jdsilva
Post Whore
Posts:
5347
Joined:
Mon Jan 17, 2005 11:01 pm
Certs:
CCNP

8.4 VPN/NAT problem

Thu Apr 26, 2012 1:21 pm

I recently upgraded an ASA to 8.4. Since then the new NAT has decided to do some funky things, and I'm not sure how to sort this out...

I have a user on the inside who uses the Cisco VPN client to connect to a VPN server on the Interwebs. When this VPN is established the external users who want to VPN into this site via the ASA cannot connect. The ASA thinks the inbound UDP 500 traffic is for the client on the inside of the network and is trying to "untranslate" the traffic, instead of recognizing that the traffic is destined for itself.

I have an outbound nat statement like so:

Code:
object network obj_any
 nat (inside,outside) dynamic interface


The internal host has their VPN up

Code:
ciscoasa-hq(config)# sh conn | grep 192.168.101.21:
UDP outside 64.42.233.65:10000 inside 192.168.101.21:10000, idle 0:00:00, bytes 7209, flags -
UDP outside 64.42.233.65:500 inside 192.168.101.21:500, idle 0:00:10, bytes 4865, flags -


And here's a packet tracer showing the inbound traffic being routed to my internal host (and eventually dropped because of an ACL) instead of being processed by the ASA

Code:
ciscoasa-hq#  packet-tracer input outside udp 173.182.126.47 12345 216.123.238.126 500

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: dynamic
Result: ALLOW
Config:
object network obj_any
 nat (inside,outside) dynamic interface
Additional Information:
NAT divert to egress interface inside
Untranslate 216.123.238.126/500 to 192.168.101.21/500

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended deny ip any any
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
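
As an added check, not something from the post or from Cisco, here is a small Python parser for packet-tracer output of the kind shown above. It walks the phases, and when the traced packet was addressed to one of the ASA's own interface addresses on UDP 500 or 4500 (the ports the ASA itself terminates for remote-access IPsec) but a UN-NAT phase diverted it to an inside host, it reports the diverting NAT rule. The sample trace is a constructed, trimmed copy of the output in the post; the set of interface addresses is an assumption you supply (216.123.238.126 is taken from the command line in the post). This is useful after any NAT change on an 8.3+ ASA: run packet-tracer for UDP 500 and 4500 to the outside address and confirm no UN-NAT phase claims the traffic.

```python
import re

# Constructed sample: the packet-tracer output quoted in the post above,
# trimmed to the lines the check needs.
SAMPLE_TRACE = """\
ciscoasa-hq#  packet-tracer input outside udp 173.182.126.47 12345 216.123.238.126 500

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: dynamic
Result: ALLOW
Config:
object network obj_any
 nat (inside,outside) dynamic interface
Additional Information:
NAT divert to egress interface inside
Untranslate 216.123.238.126/500 to 192.168.101.21/500

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended deny ip any any
Additional Information:

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# UDP ports the ASA terminates itself for IPsec remote access: ISAKMP and NAT-T.
VPN_TERMINATION_PORTS = {500, 4500}

CMD_RE = re.compile(r"packet-tracer input (\S+) (\w+) (\S+) (\d+) (\S+) (\d+)")
UNTRANSLATE_RE = re.compile(r"Untranslate (\S+)/(\d+) to (\S+)/(\d+)")


def parse_command(trace_text):
    """Return (in_iface, proto, src_ip, src_port, dst_ip, dst_port) from the
    echoed packet-tracer command line, or None if it is not present."""
    m = CMD_RE.search(trace_text)
    if not m:
        return None
    iface, proto, sip, sport, dip, dport = m.groups()
    return iface, proto, sip, int(sport), dip, int(dport)


def parse_phases(trace_text):
    """Split packet-tracer output into phase dicts with 'type', 'subtype',
    'result' and 'lines' (every line of the phase, in order)."""
    phases, current = [], None
    for line in trace_text.splitlines():
        if line.startswith("Phase:"):
            current = {"type": "", "subtype": "", "result": "", "lines": []}
            phases.append(current)
            continue
        if current is None:
            continue
        if line.strip() == "Result:":  # bare "Result:" opens the final summary block
            current = None
            continue
        current["lines"].append(line)
        key, _, value = line.partition(":")
        if key in ("Type", "Subtype", "Result"):
            current[key.lower()] = value.strip()
    return phases


def find_self_traffic_unnat(trace_text, interface_ips):
    """Flag a trace in which a packet sent to one of the ASA's own addresses on a
    VPN termination port was untranslated to an inside host by a NAT rule.
    interface_ips: the ASA's interface addresses (assumed input, strings).
    Returns a finding dict, or None when the trace looks normal."""
    cmd = parse_command(trace_text)
    if cmd is None:
        return None
    _, proto, _, _, dst_ip, dst_port = cmd
    if proto != "udp" or dst_ip not in interface_ips or dst_port not in VPN_TERMINATION_PORTS:
        return None
    for phase in parse_phases(trace_text):
        if phase["type"] != "UN-NAT":
            continue
        for line in phase["lines"]:
            m = UNTRANSLATE_RE.search(line)
            if m and m.group(1) == dst_ip and int(m.group(2)) == dst_port:
                return {
                    "phase_subtype": phase["subtype"],
                    "asa_address": f"{dst_ip}/{dst_port}",
                    "diverted_to": f"{m.group(3)}/{m.group(4)}",
                    # the NAT rule lines from the phase's Config section
                    "nat_config": [l.strip() for l in phase["lines"]
                                   if l.strip().startswith(("object", "nat "))],
                }
    return None


if __name__ == "__main__":
    print(find_self_traffic_unnat(SAMPLE_TRACE, {"216.123.238.126"}))
```

On the post's trace the check returns the dynamic interface PAT rule (`object network obj_any` / `nat (inside,outside) dynamic interface`) as the culprit, with 216.123.238.126/500 diverted to 192.168.101.21/500; on a healthy box the UN-NAT phase is absent for that packet and the function returns None.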

mlan
Ultimate Member
Posts:
792
Joined:
Thu Nov 17, 2011 6:09 pm

Re: 8.4 VPN/NAT problem

Thu Apr 26, 2012 1:59 pm

That is bizarre. I take it that dynamic interface NAT is the only option in this case? We have run into problems with the 8.4 changes to identity NAT and proxy-arp, but I don't think that applies here. I don't understand why the ASA is not recognizing the new connection as ipsec/isakmp on its own interface.

jdsilva
Post Whore
Posts:
5347
Joined:
Mon Jan 17, 2005 11:01 pm
Certs:
CCNP

Re: 8.4 VPN/NAT problem

Thu Apr 26, 2012 3:39 pm


ibarrere
Cisco Inferno
Posts:
10278
Joined:
Mon Jul 10, 2006 12:58 am

Re: 8.4 VPN/NAT problem

Thu Apr 26, 2012 7:28 pm

Weird problem indeed. I love the workaround. :lol:

jdsilva
Post Whore
Posts:
5347
Joined:
Mon Jan 17, 2005 11:01 pm
Certs:
CCNP

Re: 8.4 VPN/NAT problem

Thu Apr 26, 2012 7:40 pm

Actually that wasn't it. Close, but not quite. I think it is a bug though...

Mobile Post

mlan
Ultimate Member
Posts:
792
Joined:
Thu Nov 17, 2011 6:09 pm

Re: 8.4 VPN/NAT problem

Fri Apr 27, 2012 10:56 am

Infinite wrote: Actually that wasn't it. Close, but not quite. I think it is a bug though...

Mobile Post


I hope it's a bug, otherwise it's a really bad programming decision. Please post what you find.

jdsilva
Post Whore
Posts:
5347
Joined:
Mon Jan 17, 2005 11:01 pm
Certs:
CCNP

Re: 8.4 VPN/NAT problem

Tue May 22, 2012 9:13 am

TAC finally got me an answer. They say it's the bug I thought it was

http://tools.cisco.com/Support/BugToolK ... CSCtl74435

I've asked them why the 8.4(3) I'm running, that's newer than the supposed fixed versions, still has the problem.

jdsilva
Post Whore
Posts:
5347
Joined:
Mon Jan 17, 2005 11:01 pm
Certs:
CCNP

Re: 8.4 VPN/NAT problem

Mon May 28, 2012 2:35 pm

Hello Jason,

I hope you are doing fine.
In the link of the bug that I sent you, you may find the versions where this bug is fixed already, meaning that the bug will not appear there. Sometimes these changes apply to older versions; if there is no higher version, the best way to proceed perhaps will be doing a downgrade, but that of course depends on you and your customer.
On the other hand, you can apply the workaround for that bug on this ASA and that will fix the actual problem you may have. After that you may analyze the possibility of doing a downgrade, depending on your customer’s needs and requirements.

Please let me know if you have more questions or doubts.

Thank you very much and have a great day.

Best regards,

<TAC Technician name removed to protect the innocent>


Ok... So the "workaround" I put in is now the "fix" and if I want a real fix then I have to downgrade...
