For your second obj-192..., what is the second line effectively for that object? Subnet 192.....?

If so, it has the same effect as a nonat. The first one (in,out) is like a dynamic PAT overload. I didn't respond earlier as I didn't see the full detail, but since you called it out, I'll stick my neck out there. ;)

Regards,
Jay McMickle- 2x CCIE #35355 (R/S,Sec)

Sent from my iPhone 5

On Jun 19, 2013, at 8:31 PM, Joe Astorino <[email protected]> wrote:

> Anybody? Really interested to know the answer. I have read everything I can find on the topic.
>
> Sent from my iPhone
>
> On Jun 19, 2013, at 9:42 AM, Joe Astorino <[email protected]> wrote:
>
>> So another NAT question with 8.4 code. Say you have RA VPN configured such that the VPN pool is 192.168.50.0/24. You wish to configure hairpinning so that VPN users can access the internet off the ASA.
>>
>> I figured hey...I need to PAT for inside --> outside, DMZ --> outside as well as VPN outside --> outside so why not use "any" and be super efficient!??
>>
>> object network obj_any
>> nat (any,outside) dynamic interface
>>
>> When connected to VPN and attempting to ping an internet address this fails due to rpf-check on the packet-tracer output. Packet tracer shows these steps:
>>
>> Phase: 8
>> Type: NAT
>> Subtype:
>> Result: ALLOW
>> Config:
>> object network obj_any
>> nat (any,outside) dynamic interface
>> Additional Information:
>> Dynamic translate 192.168.50.50/0 to 50.198.34.193/52258
>>
>> Phase: 9
>> Type: NAT
>> Subtype: rpf-check
>> Result: DROP
>> Config:
>> object network obj_any
>> nat (any,outside) dynamic interface
>> Additional Information:
>>
>> I suppose what this is saying is that the nat (any,outside) bit would probably get hit again for the return traffic, thus trying to PAT the return traffic to the outside interface.
>>
>> If I do this it works:
>>
>> object network obj_any
>> nat (inside,outside) dynamic interface
>> !
>> object network obj-192.168.50.0
>> nat (outside,outside) dynamic interface
>>
>> I know this works, but I don't understand why the first option doesn't work. With the first configuration I expect:
>>
>> - packet comes in from the VPN on the outside interface and will be hairpin routed back out the same interface
>> - The nat (any,outside) rule matches as the ingress interface "any" should match the outside
>> - dynamic PAT is done such that the source is translated to the outside interface IP
>> - xlate is created
>> - When the return traffic comes back, it should see the xlate table and translate things back.
>>
>> So I guess it comes down to the return traffic. Why would the return traffic hit the nat (any,outside) rule and not just be unnatted going back to where it came from based on the xlate table?
>>
>> Thanks for any help
>>
>> --
>> Regards,
>>
>> Joe Astorino
>> CCIE #24347
>> http://astorinonetworks.com
>>
>> "He not busy being born is busy dying" - Dylan
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
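For readers following the thread, here is the working variant (separate inside-to-outside and outside-to-outside PAT rules) written out as a complete ASA 8.4 object-NAT hairpin configuration. This is an added example, not either poster's actual config: the object names and the 192.168.50.0/24 VPN pool come from the thread, while the interface names, the 0.0.0.0/0 subnet under obj_any and the intra-interface permit line are assumptions about the rest of the box.

```text
! Assumed: hairpinning needs traffic to enter and leave the same interface,
! which the ASA blocks by default; this command permits it.
same-security-traffic permit intra-interface
!
! Inside hosts: dynamic PAT to the outside interface address.
! Assumed subnet line (0.0.0.0/0 is what an "obj_any" object normally carries).
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!
! VPN pool: a separate (outside,outside) rule so hairpinned VPN traffic is
! matched by a rule whose real and mapped interfaces are both "outside",
! instead of the broad (any,outside) rule that fails the rpf-check above.
object network obj-192.168.50.0
 subnet 192.168.50.0 255.255.255.0
 nat (outside,outside) dynamic interface
```

When verifying, run packet-tracer for a VPN pool source (for example 192.168.50.50) entering on outside toward an internet address and confirm the NAT phase shows the obj-192.168.50.0 rule and no rpf-check DROP; then repeat with an inside source to confirm it still hits obj_any.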
