I recently upgraded an ASA to 8.4. Since then the new NAT has decided to do some funky things, and I'm not sure how to sort this out...
I have a user on the inside who uses the Cisco VPN client to connect to a VPN server on the Interwebs. When this VPN is established, the external users who want to VPN into this site via the ASA cannot connect. The ASA thinks the inbound UDP 500 traffic is for the client on the inside of the network and is trying to "untranslate" the traffic, instead of recognizing that the traffic is destined for itself.
I have an outbound nat statement like so:
Code:
object network obj_any
nat (inside,outside) dynamic interface
The internal host has their VPN up
Code:
ciscoasa-hq(config)# sh conn | grep 192.168.101.21:
UDP outside 64.42.233.65:10000 inside 192.168.101.21:10000, idle 0:00:00, bytes 7209, flags -
UDP outside 64.42.233.65:500 inside 192.168.101.21:500, idle 0:00:10, bytes 4865, flags -
And here's a packet tracer showing the inbound traffic being routed to my internal host (and eventually dropped because of an ACL) instead of being processed by the ASA:
Code:
ciscoasa-hq# packet-tracer input outside udp 173.182.126.47 12345 216.123.238.126 500
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: dynamic
Result: ALLOW
Config:
object network obj_any
nat (inside,outside) dynamic interface
Additional Information:
NAT divert to egress interface inside
Untranslate 216.123.238.126/500 to 192.168.101.21/500
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended deny ip any any
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
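As an added diagnostic (not part of the original post): a small Python parser for the packet-tracer output format shown above that flags any UN-NAT phase diverting a packet addressed to the firewall's own outside IP on UDP 500/4500 to an inside host, which is exactly the symptom described here. The outside address 216.123.238.126 and the inside host come from the post; the function names and the trimmed sample text are my own assumptions.

```python
import re

# Constructed sample: the UN-NAT and ACL phases of the packet-tracer run quoted in the
# post above, trimmed (phase 1 and the trailing summary block omitted).
SAMPLE = """\
Phase: 2
Type: UN-NAT
Result: ALLOW
Config:
object network obj_any
nat (inside,outside) dynamic interface
Additional Information:
NAT divert to egress interface inside
Untranslate 216.123.238.126/500 to 192.168.101.21/500
Phase: 3
Type: ACCESS-LIST
Result: DROP
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

IKE_PORTS = {500, 4500}  # ISAKMP and NAT-T: ports the ASA itself listens on for VPN
UNTRANSLATE = re.compile(r"Untranslate (\S+)/(\d+) to (\S+)/(\d+)")

def parse_phases(text):
    """One dict per phase: first 'Key: value' header of each name wins,
    and every raw line of the phase is kept under 'lines'."""
    phases, cur = [], None
    for line in text.splitlines():
        if line.startswith("Phase:"):
            cur = {"lines": []}
            phases.append(cur)
        if cur is None:
            continue
        key, _, val = line.partition(":")
        cur.setdefault(key.strip(), val.strip())
        cur["lines"].append(line)
    return phases

def shadowed_ike_listeners(text, asa_outside_ip):
    """(phase, inside_host, port) for each UN-NAT phase that diverts a packet sent to the
    ASA's own outside IP on an IKE port to an inside host (PAT shadowing the VPN listener)."""
    hits = []
    for p in parse_phases(text):
        if p.get("Type") != "UN-NAT":
            continue
        for m in filter(None, map(UNTRANSLATE.search, p["lines"])):
            if m.group(1) == asa_outside_ip and int(m.group(2)) in IKE_PORTS:
                hits.append((p["Phase"], m.group(3), int(m.group(2))))
    return hits
```

Running `shadowed_ike_listeners(SAMPLE, "216.123.238.126")` on the sample returns the phase 2 divert to 192.168.101.21 on port 500; an empty list means packet-tracer shows the IKE packet reaching the ASA itself.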