ASA Tunnel not hitting the correct NAT

Started by that1guy15, September 23, 2015, 10:02:09 AM


EOS


routerdork

"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

wintermute000

#2 is good to know.
As for #1, I'm not understanding something - I thought about NAT exemption, but in my mind, if you match the NAT exemption, you're... exempt. Hence no-nat, not even the default NAT.
If your NAT order was correct (as mentioned earlier), your static NAT should be hit before your default? (Or am I too used to post-8.3, where static is before dynamic?)

that1guy15

This is 8.0 code... Yeah, check the packet tracer and you can see it never hits the right NAT. Once they were added to the NAT exemption, Phase 8 showed up as NAT-EXEMPT, Phase 9 hit the proper NAT and Phase 10 was VPN.

Dude, this cut went rough. Really shows I am not very strong with ASA VPNs. First I was able to take an outage and pull down the old tunnel and set up the new one clean. But after dropping in the code, no dice. Do a debug and see the SPIs don't match on both sides. OK... Working with the other side, I was using a specific host when they were set up with a /28 for their side. So Phase 1 would complete but Phase 2 would terminate because there were no matching SPIs...

Cleaned that up and still no go. Other dude figured out I was setup for 3DES and he was AES. Corrected and we are MM_STATE and traffic is flowing.

I'd love to see how to catch that out of the debugs. I'm sure it's pretty clear when you get the logs. Debugs with IPSEC really are your best friend.

I'm gonna go drink now...
That1guy15
@that1guy_15
blog.movingonesandzeros.net
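The two phase 2 failures in the post (a host selector on one side against a /28 on the other, then 3DES against AES) are the kind of mismatch that only shows up once the debugs are read side by side. The checker below is an added example, not code from the thread or from Cisco; it models an IKEv1 quick mode proposal as a pair of traffic selectors plus an ESP transform and reports every reason the two sides cannot agree. The addresses are constructed, and the checker assumes the ASA's strict behaviour of requiring the two crypto ACLs to be exact mirror images (a narrower host inside the far side's /28 is still rejected).

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Phase2Proposal:
    """Constructed model of one peer's IKEv1 phase 2 (quick mode) proposal."""
    local_net: str    # the network this peer protects (its own side)
    remote_net: str   # the network it expects behind the far peer
    encryption: str   # ESP transform, e.g. "3des" or "aes-128"
    integrity: str    # ESP hash, e.g. "sha1"


def check_phase2(ours, theirs):
    """Return a list of reasons quick mode would fail between the two proposals.

    Mirror-image rule (assumed, modelling the ASA): our local selector must equal
    their remote selector and our remote selector must equal their local one.
    Transforms must match exactly; otherwise no SPI pair is ever created.
    """
    problems = []
    our_local = ipaddress.ip_network(ours.local_net)
    our_remote = ipaddress.ip_network(ours.remote_net)
    their_local = ipaddress.ip_network(theirs.local_net)
    their_remote = ipaddress.ip_network(theirs.remote_net)

    if our_local != their_remote:
        problems.append(
            f"proxy ID mismatch: we protect {our_local}, they expect {their_remote}")
    if our_remote != their_local:
        problems.append(
            f"proxy ID mismatch: we expect {our_remote}, they protect {their_local}")
    if ours.encryption.lower() != theirs.encryption.lower():
        problems.append(
            f"transform mismatch: encryption {ours.encryption} vs {theirs.encryption}")
    if ours.integrity.lower() != theirs.integrity.lower():
        problems.append(
            f"transform mismatch: integrity {ours.integrity} vs {theirs.integrity}")
    return problems


def thread_scenario():
    """Replay the three states from the post with constructed (RFC 5737) addresses."""
    # The far side: a /28 behind them, a single host behind us, AES-128/SHA1.
    theirs = Phase2Proposal("192.0.2.16/28", "198.51.100.10/32", "aes-128", "sha1")

    # Stage 1: we used one host (inside their /28) for their side, and 3DES.
    stage1 = Phase2Proposal("198.51.100.10/32", "192.0.2.20/32", "3des", "sha1")
    # Stage 2: selectors now mirrored, transform still 3DES.
    stage2 = Phase2Proposal("198.51.100.10/32", "192.0.2.16/28", "3des", "sha1")
    # Stage 3: both corrected; quick mode completes and traffic flows.
    stage3 = Phase2Proposal("198.51.100.10/32", "192.0.2.16/28", "aes-128", "sha1")

    return [check_phase2(stage, theirs) for stage in (stage1, stage2, stage3)]


if __name__ == "__main__":
    for number, problems in enumerate(thread_scenario(), start=1):
        print(f"stage {number}: {'OK' if not problems else problems}")
```

Running it prints two problems for the first stage, one for the second and none for the third, which is the same order the post worked through them: the selector mismatch has to be cleared before the transform mismatch becomes the only thing left in the debug.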

deanwebb

I love IPSEC debugs. Some of the best error messages are in those. My favorite is "paranoid keepalives."
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

that1guy15

Quote from: deanwebb on September 24, 2015, 06:31:26 PM
I love IPSEC debugs. Some of the best error messages are in those. My favorite is "paranoid keepalives."

I love all debugs. Some of my best CCIE study time was in the middle of debugs. I really wish I could run them in production more.

Also love me some packet captures.

That1guy15
@that1guy_15
blog.movingonesandzeros.net

NetworkGroover

Quote from: that1guy15 on September 24, 2015, 07:58:07 PM
Also love me some packet captures.

Amen. If there's one thing that I learned long before Cisco realized the importance of it and added it to the CCIE track... it's that I am extremely thankful for, though hated it at the time, working in tech support staring at packet captures all day. Learning Wireshark and how to analyze protocol communication and compare it with RFCs/other docs was probably one of the single most important skills I've ever learned.

It's amazing how something so simple can be so profound. An example was where a customer was claiming their web proxy was slowing down the network, which was partially true, but not the proxy's fault. What was the root issue? Slow/inconsistent DNS responses. I took a packet capture and created a simple I/O graph with a filter showing DNS requests and DNS responses... you could EASILY see over time the missed queries. Why? Narrowed it down to the fact they were using an old DNS record by hostname instead of IP addresses (which we at Websense always recommended IP addresses for a reason), and several IP addresses in that record were no longer functional.

Thank youuuuuuuuu Wireshark.
Engineer by day, DJ by night, family first always
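The I/O graph trick in the post (DNS requests versus DNS responses over time, with the gap between the two lines being the missed queries) can be reproduced outside Wireshark once the capture is exported as fields. The script below is an added example, not code from the thread or from Websense; it reads a constructed sample that mimics a `tshark -T fields` style export (time, source, destination, response flag, transaction ID, name), pairs each query with its response by client, server and transaction ID, buckets the counts the way the I/O graph would, and reports which resolver never answered. In the sample one of the two resolver addresses in the old record (10.0.0.54, constructed) is dead, which is the failure the post describes.

```python
from collections import defaultdict

# Constructed sample resembling a field export of DNS traffic:
# time  src  dst  is_response  txid  name
CAPTURE = """\
0.10 10.1.1.20 10.0.0.53 0 0x1a2b proxy.example.test
0.12 10.0.0.53 10.1.1.20 1 0x1a2b proxy.example.test
1.05 10.1.1.20 10.0.0.54 0 0x1a2c proxy.example.test
2.20 10.1.1.20 10.0.0.53 0 0x1a2d proxy.example.test
2.23 10.0.0.53 10.1.1.20 1 0x1a2d proxy.example.test
3.40 10.1.1.20 10.0.0.54 0 0x1a2e proxy.example.test
4.10 10.1.1.21 10.0.0.54 0 0x2001 proxy.example.test
5.00 10.1.1.21 10.0.0.53 0 0x2002 proxy.example.test
5.02 10.0.0.53 10.1.1.21 1 0x2002 proxy.example.test
"""


def parse_capture(text):
    """Turn the whitespace-separated export into a list of record dicts."""
    records = []
    for line in text.strip().splitlines():
        t, src, dst, resp, txid, name = line.split()
        records.append({"time": float(t), "src": src, "dst": dst,
                        "response": resp == "1", "txid": txid, "name": name})
    return records


def match_transactions(records):
    """Pair queries with responses; return (answered, unanswered).

    A query is keyed by (client, server, txid); the matching response has the
    same txid with source and destination swapped. Anything left pending at
    the end of the capture never got an answer.
    """
    pending = {}
    answered = []
    for r in sorted(records, key=lambda r: r["time"]):
        if not r["response"]:
            pending[(r["src"], r["dst"], r["txid"])] = r
            continue
        query = pending.pop((r["dst"], r["src"], r["txid"]), None)
        if query is None:
            continue  # response whose query was not captured; ignore it
        answered.append({**query, "rtt": r["time"] - query["time"]})
    return answered, list(pending.values())


def failures_by_server(unanswered):
    """Count unanswered queries per resolver address; a dead resolver stands out."""
    counts = defaultdict(int)
    for q in unanswered:
        counts[q["dst"]] += 1
    return dict(counts)


def io_graph(records, bucket=1.0):
    """Per time bucket: (queries, responses), the two lines of the I/O graph."""
    buckets = defaultdict(lambda: [0, 0])
    for r in records:
        buckets[int(r["time"] // bucket)][1 if r["response"] else 0] += 1
    return {b: tuple(v) for b, v in sorted(buckets.items())}


if __name__ == "__main__":
    recs = parse_capture(CAPTURE)
    answered, unanswered = match_transactions(recs)
    for b, (q, a) in io_graph(recs).items():
        print(f"t={b:>2}s  queries={q}  responses={a}  missed={q - a}")
    print("unanswered per resolver:", failures_by_server(unanswered))
```

Every bucket where the query count exceeds the response count is a visible gap on the graph, and the per-resolver tally turns that gap into a name: the same graph that "proves" the proxy is slow also shows that every missed lookup went to one address that no longer serves DNS.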

wintermute000

I'm still confused as to the NAT exemption. If you add something to NAT exemption, you are saying DO NOT NAT it. And it would show up in packet tracer.
How did adding the traffic you want to be NATed to the 'DO NOT NAT' list fix the issue?
And worse, how does your working traffic hit the NAT exemption, then hit another NAT rule after that?!??! confused....


that1guy15

nat (inside) 0 access-list inside_nat0_outbound


ACL is used to match traffic that should be excluded. I agree this seems very backwards. But this NAT is always checked first.
That1guy15
@that1guy_15
blog.movingonesandzeros.net

wintermute000

Yes, so if you add it to this line, your traffic is NOT NATed. It's the same pre and post 8.3, except in 8.3 it is defined explicitly, i.e. source same, dest same.

I thought you DID want to source NAT through your VPN?