Vyos source NAT is not working correctly

snat

#1

Hello
I have temporal scheme for one customer, which requires secure access from the main company network via IPSEC.
IPSEC is done with Cisco ASA. It is working fine.
One thing Vyos is not NATing internal network outside.
Hence no Internet provided to internal network.

Suprisingly, from the vyos itself the Internet is reachable.
Can you please review the configuration to show me where I did wrong. However, talking about NAT solely looks pretty simple and straightforward.

Configuration:

firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN-IN {
        default-action accept
        rule 10 {
            action accept
        }
    }
    name LAN-OUT {
        default-action accept
        rule 10 {
            action accept
        }
    }
    name TO-LAN-IPV4 {
        default-action drop
        rule 50 {
            action accept
            description "Allow traffic from site-to-site VPN"
            destination {
                address 192.168.88.0/24
            }
            source {
                address 172.29.131.0/24
            }
        }
    }
    name TO-ROUTER-IPV4 {
        default-action drop
        rule 50 {
            action accept
            description "Allow ISAKMP"
            destination {
                port 500
            }
            protocol udp
        }
        rule 51 {
            action accept
            description "Allow ESP"
            protocol esp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        address 192.168.0.97/24
        description WAN
        duplex auto
        firewall {
            out {
                name LAN-OUT
            }
        }
        hw-id 08:00:27:41:8f:38
        mtu 1300
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 192.168.88.1/24
        description Inside
        duplex auto
        firewall {
            out {
                name LAN-IN
            }
        }
        hw-id 08:00:27:27:52:10
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
nat {
     source {
        rule 10 {
            description "NAT Exclude traffic over site-to-site VPN"
            destination {
                address 172.29.131.0/24
            }
            exclude
            log enable
            outbound-interface eth0
            source {
                address 192.168.88.0/24
            }
        }
        rule 30 {
            destination {
                address 0.0.0.0/0
            }
            log enable
            outbound-interface eth0
            source {
                address 192.168.88.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 192.168.0.1 {
            }
        }
      }
}
service {
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
    }
    name-server 8.8.8.8
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    package {
        auto-sync 1
        repository community {
            components main
            distribution helium
            password ****************
            url http://packages.vyos.net/vyos
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        esp-group ESP-1W {
            compression disable
            lifetime 28800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group IKE-1W {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 86400
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-traversal enable
        site-to-site {
            peer XX.YY.ZZ.YY {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                default-esp-group ESP-1W
                ike-group IKE-1W
                ikev2-reauth inherit
                local-address 192.168.0.97
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ESP-1W
                    local {
                        prefix 192.168.88.0/24
                    }
                    remote {
                        prefix 172.29.131.0/24
                    }
                }
            }
        }
    }
}

#2

I see nat rule 30 that do masaqarading to eth0 so not sure what you mean under ¨VyOS not NATing¨