Thanks everybody for the feedback. I understand what's happening now.
On Thu, Jun 20, 2013 at 12:33 AM, Samarth Chidanand <[email protected]> wrote:

> Yeah... you got that right, Mike. Best to have specific Auto NATs to avoid
> asymmetric matches/RPF failures.
>
> Samarth Chidanand
> Vice President of Technical Training – IPexpert India Inc
> CCIE #18535 (R&S, Security)
> CCSI #34585
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Mike Rojas
> *Sent:* Thursday, June 20, 2013 8:59 AM
> *To:* Joe Astorino; [email protected]
> *Subject:* Re: [OSL | CCIE_Security] 8.4 VPN Hairpin
>
> Joe;
>
> (Stupid Outlook, sorry for the previous e-mail)
>
> object network obj_any
>  nat (any,outside) dynamic interface
>
> Let's say that the VPN client goes out being NATted to the interface IP;
> everything is good, BUT the reply packet from the source on the Internet
> will ALSO try to hit the same NAT because the object contains "any".
>
> With this object
>
> object network obj-192.168.50.0
>  nat (outside,outside) dynamic interface
>
> you are saying: ONLY if the VPN subnet is coming in on the outside, NAT the
> host to the interface. The reply from the Internet won't hit this because
> you are defining the VPN subnet on the object, hence it won't be NATted and
> no RPF check should occur.
>
> It's the same error as in 8.2, remember "Asymmetric NAT rules match for
> reverse and forward flows", because you will try to reach an IP and then the
> reply, since the first object contains any, will try to NAT the Internet IP
> as well, returning the RPF.
>
> Hope it helps.
>
> Mike
> ------------------------------
>
> From: [email protected]
> Date: Wed, 19 Jun 2013 21:31:17 -0400
> To: [email protected]
> Subject: Re: [OSL | CCIE_Security] 8.4 VPN Hairpin
>
> Anybody? Really interested to know the answer. I have read everything I
> can find on the topic.
>
> Sent from my iPhone
>
> On Jun 19, 2013, at 9:42 AM, Joe Astorino <[email protected]> wrote:
>
> So another NAT question with 8.4 code. Say you have RA VPN configured
> such that the VPN pool is 192.168.50.0/24. You wish to configure
> hairpinning so that VPN users can access the Internet off the ASA.
>
> I figured hey... I need to PAT for inside --> outside, DMZ --> outside as
> well as VPN outside --> outside, so why not use "any" and be super
> efficient!?
>
> object network obj_any
>  nat (any,outside) dynamic interface
>
> When connected to VPN and attempting to ping an Internet address this
> fails due to rpf-check in the packet-tracer output. Packet tracer shows
> these steps:
>
> Phase: 8
> Type: NAT
> Subtype:
> Result: ALLOW
> Config:
> object network obj_any
>  nat (any,outside) dynamic interface
> Additional Information:
> Dynamic translate 192.168.50.50/0 to 50.198.34.193/52258
>
> Phase: 9
> Type: NAT
> Subtype: rpf-check
> Result: DROP
> Config:
> object network obj_any
>  nat (any,outside) dynamic interface
> Additional Information:
>
> I suppose what this is saying is that the nat (any,outside) bit would
> probably get hit again for the return traffic, thus trying to PAT the
> return traffic to the outside interface.
>
> If I do this it works:
>
> object network obj_any
>  nat (inside,outside) dynamic interface
> !
> object network obj-192.168.50.0
>  nat (outside,outside) dynamic interface
>
> I know this works, but I don't understand why the first option doesn't
> work. With the first configuration I expect:
>
> - packet comes in from the VPN on the outside interface and will be
>   hairpin routed back out the same interface
> - the nat (any,outside) rule matches, as the ingress interface "any" should
>   match the outside
> - dynamic PAT is done such that the source is translated to the outside
>   interface IP
> - xlate is created
> - when the return traffic comes back, it should see the xlate table and
>   translate things back
>
> So I guess it comes down to the return traffic. Why would the return
> traffic hit the nat (any,outside) rule and not just be un-NATted going back
> to where it came from based on the xlate table?
>
> Thanks for any help
>
> --
> Regards,
>
> Joe Astorino
> CCIE #24347
> http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit
> www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com

--
Regards,

Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
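Editor's added example, not configuration posted by anyone in the thread: the failing and the working Auto NAT from Joe's post placed side by side as a full ASA 8.4 fragment, together with the hairpin prerequisite (same-security-traffic permit intra-interface, which the thread assumes but never shows) and the packet-tracer check used to reproduce the rpf-check drop. The inside subnet 10.1.1.0/24 and the Internet destination 8.8.8.8 are assumptions; the VPN pool 192.168.50.0/24 and the test source 192.168.50.50 are from the post.

```text
! Hairpin prerequisite: VPN traffic enters and leaves the same interface
same-security-traffic permit intra-interface

! --- Failing form (from the post): "any" as the real interface ---
! The hairpinned VPN flow is translated (packet-tracer phase "NAT ... ALLOW"),
! but the next phase "NAT, Subtype: rpf-check" returns DROP.
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (any,outside) dynamic interface

! --- Working form (from the post): one rule per real interface ---
object network obj_inside
 subnet 10.1.1.0 255.255.255.0          ! assumed inside subnet
 nat (inside,outside) dynamic interface
object network obj-192.168.50.0
 subnet 192.168.50.0 255.255.255.0      ! the RA VPN pool
 nat (outside,outside) dynamic interface

! --- Check: simulate a VPN client pinging an Internet host (8.8.8.8 assumed)
! as it arrives on the outside interface; look at the rpf-check phase.
packet-tracer input outside icmp 192.168.50.50 8 0 8.8.8.8

! After a real ping from the client, confirm the PAT entry exists
show xlate | include 192.168.50.50
```

Apply only one of the two NAT forms at a time; with both present the obj_any rule still exists and the trace will show whichever rule the packet matches first in the NAT table.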
