Can someone explain why the first NAT config below gives me an "asymmetric NAT rules" (RPF) error for the connection to "VPN1" while the second (no "any" in the Manual NAT) makes the automatic NAT actually work?
Automatic NAT (section 2) not working ("asymmetric NAT"):
nat (Transit,Internet) source dynamic FW1 interface
!
object network FW1
host 172.1.2.3
object network VPN1
nat (Main,Internet) static interface service udp 1194 1195
!
...
This seems to work ok: (explicit destination set for manual NAT in section 1)
nat (Transit,Internet) source dynamic FW1 interface destination static DM_INLINE_NETWORK_51 DM_INLINE_NETWORK_51
!
object network FW1
host 172.1.2.3
object network VPN1
nat (Main,Internet) static interface service udp 1194 1195
!
...
Why does this make a difference for the NAT of VPN1? I don't get it. There are different (source) interfaces involved, different source addresses obviously, so why would one prevent the other from working?
Best Answer
The difference between your two Manual NAT statements is that one of them also looks for a match on the destination (or source on return or outside-originated traffic).
If you convert your NAT statements to a 'layman' explanation, it will make more sense.
For example:
When the ASA finds traffic on the Transit interface that matches a source of FW1, send it to the Internet interface and change the source dynamically to the interface IP of the Internet interface.
When the ASA finds traffic on the Transit interface that matches a source of FW1 and a destination of DM_INLINE_NETWORK_51, send it to the Internet interface and change the source dynamically to the interface IP of the Internet interface and change the destination statically to DM_INLINE_NETWORK_51.
The difference is crucial:
The second NAT statement only matches when FW1 is speaking to DM_INLINE_NETWORK_51. The first NAT statement matches any time FW1 is speaking.
As a result, all your inbound traffic (i.e. crossing interfaces Internet to Transit) will have return traffic that matches your first NAT statement. Hence, the NAT is asymmetric -- the configuration treats the traffic coming inbound differently than it does on its way out (insofar as NAT).
Remember, this is a Dynamic NAT (also known as a PAT), which by definition can only be unidirectional. Traffic will flow from inside to outside (or Transit to Internet) but not the other way around.