ASA Tunnel not hitting the correct NAT

Started by that1guy15, September 23, 2015, 10:02:09 AM


that1guy15

crypto map outside_map 37 match address outside_37_cryptomap
crypto map outside_map 37 set peer <Peer IP>
crypto map outside_map 37 set transform-set ESP-3DES-SHA
crypto map outside_map 37 set security-association lifetime seconds 28800
crypto map outside_map 37 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

tunnel-group <Peer IP> type ipsec-l2l
tunnel-group <Peer IP> ipsec-attributes
pre-shared-key *

access-list outside_37_cryptomap extended permit ip object-group INTERNAL-SERVERS object-group REMOTE-SERVERS
access-list outside_37_cryptomap extended permit ip object-group INTERNAL-SERVERS-1 object-group REMOTE-SERVERS


NAT config is listed above. IPs and names are changed to protect the guilty.
That1guy15
@that1guy_15
blog.movingonesandzeros.net

routerdork

Looking at your config above, which is pretty much identical to how we do our tunnels, the only difference is how we do our NAT. What is your NAT trying to accomplish? Is it just using one NAT statement to allow access for each tunnel? Also, what code are you running?

nat (INSIDE,OUTSIDE) source static insert_source_object_group insert_source_object_group destination static insert_destination_object_group insert_destination_object_group route-lookup

So the equivalent to yours would be...
nat (inside,outside) source static INTERNAL-SERVERS INTERNAL-SERVERS destination static REMOTE-SERVERS REMOTE-SERVERS route-lookup
nat (inside,outside) source static INTERNAL-SERVERS-1 INTERNAL-SERVERS-1 destination static REMOTE-SERVERS REMOTE-SERVERS route-lookup
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

that1guy15

Code is old. 8.0...

We have a reserved range for NATed traffic for vendor tunnels. So it's just basically there so we don't overlap with their space. These servers just do a 1-to-1 for all vendors.

deanwebb

Quote from: that1guy15 on September 23, 2015, 05:46:08 PM
Code is old. 8.0...

We have a reserved range for NATed traffic for vendor tunnels. So it's just basically there so we don't overlap with their space. These servers just do a 1-to-1 for all vendors.

Please upgrade so as to avoid major security fail. Thank you.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

My ASA-fu is weak now but I am curious about this and can't see anything obvious so please keep us in the loop!
I'd just TAC it TBH - throw the show run and packet tracer at them.

that1guy15

Yeah, pretty much said the same thing when I took over these firewalls. I got denied multiple times because they don't see just reason for a possible outage. The cut to 8.3 looks like a nightmare for these guys as they have not been administered well....
I have now been approved to replace them Q1 next year, so they would rather wait till then to take an outage and are fine with them as-is...

Gotta love it!!

that1guy15

Quote from: wintermute000 on September 23, 2015, 08:20:55 PM
My ASA-fu is weak now but I am curious about this and can't see anything obvious so please keep us in the loop!
I'd just TAC it TBH - throw the show run and packet tracer at them.

Yup. TAC call will be first thing in the morning. Figured I'd give you guys first crack.

Thanks for the help so far!!

deanwebb

Quote from: that1guy15 on September 23, 2015, 08:27:09 PM
Quote from: wintermute000 on September 23, 2015, 08:20:55 PM
My ASA-fu is weak now but I am curious about this and can't see anything obvious so please keep us in the loop!
I'd just TAC it TBH - throw the show run and packet tracer at them.

Yup. TAC call will be first thing in the morning. Figured I'd give you guys first crack.

Thanks for the help so far!!
If TAC says to upgrade the code...

:haha1:

that1guy15

Ah yeah, dude. I HATE calling TAC on these guys. It's their easy out on everything and they dig in and call it a day.

"What, the PSU is on fire? Yeah, you are running old code. Upgrade to 9.x and then we can help disable the fire."

wintermute000

Back to basics

Checking what you are trying to accomplish. What's the exact parameter to obtain the packet tracer output?

From my reading of it:

Traffic FROM inside interface TO outside interface
FROM GROUPA TO xxx.xxx.xxx.142
NAT source IP i.e. GROUPA to 10.19.176.25

and then your crypto map ACL 37 is supposed to match interesting traffic which is (due to order of operations) 10.19.176.25 to xxx.xxx.xxx.142?

And this works for the first 2 lines of access-list inside_nat_static_20, just not the new one?

static (inside,outside) 10.19.176.25 access-list inside_nat_static_20

access-list inside_nat_static_20 extended permit ip host GROUPA host xxx.xxx.xxx.119
access-list inside_nat_static_20 extended permit ip host GROUPA host xxx.xxx.xxx.110
access-list inside_nat_static_20 extended permit ip host GROUPA host xxx.xxx.xxx.142 <---this line is what I added

EOS

I'd be curious to see a packet-tracer from the one that works, then compare it to the one that doesn't.

that1guy15

@wintermute000

That is correct. To clarify, the NAT statement is called by the original tunnel for the original two entries and is still functioning. The new tunnel calls the same NAT statement but only for the new entry.

routerdork

So the reason I asked about code... back in the 8.1/8.2 days I ran into a bug where a change on a tunnel caused it to no longer put traffic across the tunnel until the ASA was reloaded  :barf:

deanwebb

Quote from: routerdork on September 24, 2015, 08:49:31 AM
So the reason I asked about code... back in the 8.1/8.2 days I ran into a bug where a change on a tunnel caused it to no longer put traffic across the tunnel until the ASA was reloaded  :barf:

Might want to give that a try, even though they're outage-averse.

that1guy15

TAC picked it up pretty quick. It's mostly me being stupid with how ASAs do tunnels.

Two things:

1) NAT Exemption was not in place for the new traffic flow so the default NAT was being used. I was under the impression the default NAT was checked last after everything. But I guess it goes first. OK...

2) It was mentioned earlier in the thread. Interesting traffic being matched via ACL overlapped with the original tunnel so it would not stand up the new tunnel. I assumed since it matched different ACEs of the ACL it would differentiate between the two. I assumed wrong.

So working with the other end I have two options to move forward. Update the original tunnel with a secondary tunnel destination and have them kill the old tunnel on their end, or remove the old tunnel completely on my side and stand up the new tunnel.

It looks like that1guy needs to spend some time and get a lot more familiar with the ASA line.   :doh: :wall:
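The second finding above (overlapping interesting-traffic ACLs shadowing the new crypto map entry) can be reproduced offline. The following is an added example, not configuration from the thread: it models the ASA's sequence-ordered, first-match crypto map lookup with constructed peer names and RFC 5737 / private addresses standing in for INTERNAL-SERVERS, INTERNAL-SERVERS-1 and REMOTE-SERVERS, and includes a small lint that reports which later entries can never be reached.

```python
# Added example (not from the thread): first-match crypto map evaluation and an
# overlap lint. All names and prefixes below are constructed stand-ins.
import ipaddress
from typing import NamedTuple


class Ace(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def ace(src: str, dst: str) -> Ace:
    return Ace(ipaddress.ip_network(src), ipaddress.ip_network(dst))


# Constructed crypto map: entry 37 (original peer) already permits
# INTERNAL-SERVERS-1 -> REMOTE-SERVERS; entry 38 (new peer) uses the same flow.
CRYPTO_MAP = [
    (37, "PEER-A", [ace("10.1.1.0/24", "192.0.2.0/24"),    # INTERNAL-SERVERS -> REMOTE
                    ace("10.1.2.0/24", "192.0.2.0/24")]),  # INTERNAL-SERVERS-1 -> REMOTE
    (38, "PEER-B", [ace("10.1.2.0/24", "192.0.2.0/24")]),  # new tunnel, overlapping ACE
]


def select_peer(src_ip: str, dst_ip: str):
    """Return (seq, peer) of the first entry, in sequence order, whose ACL
    permits the flow; the ASA never looks at later entries for that flow."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, peer, acl in sorted(CRYPTO_MAP, key=lambda e: e[0]):
        if any(s in a.src and d in a.dst for a in acl):
            return seq, peer
    return None  # no crypto match: traffic leaves in the clear (or is NATed/dropped)


def overlaps(a: Ace, b: Ace) -> bool:
    return a.src.overlaps(b.src) and a.dst.overlaps(b.dst)


def shadowed_entries(crypto_map):
    """Lint: list (earlier_seq, later_seq, ace) where an ACE of a later entry
    overlaps an ACE of an earlier entry bound to a different peer. Flows in
    that overlap always go to the earlier peer, so the later tunnel never
    comes up for them (the symptom reported in the thread)."""
    entries = sorted(crypto_map, key=lambda e: e[0])
    hits = []
    for i, (seq_hi, peer_hi, acl_hi) in enumerate(entries):
        for seq_lo, peer_lo, acl_lo in entries[:i]:
            if peer_lo == peer_hi:
                continue
            for a in acl_hi:
                if any(overlaps(a, b) for b in acl_lo):
                    hits.append((seq_lo, seq_hi, a))
    return hits
```

Running `shadowed_entries(CRYPTO_MAP)` on the constructed map reports entry 38 as shadowed by 37, and `select_peer` shows a host in the INTERNAL-SERVERS-1 range always lands on PEER-A.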