https://community.cisco.com/t5/network-security/zero-nat-on-inside-interface/m-p/4082584#M1070046 <P>I have sent you private message with config.</P><P>&nbsp;</P><P>Here is the config i need to add for IPSEC connection</P><P>&nbsp;</P><P>crypto isakmp policy 20</P><P>authentication pre-share</P><P>encryption aes-256</P><P>hash sha</P><P>group 2</P><P>lifetime 3600</P><P>&nbsp;</P><P>crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac</P><P>&nbsp;</P><P>tunnel-group 172.24.32.115 type ipsec-l2l</P><P>tunnel-group 172.24.32.115 ipsec-attributes</P><P>pre-shared-key xxxxxx</P><P>&nbsp;</P><P>access-list LAN_Traffic extended permit icmp&nbsp; 10.0.0.0 255.0.0.0&nbsp; 10.70.160.0 255.255.255.248&nbsp; echo log</P><P>access-list LAN_Traffic extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.2 eq 80 log</P><P>access-list LAN_Traffic extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.3 eq 80 log</P><P>access-list LAN_Traffic extended permit udp 10.96.96.0 255.255.255.0 host 10.70.160.2 eq 554 log</P><P>access-list LAN_Traffic extended permit udp 10.96.96.0 255.255.255.0 host 10.70.160.3 eq 554 log</P><P>access-list LAN_Traffic extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.2 eq 554 log</P><P>access-list LAN_Traffic extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.3 eq 554 log</P><P>&nbsp;</P><P>&nbsp;</P><P>access-list LAN_Traffic extended permit tcp host 10.70.160.2&nbsp; 10.96.96.0 255.255.255.0 eq 80 log</P><P>access-list LAN_Traffic extended permit tcp host 10.70.160.3&nbsp; 10.96.96.0 255.255.255.0 eq 80 log</P><P>access-list LAN_Traffic extended permit udp host 10.70.160.2&nbsp; 10.96.96.0 255.255.255.0 eq 554 log</P><P>access-list LAN_Traffic extended permit udp host 10.70.160.3&nbsp; 10.96.96.0 255.255.255.0 eq 554 log</P><P>access-list LAN_Traffic extended permit tcp host 10.70.160.2&nbsp; 10.96.96.0 255.255.255.0 eq 554 log</P><P>access-list LAN_Traffic extended permit tcp host 10.70.160.3&nbsp; 10.96.96.0 255.255.255.0 eq 554 log</P><P>access-list LAN_Traffic extended deny ip any any log</P><P>&nbsp;</P><P>crypto map VPNCMAP&nbsp; 20 match address LAN_Traffic</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</P><P>crypto map VPNCMAP&nbsp; 20 set peer 172.24.32.115</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;</P><P>crypto map VPNCMAP 20 set transform-set L2L</P><P>&nbsp;</P><P>access-list NAT_EXEMPT extended permit ip 10.96.96.0 255.255.255.0 10.70.160.248<BR />nat (inside) 0 access-list NAT_EXEMPT</P><P>&nbsp;</P> Sat, 09 May 2020 18:38:21 GMT mahesh18 2020-05-09T18:38:21Z https://community.cisco.com/t5/network-security/zero-nat-on-inside-interface/m-p/4081994#M1070005 <P>&nbsp;</P><P>We have this nat for vpn users&nbsp;</P><P>&nbsp;</P><P>nat (inside) 0 access-list nonat_pool&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; --------------------current nat&nbsp; for vpn&nbsp;</P><P>&nbsp;</P><P>Also i need IPsec connection for vendor traffic where we do not want nat inside traffic&nbsp;</P><P>&nbsp;</P><P>ASA&nbsp; 8.2</P><P>&nbsp;</P><P>nat (inside) 0 access-list NAT_EXEMPT ------------------------------nat for IPSEC tunnel</P><P>&nbsp;</P><P>How will this work?</P><P>Do it has to be in certain order?</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 08 May 2020 13:49:50 GMT https://community.cisco.com/t5/network-security/zero-nat-on-inside-interface/m-p/4081994#M1070005 mahesh18 2020-05-08T13:49:50Z https://community.cisco.com/t5/network-security/zero-nat-on-inside-interface/m-p/4082066#M1070010 <P>nat (inside) 0 access-list NAT_EXEMPT ------------------------------nat for IPSEC tunnel</P> <P>&nbsp;</P> <P>mean you doing a NAT Exemption. as you running 8.2 which is EOL so if i convert it to 8.3 post. its command will be like this.