Monday, February 18, 2013

Cisco ASA: Problem With Return NAT Traffic Across VPN

I found this problem very interesting today. Take a look at the packet captures below. The first capture image is traffic going across a VPN to a test remote site. The second capture image is traffic coming back to the main site. We were NAT'ing this traffic to a public IP address, sending from an internal IP of 10.15.1.46. Notice that when the ICMP packet returns, it is destined back to a different address (10.15.1.6). It's very interesting.
Packet going across to remote site:

Traffic coming back across the VPN to the main site:

So, what caused this? Well, I thought it was some NAT issue, but as it turns out, I needed to add a statement under the global policy:
policy-map global_policy
 class inspection_default
  inspect icmp

Once I put the 'inspect icmp' command in, the return ICMP traffic was NAT'd back correctly. Interestingly, the regular data traffic was being NAT'd appropriately all along; only the ICMP traffic was affected.
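To see why stateful ICMP inspection matters for the return path, here is a small Python model added to this post (not Cisco ASA code): a toy PAT firewall that either tracks each echo request by ICMP identifier and sequence number, as 'inspect icmp' does, or falls back to an address-only lookup. The outside address, the remote host, and the fallback rule that hands untracked replies to 10.15.1.6 are constructed to reproduce the symptom, not a description of the ASA's internals.

```python
# Added example (not Cisco ASA code): a toy PAT firewall for ICMP echo, with and
# without stateful ICMP inspection. The outside address, the remote host and the
# fallback rule that hands untracked replies to 10.15.1.6 are constructed.
from dataclasses import dataclass
from typing import Optional

OUTSIDE_IP = "203.0.113.10"  # constructed public address both inside hosts share
REMOTE_HOST = "192.0.2.25"   # constructed host at the remote VPN site

@dataclass(frozen=True)
class Echo:
    src: str
    dst: str
    icmp_id: int
    seq: int
    reply: bool = False

class ToyFirewall:
    def __init__(self, inspect_icmp: bool) -> None:
        self.inspect_icmp = inspect_icmp
        # Kept only with inspection: (outside addr, ICMP id) -> (inside host, seq)
        self.icmp_conns: dict[tuple[str, int], tuple[str, int]] = {}
        # Constructed stateless fallback for replies with no connection entry
        self.fallback_xlate = {OUTSIDE_IP: "10.15.1.6"}

    def outbound(self, pkt: Echo) -> Echo:
        """Translate the inside source to OUTSIDE_IP; record the request if inspecting."""
        if self.inspect_icmp:
            self.icmp_conns[(OUTSIDE_IP, pkt.icmp_id)] = (pkt.src, pkt.seq)
        return Echo(OUTSIDE_IP, pkt.dst, pkt.icmp_id, pkt.seq)

    def inbound(self, pkt: Echo) -> Optional[Echo]:
        """Un-translate a reply. Inspection matches id and seq and allows one reply only."""
        if self.inspect_icmp:
            entry = self.icmp_conns.get((pkt.dst, pkt.icmp_id))
            if entry is None or entry[1] != pkt.seq:
                return None  # no matching outstanding request: drop it
            inside, _ = self.icmp_conns.pop((pkt.dst, pkt.icmp_id))
            return Echo(pkt.src, inside, pkt.icmp_id, pkt.seq, reply=True)
        inside = self.fallback_xlate.get(pkt.dst)  # address-only lookup, no per-echo state
        return Echo(pkt.src, inside, pkt.icmp_id, pkt.seq, reply=True) if inside else None

def ping_round_trip(inspect_icmp: bool) -> Optional[str]:
    """Ping from 10.15.1.46 and return the inside address the reply is delivered to."""
    fw = ToyFirewall(inspect_icmp)
    out = fw.outbound(Echo("10.15.1.46", REMOTE_HOST, icmp_id=0x1A2B, seq=1))
    reply = Echo(out.dst, out.src, out.icmp_id, out.seq, reply=True)  # remote side answers
    back = fw.inbound(reply)
    return back.dst if back else None
```

With inspection on, the reply comes back to 10.15.1.46; with it off, the address-only lookup delivers it to 10.15.1.6, matching the captures above.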