running the command show xlate, the output below confirms that the source port (36346) matches the connection in the connection table above and that the traffic has been translated behind the outside interface. The translated traffic will therefore not match the crypto ACL and will not be encrypted; instead it is routed via the outside interface and dropped, as the destination 10.10.0.1 is not routable over the internet.

Run packet-tracer from the CLI of the ASA to simulate the traffic flow from the local network to the remote VPN network, as defined in the crypto ACL as interesting traffic. In the output below, notice in Phase 2 (NAT) that the traffic was translated by the Dynamic PAT rule behind the ASA OUTSIDE interface IP address of 1.1.1.1. As observed, while the local ASA has a Dynamic PAT rule that is unintentionally translating the traffic, the VPN will not be established.

If the remote peer initiates the VPN (assuming the configuration is correct), the VPN will be established; however, with the Dynamic PAT rule in place the local ASA will not return the traffic. Observe the output of show crypto ipsec sa from the local (HQ) ASA: the ASA is decrypting inbound traffic but is not encrypting the outbound traffic. This is a good indication that the local traffic is being unintentionally translated.

Resolution

To exempt traffic over the VPN tunnel from being unintentionally translated by the Dynamic PAT rule, network objects and a Twice NAT rule must be configured. Define objects for the LOCAL (HQ) and REMOTE (Branch) networks.

object network LOCAL
 subnet 192.168.0.0 255.255.252.0
object network REMOTE
 subnet 10.10.0.0 255.255.252.0

Create a Twice NAT (Manual NAT) rule from inside (HQ) to outside (branch).

nat (INSIDE,OUTSIDE) source static LOCAL LOCAL destination static REMOTE REMOTE

With the NAT Exemption rule in place, test connectivity over the VPN; this should now work.

Run the command show nat detail; from the output below we can observe that the NAT Exemption rule has been placed in NAT Section 1, and confirm that it is being hit from its translate/untranslate hit counters.

Traffic with a source of 192.168.0.0/22 that does not match the destination of 10.10.0.0/22 (the REMOTE network) will not match NAT Section 1 and will therefore match NAT Section 2 and be translated behind the ASA's OUTSIDE interface.
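As an added illustration (not code from the original post, and not an ASA feature), the following Python models the first-match evaluation across NAT Section 1 (Manual/Twice NAT) and Section 2 (Auto NAT) described above, followed by the crypto ACL check that the ASA performs after NAT. It uses the post's LOCAL and REMOTE networks and the OUTSIDE address 1.1.1.1 from the packet-tracer discussion; the inside host 192.168.0.10 and the internet destination 8.8.8.8 are constructed sample values. Running it shows the exact failure mode of the post (VPN traffic PAT'd to 1.1.1.1, so it no longer matches the crypto ACL), the fix (the identity Twice NAT rule wins in Section 1), and that non-VPN traffic still falls through to the Dynamic PAT rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed values for the walk-through (addresses taken from the post's scenario).
OUTSIDE_IP = "1.1.1.1"          # OUTSIDE interface address used by the Dynamic PAT rule
LOCAL_NET = "192.168.0.0/22"    # HQ network (object LOCAL)
REMOTE_NET = "10.10.0.0/22"     # Branch network (object REMOTE)

# Crypto ACL: interesting traffic is LOCAL -> REMOTE, checked AFTER NAT on the ASA.
CRYPTO_ACL = [(LOCAL_NET, REMOTE_NET)]


def _in(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def static_map(addr: str, orig_net: str, mapped_net: str) -> str:
    """Static net-to-net translation: keep the host offset, swap the prefix.
    When orig_net == mapped_net this is the identity, i.e. a NAT exemption."""
    offset = int(ipaddress.ip_address(addr)) - int(ipaddress.ip_network(orig_net).network_address)
    return str(ipaddress.ip_network(mapped_net).network_address + offset)


@dataclass
class TwiceNatRule:
    """Section 1 (Manual NAT): matches on source AND destination.
    Models: nat (INSIDE,OUTSIDE) source static A A' destination static B B'"""
    orig_src: str
    mapped_src: str
    orig_dst: str
    mapped_dst: str

    def matches(self, src: str, dst: str) -> bool:
        return _in(src, self.orig_src) and _in(dst, self.orig_dst)

    def translate(self, src: str, dst: str) -> Tuple[str, str]:
        return (static_map(src, self.orig_src, self.mapped_src),
                static_map(dst, self.orig_dst, self.mapped_dst))


@dataclass
class AutoNatRule:
    """Section 2 (Auto/Object NAT): dynamic PAT of a source object to the interface.
    Models: object network LOCAL / nat (INSIDE,OUTSIDE) dynamic interface"""
    orig_src: str

    def matches(self, src: str, dst: str) -> bool:
        return _in(src, self.orig_src)          # source-only match; destination is ignored

    def translate(self, src: str, dst: str) -> Tuple[str, str]:
        return OUTSIDE_IP, dst                  # PAT rewrites the source only


def apply_nat(src: str, dst: str, section1: List[TwiceNatRule],
              section2: List[AutoNatRule]) -> Tuple[str, str, Optional[int]]:
    """First match wins, in ASA order: Section 1 is evaluated before Section 2.
    Returns (translated_src, translated_dst, section_hit); section_hit is None if no rule matched."""
    for section_no, rules in ((1, section1), (2, section2)):
        for rule in rules:
            if rule.matches(src, dst):
                tsrc, tdst = rule.translate(src, dst)
                return tsrc, tdst, section_no
    return src, dst, None


def matches_crypto_acl(src: str, dst: str) -> bool:
    return any(_in(src, s) and _in(dst, d) for s, d in CRYPTO_ACL)


def evaluate(src: str, dst: str, with_exemption: bool) -> dict:
    """Walk one packet through NAT, then the crypto ACL check (the ASA order of operations)."""
    # The exemption rule translates LOCAL to LOCAL and REMOTE to REMOTE (identity).
    section1 = [TwiceNatRule(LOCAL_NET, LOCAL_NET, REMOTE_NET, REMOTE_NET)] if with_exemption else []
    section2 = [AutoNatRule(LOCAL_NET)]
    tsrc, tdst, hit = apply_nat(src, dst, section1, section2)
    return {"src": tsrc, "dst": tdst, "section": hit, "encrypted": matches_crypto_acl(tsrc, tdst)}


if __name__ == "__main__":
    for exempt in (False, True):
        for dst in ("10.10.0.1", "8.8.8.8"):
            print(f"exemption={exempt} dst={dst}: {evaluate('192.168.0.10', dst, exempt)}")
```

The `static_map` helper generalises beyond the identity case: with different original and mapped networks it performs the static net-to-net translation a Twice NAT rule would, which is why the same function serves both a real translation and a NAT exemption.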

From the output of the command show crypto ipsec sa we can observe that the encaps and decaps counters are both increasing, indicating that traffic is being encrypted and decrypted.