Feb 8, 2013

NAT Exemption for intra-interface traffic

Two remote sites, A and B, each have an IPsec L2L tunnel to the HQ ASA. Remote users reach the Web through their tunnel (hairpinned on the HQ ASA's outside interface) and the two sites also talk to each other through HQ, so that traffic enters and leaves the ASA on the same interface.

The HQ ASA has dynamic PAT rules (pre-8.3 nat/global syntax) that translate traffic from the remote site subnets to the outside interface address before sending it to the Web. Because that traffic arrives and departs on the outside interface, the ASA is also configured to permit intra-interface traffic:


nat (outside) 1 10.2.2.0 255.255.255.0
nat (outside) 1 10.3.3.0 255.255.255.0
nat (inside) 1 0 0
global (outside) 1 interface
same-security-traffic permit intra-interface


For traffic between two different interfaces, for example from the higher-security inside interface to the lower-security outside interface (outbound traffic), a single ACE is enough: the exemption is applied to the forward flow and the return flow is matched in reverse by the same rule, so no separate rule for the returning traffic is needed:

Source: 172.16.1.0/24 (inside)
Destination: 10.2.2.0/24 (outside)

access-list inside-nonat permit ip 172.16.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list inside-nonat

However, when source and destination are both reached through the same interface (here the two remote sites, both via outside), you need one ACE per direction. With only the first ACE, the ASA's reverse-path check evaluates the return flow (10.3.3.0/24 to 10.2.2.0/24, leaving through outside) as a flow of its own, and that flow matches the dynamic PAT rule nat (outside) 1 10.3.3.0 255.255.255.0 instead of the exemption, so the connection is dropped:


access-list outside-nonat permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list outside-nonat permit ip 10.3.3.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (outside) 0 access-list outside-nonat

If the second ACE is missing from outside-nonat, the ASA logs the following:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.2.2.2 dst outside:10.3.3.2 (type 8, code 0) denied due to NAT reverse path failure

packet-tracer shows where the drop happens: the exemption matches the forward flow (Phase 7), but the rpf-check in Phase 10 evaluates the reverse flow against the dynamic PAT rule for 10.3.3.0/24 and drops the connection:

ASA# packet-tracer input outside icmp 10.2.2.2 8 0 10.3.3.2 det
[...]
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip outside 10.2.2.0 255.255.255.0 outside 10.3.3.0 255.255.255.0
    NAT exempt
    translate_hits = 6, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x33d8428, priority=6, domain=nat-exempt, deny=false
        hits=5, user_data=0x33d8388, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=10.2.2.0, mask=255.255.255.0, port=0
        dst ip=10.3.3.0, mask=255.255.255.0, port=0, dscp=0x0
[...]
Phase: 10
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (outside) 1 10.3.3.0 255.255.255.0
  match ip outside 10.3.3.0 255.255.255.0 outside any
    dynamic translation to pool 1 (192.0.2.1 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x33d8a60, priority=1, domain=nat-reverse, deny=false
        hits=5, user_data=0x33d8870, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.3.3.0, mask=255.255.255.0, port=0, dscp=0x0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

With the second ACE in place, the connection is built and torn down normally:


%ASA-6-302020: Built inbound ICMP connection for faddr 10.2.2.2/6 gaddr 10.3.3.2/0 laddr 10.3.3.2/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.2.2.2/6 gaddr 10.3.3.2/0 laddr 10.3.3.2/0
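The one-way outside-nonat ACL above and the %ASA-5-305013 message it produces can be tied together in a small triage script. The following Python is an added example, not code from the original post or from Cisco: it parses the pre-8.3 "nat (ifc) 0 access-list" and "access-list ... permit ip" lines of a config together with one 305013 syslog line and, when the message reports an intra-interface flow, returns the ACE line(s) that are missing for the reverse direction. The config text and the syslog line embedded in it are constructed to mirror the scenario on this page; the function names, the restriction to "permit ip net mask net mask" ACEs, and the placeholder ACL name used when no exemption exists on the interface are my assumptions.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample config in the pre-8.3 nat/global syntax used on this page,
# with the second (reverse) ACE of outside-nonat deliberately left out.
CONFIG_MISSING_MIRROR = """\
nat (outside) 1 10.2.2.0 255.255.255.0
nat (outside) 1 10.3.3.0 255.255.255.0
nat (inside) 1 0 0
global (outside) 1 interface
same-security-traffic permit intra-interface
access-list inside-nonat permit ip 172.16.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list inside-nonat
access-list outside-nonat permit ip 10.2.2.0 255.255.255.0 10.3.3.0 255.255.255.0
nat (outside) 0 access-list outside-nonat
"""

# Constructed syslog line in the %ASA-5-305013 format quoted above.
RPF_FAILURE_LINE = (
    "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for icmp src outside:10.2.2.2 dst outside:10.3.3.2 (type 8, code 0) "
    "denied due to NAT reverse path failure"
)

ACE_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
RPF_RE = re.compile(
    r"%ASA-\d-305013:.*?src ([^\s:]+):([\d.]+) dst ([^\s:]+):([\d.]+).*?NAT reverse path failure"
)


def parse_rpf_failure(line):
    """Return (src_ifc, src_ip, dst_ifc, dst_ip) from a 305013 message, else None."""
    m = RPF_RE.search(line)
    if not m:
        return None
    src_ifc, src, dst_ifc, dst = m.groups()
    return src_ifc, IPv4Address(src), dst_ifc, IPv4Address(dst)


def exempt_acls(config):
    """Map interface -> (acl name, [(src_net, dst_net), ...]) for every
    'nat (ifc) 0 access-list' rule. Only 'permit ip net mask net mask' ACEs are parsed."""
    aces, exempt = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            name, s, sm, d, dm = m.groups()
            # IPv4Network accepts the ASA's "address netmask" pair as "address/netmask"
            aces.setdefault(name, []).append((IPv4Network(f"{s}/{sm}"), IPv4Network(f"{d}/{dm}")))
            continue
        m = NAT0_RE.match(line)
        if m:
            exempt[m.group(1)] = m.group(2)
    return {ifc: (name, aces.get(name, [])) for ifc, name in exempt.items()}


def ace_line(acl, src_net, dst_net):
    """Render one exemption ACE in the page's ACL syntax."""
    return (f"access-list {acl} permit ip {src_net.network_address} {src_net.netmask} "
            f"{dst_net.network_address} {dst_net.netmask}")


def missing_exempt_aces(config, syslog_line):
    """Given a config and one syslog line, return the ACE lines needed so that both
    directions of an intra-interface flow are exempt from NAT. Returns [] when the
    line is not a 305013, the interfaces differ, or the config already covers it."""
    parsed = parse_rpf_failure(syslog_line)
    if parsed is None:
        return []
    src_ifc, src, dst_ifc, dst = parsed
    if src_ifc != dst_ifc:  # the symmetry requirement on this page is an intra-interface matter
        return []
    host_s, host_d = IPv4Network(f"{src}/32"), IPv4Network(f"{dst}/32")
    acl = exempt_acls(config).get(src_ifc)
    if acl is None:
        # No exemption on that interface at all: propose one (the ACL name is a placeholder)
        name = f"{src_ifc}-nonat"
        return [ace_line(name, host_s, host_d), ace_line(name, host_d, host_s),
                f"nat ({src_ifc}) 0 access-list {name}"]
    name, aces = acl
    if any(dst in s and src in d for s, d in aces):
        return []  # reverse flow is already exempt: this 305013 has another cause
    forward = [(s, d) for s, d in aces if src in s and dst in d]
    lines = []
    if not forward:  # neither direction exempt: add the forward host pair as well
        forward = [(host_s, host_d)]
        lines.append(ace_line(name, host_s, host_d))
    # mirror every forward ACE that covers this flow
    return lines + [ace_line(name, d, s) for s, d in forward]


if __name__ == "__main__":
    for ace in missing_exempt_aces(CONFIG_MISSING_MIRROR, RPF_FAILURE_LINE):
        print(ace)
```

Run against the constructed config and log line, the script prints exactly the second ACE the post adds (access-list outside-nonat permit ip 10.3.3.0 255.255.255.0 10.2.2.0 255.255.255.0); once that line is in the config it prints nothing, and a 305013 whose src and dst interfaces differ is ignored because a single ACE is sufficient there.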
