Yeah. You got that right, Mike. Best to have specific Auto NATs to avoid
asymmetric matches/RPF failures.

Samarth Chidanand

Vice President of Technical Training - IPexpert India Inc

CCIE #18535 (R&S, Security)

CCSI #34585

From: [email protected]
[mailto:[email protected]] On Behalf Of Mike Rojas
Sent: Thursday, June 20, 2013 8:59 AM
To: Joe Astorino; [email protected]
Subject: Re: [OSL | CCIE_Security] 8.4 VPN Hairpin

Joe,

(Stupid Outlook, sorry for the previous e-mail)

object network obj_any
 nat (any,outside) dynamic interface

Let's say that the VPN client goes out being NATed to the interface IP;
everything is good, BUT the reply packet from the source on the internet
will ALSO try to hit the same NAT, because the object contains "any" in it.

With this object

object network obj-192.168.50.0
 nat (outside,outside) dynamic interface

You are saying: ONLY if the VPN subnet is coming in on the outside, NAT the
host to the interface IP. The reply from the internet won't hit this because
you are defining the VPN subnet in the object, hence it won't be NATed and no
RPF check should occur.

It's the same error as in 8.2, remember "Asymmetric NAT rules match for
reverse and forward flows": you will try to reach an IP and then the reply,
since the first object contains "any", will try to NAT the internet IP as
well, returning the RPF error.

Hope it helps. 

Mike 

  _____  

From: [email protected]
Date: Wed, 19 Jun 2013 21:31:17 -0400
To: [email protected]
Subject: Re: [OSL | CCIE_Security] 8.4 VPN Hairpin

Anybody? Really interested to know the answer. I have read everything I can
find on the topic.


Sent from my iPhone


On Jun 19, 2013, at 9:42 AM, Joe Astorino <[email protected]> wrote:

So another NAT question with 8.4 code.  Say you have RA VPN configured such
that the VPN pool is 192.168.50.0/24.  You wish to configure hairpinning so
that VPN users can access the internet off the ASA.  

I figured, hey... I need to PAT for inside --> outside, DMZ --> outside as
well as VPN outside --> outside, so why not use "any" and be super
efficient!?

object network obj_any
 nat (any,outside) dynamic interface

When connected to VPN and attempting to ping an internet address, this fails
due to rpf-check in the packet-tracer output.  Packet tracer shows these
steps:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
 nat (any,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.50.50/0 to 50.198.34.193/52258

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
 nat (any,outside) dynamic interface
Additional Information:


I suppose what this is saying is that the nat (any,outside) bit would
probably get hit again for the return traffic, thus trying to PAT the return
traffic to the outside interface.

If I do this it works:

object network obj_any
 nat (inside,outside) dynamic interface
!

object network obj-192.168.50.0
 nat (outside,outside) dynamic interface



I know this works, but I don't understand why the first option doesn't work.
With the first configuration I expect:

- packet comes in from the VPN on the outside interface and will be hairpin
routed back out the same interface

- The nat (any,outside) rule matches as the ingress interface "any" should
match the outside

- dynamic PAT is done such that the source is translated to the outside
interface IP

- xlate is created

- When the return traffic comes back, it should see the xlate table and
translate things back.  

So I guess it comes down to the return traffic.  Why would the return
traffic hit the nat (any,outside) rule and not just be un-NATed going back
to where it came from based on the xlate table?

Thanks for any help

-- 
Regards,

Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan
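Gathering the thread's conclusion into one complete 8.4 hairpin configuration, as an added example rather than config posted by Joe, Mike or Samarth. Only the 192.168.50.0/24 pool, the two object names and the (any,outside) versus (outside,outside) rules come from the thread; the interface names inside/dmz/outside, the 10.1.1.0/24 and 10.2.2.0/24 subnets, the group-policy name GP-RA-VPN and the 203.0.113.10 test destination are assumptions. The identity (twice NAT) rule for inside <-> VPN pool and the tunnelall split-tunnel policy are not discussed in the thread but are needed for the same setup to work end to end.

```cisco
! --- What fails: one catch-all Auto NAT rule (the rule from the thread) ---
! Ingress "any" also matches the hairpinned reply (outside -> outside), so the
! internet host's source address is itself a candidate for PAT and packet-tracer
! drops the flow at the rpf-check phase ("Asymmetric NAT rules match for
! reverse and forward flows" in 8.2 terms).
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (any,outside) dynamic interface

! --- What works: one interface-specific Auto NAT rule per source network ---
! Hairpinning requires traffic to enter and leave the same interface.
same-security-traffic permit intra-interface

! VPN address pool (from the thread). Matching only the pool on
! (outside,outside) means the reply from the internet, whose source is not in
! 192.168.50.0/24, never matches this rule, so forward and reverse lookups agree.
object network obj-192.168.50.0
 subnet 192.168.50.0 255.255.255.0
 nat (outside,outside) dynamic interface

! Assumed internal networks; each gets its own (ifc,outside) PAT instead of "any".
object network obj-inside
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network obj-dmz
 subnet 10.2.2.0 255.255.255.0
 nat (dmz,outside) dynamic interface

! Not covered in the thread but needed alongside the rules above: keep
! inside <-> VPN pool traffic untranslated. Twice NAT (section 1) is evaluated
! before the Auto NAT rules, otherwise obj-inside's PAT would rewrite inside
! hosts when they talk to VPN clients and trigger the same rpf-check drop.
nat (inside,outside) source static obj-inside obj-inside destination static obj-192.168.50.0 obj-192.168.50.0

! Clients must send internet traffic through the tunnel for the hairpin to be
! used at all (assumed group-policy name).
group-policy GP-RA-VPN attributes
 split-tunnel-policy tunnelall

! --- Checks ---
! Replay a VPN client ping to an assumed internet host, as Joe did. With the
! rules above the NAT phase should show 192.168.50.50 translated to the outside
! interface IP by obj-192.168.50.0, and there should be no rpf-check DROP phase.
packet-tracer input outside icmp 192.168.50.50 8 0 203.0.113.10
! Confirm which rule the flow hit (hit counts) and that an xlate was built.
show nat detail
show xlate
```

If the packet-tracer still ends in an rpf-check DROP after this change, look for any remaining rule with ingress "any" that lists a network covering the internet destination; the rule shown under "Config:" in the DROP phase is the one whose reverse-flow match is asymmetric.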


_______________________________________________ For more information
regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
