Route lookup won't work; it needs to be used in static NAT.

Do you have any other NAT statement configured?

Sam


Sent from Samsung Mobile

-------- Original message --------
From: Joe Astorino <[email protected]> 
Date: 20/06/2013  07:01  (GMT+05:30) 
To: OSL Security <[email protected]> 
Subject: Re: [OSL | CCIE_Security] 8.4 VPN Hairpin 
 
Anybody? Really interested to know the answer. I have read everything I can 
find on the topic.

Sent from my iPhone

On Jun 19, 2013, at 9:42 AM, Joe Astorino <[email protected]> wrote:

So another NAT question with 8.4 code.  Say you have RA VPN configured such 
that the VPN pool is 192.168.50.0/24.  You wish to configure hairpinning so 
that VPN users can access the internet off the ASA.  

I figured, hey... I need to PAT for inside --> outside, DMZ --> outside, as well 
as VPN outside --> outside, so why not use "any" and be super efficient!?

object network obj_any
 nat (any,outside) dynamic interface

When connected to VPN and attempting to ping an internet address, this fails due 
to rpf-check on the packet-tracer output. Packet tracer shows these steps:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
 nat (any,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.50.50/0 to 50.198.34.193/52258

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
 nat (any,outside) dynamic interface
Additional Information:


I suppose what this is saying is that the nat (any,outside) bit would probably 
get hit again for the return traffic, thus trying to PAT the return traffic to 
the outside interface.

If I do this it works:

object network obj_any
 nat (inside,outside) dynamic interface
!
object network obj-192.168.50.0
 nat (outside,outside) dynamic interface


I know this works, but I don't understand why the first option doesn't work.  
With the first configuration I expect:

- packet comes in from the VPN on the outside interface and will be hairpin 
routed back out the same interface

- The nat (any,outside) rule matches as the ingress interface "any" should 
match the outside
- dynamic PAT is done such that the source is translated to the outside 
interface IP
- xlate is created

- When the return traffic comes back, it should see the xlate table and 
translate things back.  

So I guess it comes down to the return traffic. Why would the return traffic 
hit the nat (any,outside) rule and not just be unnatted going back to where it 
came from based on the xlate table?

Thanks for any help



-- 
Regards,

Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan
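As an added example (not part of this thread, and not a Cisco tool): a small Python parser for packet-tracer output of the kind Joe pasted. It splits the output into phases, finds the first DROP, and pulls the real/mapped interface pair out of the NAT rule in that phase's Config section, which is the first thing you want when triaging an rpf-check drop. The sample text is constructed from the two phases quoted above; the comment about what the warning flags reflects the thread's own reading of the failure, not a statement about ASA internals.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two NAT phases quoted in the thread, in the
# multi-line "Key: value" layout packet-tracer prints on ASA 8.4.
SAMPLE_OUTPUT = """\
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
 nat (any,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.50.50/0 to 50.198.34.193/52258

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
 nat (any,outside) dynamic interface
Additional Information:
"""

# Keys whose value sits on the same line; "Config:" and
# "Additional Information:" are followed by free-form lines instead.
SINGLE_LINE_KEYS = ("Phase", "Type", "Subtype", "Result")
MULTI_LINE_KEYS = ("Config", "Additional Information")

# Matches "nat (real,mapped)" and captures both interface names.
NAT_RULE_RE = re.compile(r"nat\s*\((?P<real>[^,]+),(?P<mapped>[^)]+)\)")


def parse_phases(text: str) -> List[Dict[str, object]]:
    """Split packet-tracer output into one dict per "Phase:" block."""
    phases: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    section: Optional[str] = None  # multi-line key currently being filled

    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Phase:"):
            current = {"Phase": int(line.split(":", 1)[1].strip()),
                       "Config": [], "Additional Information": []}
            phases.append(current)
            section = None
            continue
        if current is None or not line:
            continue
        key, sep, value = line.partition(":")
        if sep and key in SINGLE_LINE_KEYS:
            current[key] = value.strip()
            section = None
        elif sep and key in MULTI_LINE_KEYS and value.strip() == "":
            section = key
        elif section is not None:
            # Config lines and translation details keep their leading
            # indentation, which is how the ASA prints sub-commands.
            current[section].append(line)
    return phases


def first_drop(phases: List[Dict[str, object]]) -> Optional[Dict[str, object]]:
    """Return the first phase whose Result is DROP, or None if all ALLOW."""
    for phase in phases:
        if phase.get("Result") == "DROP":
            return phase
    return None


def nat_interfaces(phase: Dict[str, object]) -> Optional[Tuple[str, str]]:
    """Extract the (real, mapped) interface pair from a NAT phase's Config."""
    for line in phase["Config"]:
        match = NAT_RULE_RE.search(line)
        if match:
            return match.group("real").strip(), match.group("mapped").strip()
    return None


def triage(text: str) -> Dict[str, object]:
    """Summarise a packet-tracer run: verdict, dropping phase, NAT rule."""
    phases = parse_phases(text)
    drop = first_drop(phases)
    if drop is None:
        return {"verdict": "ALLOW", "phase": None}
    result: Dict[str, object] = {
        "verdict": "DROP",
        "phase": drop["Phase"],
        "type": drop.get("Type"),
        "subtype": drop.get("Subtype"),
    }
    if drop.get("Type") == "NAT":
        rule = nat_interfaces(drop)
        result["nat_rule"] = rule
        # Flag the pattern the thread reports as failing: a dynamic rule with
        # real interface "any" dropped at the NAT rpf-check on hairpin traffic.
        result["hairpin_any_warning"] = (
            rule is not None and rule[0] == "any"
            and drop.get("Subtype") == "rpf-check")
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_OUTPUT))
```

Paste a full `packet-tracer input outside icmp ...` capture into `triage()` and it reports the phase number and rule that dropped the flow; on the sample above it points at phase 9, the rpf-check on `nat (any,outside)`.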