hurricane2k3

NAT issues

Mon Nov 21, 2016 5:19 am

Hi all, first time poster.

I'm setting up a new network in a new building and have come across a bit of an issue. The firewall in question is a Cisco ASA 5516x version 9.6.

I've set up a site-to-site VPN with the client's firewall and I can access the remote subnets and vice versa. However, with the site-to-site VPN connected and the NAT exemption rule in place, I'm unable to access some websites, for example Google, YouTube and BBC, but Facebook, Twitter and Bing all load without any issues. Below are 2 links from running packet tracer, one to Facebook that works and the other to Google that fails.

Having checked further back in the packet tracer, Facebook is hitting my standard NAT rule and sending the traffic correctly out the outside interface. However, the websites that don't work, like Google, are hitting the NAT rule for the VPN and sending traffic down the VPN, which is then getting dropped when it hits the other side of the VPN.

I have 1 static route set up:

0.0.0.0 0.0.0.0 194.x.x.x


And these are the only 2 NAT rules configured:

nat (any,any) source static inside-subnet inside-subnet destination static DataCenter DataCenter no-proxy-arp
nat (any,outside) source dynamic inside-subnet interface


If any more info is needed I can provide it, and if anyone can help it will be greatly appreciated.

Thanks

hubertzw

Re: NAT issues

Thu Dec 22, 2016 5:44 pm

Hi,

Can you show the encryption domain of that VPN, because in the 2nd example the packet is dropped by VPN, no NAT.

Hubert
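
An offline check for the two things raised in this thread, which NAT rule a destination hits first and whether that destination is also inside the VPN's encryption domain. This is an added example, not code from either poster: the object contents and crypto ACL are constructed placeholders (the thread does not show them), and the model only does ordered first-match on the two rules' source and destination, ignoring interfaces and route lookup.

```python
import ipaddress

# Constructed sample data: the thread does not show the real object contents
# or crypto ACL, so documentation/private ranges stand in for them.
OBJECTS = {
    "inside-subnet": ["10.10.0.0/24"],
    # Second entry is a deliberately stray range that is not in the crypto ACL.
    "DataCenter": ["172.16.0.0/16", "198.51.100.0/24"],
}
# Hypothetical encryption domain (crypto ACL) as (source, destination) pairs.
CRYPTO_ACL = [("10.10.0.0/24", "172.16.0.0/16")]
# The two NAT rules in configured order; dst None means "any destination".
NAT_RULES = [
    {"name": "vpn-exempt", "src": "inside-subnet", "dst": "DataCenter"},
    {"name": "dynamic-pat", "src": "inside-subnet", "dst": None},
]

def in_nets(ip, nets):
    """True if ip falls inside any of the given CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def first_nat_match(src, dst):
    """Return the name of the first rule whose source and destination match."""
    for rule in NAT_RULES:
        if not in_nets(src, OBJECTS[rule["src"]]):
            continue
        if rule["dst"] is None or in_nets(dst, OBJECTS[rule["dst"]]):
            return rule["name"]
    return None

def in_encryption_domain(src, dst):
    return any(in_nets(src, [s]) and in_nets(dst, [d]) for s, d in CRYPTO_ACL)

def diagnose(src, dst):
    """Classify a flow: tunnelled, PAT to the internet, or a NAT/crypto mismatch."""
    rule = first_nat_match(src, dst)
    if rule == "vpn-exempt":
        if in_encryption_domain(src, dst):
            return "vpn"
        return "exempt-but-outside-encryption-domain"
    if rule == "dynamic-pat":
        return "internet-pat"
    return "no-nat-match"

if __name__ == "__main__":
    for dst in ("172.16.1.10", "198.51.100.20", "203.0.113.9"):
        print(dst, diagnose("10.10.0.5", dst))
```

Replace the constructed ranges with the real `DataCenter` object members and crypto ACL entries, then feed in the resolved addresses of the sites that fail; any result of `exempt-but-outside-encryption-domain` points at a destination object that is broader than the tunnel definition.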
