This was the part that I was missing in my config. You then have the option to specifically define that you would like to change that and use route lookup. In routed mode with an optional interface configured, with 8.4.2 or higher, if you configure identity NAT for VPN access, default behavior will be for ASA to use NAT configuration in egress interface search. It is not always found using routing table lookup as you might think but sometimes, in some particular cases, it uses NAT rule. Issue with this configuration is in that Cisco changed how ASA determines egress interface of a packet. My NAT rule (identity NAT) that is basically saying to translate VPN pool addresses to themselves when going back into VPN tunnel, was configured like this: nat (inside,outside) source static LAN LAN destination static VPN_POOL VPN_POOL
The thing that I didn’t know was the change in traffic forwarding and egress interface search process that was changed in ASA after 8.3.1 version and then once more in 8.4.2 I, of course, configured management access inside: management-access insideĪnd also same configuration that enables traffic forwarding between interfaces with same security level number: same-security-traffic permit intra-interface I wasn’t able to connect with SSH nor with ASDM. When connected remotely using Cisco An圜onnect I was able to access all devices inside the network (inside ASA firewall), but not the ASA itself. This is what I found out about ASA packet processing.Ĭonfiguration was really straightforward and everything worked fine except one thing. It seems that all those stories about changes in the NAT logic after that version were true.
I was implementing a new ASA Firewall solution, first time for me with software newer than version 8.4.2
0 kommentar(er)