</P> <PRE>object network INSIDE subnet 1.1.1.0 255.255.0.0 object network OUTSIDE subnet 2.2.2.0 255.255.0.0 nat (inside,outside) source static INSIDE INSIDE destination static OUTSIDE OUTSIDE</PRE> <P>so ideally it should work. have a change control in place if you need to revert back.</P> Fri, 08 May 2020 15:02:19 GMT https://community.cisco.com/t5/network-security/zero-nat-on-inside-interface/m-p/4082066#M1070010 Sheraz.Salim 2020-05-08T15:02:19Z https://community.cisco.com/t5/network-security/zero-nat-on-inside-interface/m-p/4082103#M1070013 <P>Thanks for replying.</P><P>So if i use NAT exempt for inside interface for two different configs it should work right?</P><P>&nbsp;</P><P>Does it has to be in any order?</P> Fri, 08 May 2020 15:49:35 GMT https://community.cisco.com/t5/network-security/zero-nat-on-inside-interface/m-p/4082103#M1070013 mahesh18 2020-05-08T15:49:35Z https://community.cisco.com/t5/network-security/zero-nat-on-inside-interface/m-p/4082117#M1070015 <P>Is this change is for the existing vpn tunnel peer or a new vpn tunnel peer?</P> Fri, 08 May 2020 16:09:02 GMT https://community.cisco.com/t5/network-security/zero-nat-on-inside-interface/m-p/4082117#M1070015 Sheraz.Salim 2020-05-08T16:09:02Z https://community.cisco.com/t5/network-security/zero-nat-on-inside-interface/m-p/4082139#M1070017 <P>currently we have VPN working and using&nbsp; below nat</P><P>&nbsp;</P><P><SPAN>nat (inside) 0 access-list nonat_pool&nbsp;&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Now for IPSEC i need to add this nat&nbsp;</SPAN></P><P><SPAN>nat (inside) 0 access-list NAT_EXEMPT&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>so if i add above nat config will vpn users connection will still work?</SPAN></P> Fri, 08 May 2020 17:09:37 GMT https://community.cisco.com/t5/network-security/zero-nat-on-inside-interface/m-p/4082139#M1070017 mahesh18 2020-05-08T17:09:37Z https://community.cisco.com/t5/network-security/zero-nat-on-inside-interface/m-p/4082436#M1070029 <P>share your firewall config please in order to give you correct advise.</P> Sat, 09 May 2020 08:34:37 GMT https://community.cisco.com/t5/network-security/zero-nat-on-inside-interface/m-p/4082436#M1070029 Sheraz.Salim 2020-05-09T08:34:37Z https://community.cisco.com/t5/network-security/zero-nat-on-inside-interface/m-p/4082584#M1070046 <P>I have sent you private message with config.</P><P>&nbsp;</P><P>Here is the config i need to add for IPSEC connection</P><P>&nbsp;</P><P>crypto isakmp policy 20</P><P>authentication pre-share</P><P>encryption aes-256</P><P>hash sha</P><P>group 2</P><P>lifetime 3600</P><P>&nbsp;</P><P>crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac</P><P>&nbsp;</P><P>tunnel-group 172.24.32.115 type ipsec-l2l</P><P>tunnel-group 172.24.32.115 ipsec-attributes</P><P>pre-shared-key xxxxxx</P><P>&nbsp;</P><P>access-list LAN_Traffic extended permit icmp&nbsp; 10.0.0.0 255.0.0.0&nbsp; 10.70.160.0 255.255.255.248&nbsp; echo log</P><P>access-list LAN_Traffic extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.2 eq 80 log</P><P>access-list LAN_Traffic extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.3 eq 80 log</P><P>access-list LAN_Traffic extended permit udp 10.96.96.0 255.255.255.0 host 10.70.160.2 eq 554 log</P><P>access-list LAN_Traffic extended permit udp 10.96.96.0 255.255.255.0 host 10.70.160.3 eq 554 log</P><P>access-list LAN_Traffic extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.2 eq 554 log</P><P>access-list LAN_Traffic extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.3 eq 554 log</P><P>&nbsp;</P><P>&nbsp;</P><P>access-list LAN_Traffic extended permit tcp host 10.70.160.2&nbsp; 10.96.96.0 255.255.255.0 eq 80 log</P><P>access-list LAN_Traffic extended permit tcp host 10.70.160.3&nbsp; 10.96.96.0 255.255.255.0 eq 80 log</P><P>access-list LAN_Traffic extended permit udp host 10.70.160.2&nbsp; 10.96.96.0 255.255.255.0 eq 554 log</P><P>access-list LAN_Traffic extended permit udp host 10.70.160.3&nbsp; 10.96.96.0 255.255.255.0 eq 554 log</P><P>access-list LAN_Traffic extended permit tcp host 10.70.160.2&nbsp; 10.96.96.0 255.255.255.0 eq 554 log</P><P>access-list LAN_Traffic extended permit tcp host 10.70.160.3&nbsp; 10.96.96.0 255.255.255.0 eq 554 log</P><P>access-list LAN_Traffic extended deny ip any any log</P><P>&nbsp;</P><P>crypto map VPNCMAP&nbsp; 20 match address LAN_Traffic</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</P><P>crypto map VPNCMAP&nbsp; 20 set peer 172.24.32.115</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;</P><P>crypto map VPNCMAP 20 set transform-set L2L</P><P>&nbsp;</P><P>access-list NAT_EXEMPT extended permit ip 10.96.96.0 255.255.255.0 10.70.160.248<BR />nat (inside) 0 access-list NAT_EXEMPT</P><P>&nbsp;</P> Sat, 09 May 2020 18:38:21 GMT https://community.cisco.com/t5/network-security/zero-nat-on-inside-interface/m-p/4082584#M1070046 mahesh18 2020-05-09T18:38:21Z https://community.cisco.com/t5/network-security/zero-nat-on-inside-interface/m-p/4082746#M1070059 <P>here is the configuration you need to implement in order to bring up the tunnel. I assume 10.96.96.0/24 is your source ip addresses and the remote networks are 10.70.160.x. Is this correct?</P> <P>if you want to allow only certain protocols to work with access-list forexample tcp/udp. than you have to give command <STRONG>sysopt connection permit-vpn"</STRONG> <SPAN class="ILfuVd NA6bn"><SPAN class="e24Kjd">Configure the <STRONG>sysopt connection permit</STRONG>-<STRONG>vpn</STRONG> command, which exempts traffic that matches the <STRONG>VPN connection</STRONG> from the access control policy. ... This is the more secure method to allow traffic in the <STRONG>VPN</STRONG> because external users cannot spoof IP addresses in the remote access <STRONG>VPN</STRONG> address pool.</SPAN></SPAN></P> <P>&nbsp;</P> <PRE>crypto isakmp policy 20 authentication pre-share encryption aes-256 hash sha group 2 lifetime 3600 ! crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac ! tunnel-group 172.24.32.115 type ipsec-l2l tunnel-group 172.24.32.115 ipsec-attributes pre-shared-key xxxxxx ! access-list LAN_Traffic extended permit ip 10.96.96.0 255.255.255.0 host 10.70.160.2 access-list LAN_Traffic extended permit ip 10.96.96.0 255.255.255.0 host 10.70.160.3 ! nat (inside) 0 access-list LAN_Traffic crypto map VPNCMAP 20 match address LAN_Traffic crypto map VPNCMAP 20 set peer 172.24.32.115 crypto map VPNCMAP 20 set transform-set L2L ! </PRE> Sun, 10 May 2020 09:09:18 GMT https://community.cisco.com/t5/network-security/zero-nat-on-inside-interface/m-p/4082746#M1070059 Sheraz.Salim 2020-05-10T09:09:18Z https://community.cisco.com/t5/network-security/zero-nat-on-inside-interface/m-p/4083621#M1070099 <P>&nbsp;</P><P>Thanks a lot for answering all the queries here.</P><P>Will do this change soon.</P><P>&nbsp;</P><P>Appreciate your&nbsp; help on this.</P> Mon, 11 May 2020 21:39:43 GMT https://community.cisco.com/t5/network-security/zero-nat-on-inside-interface/m-p/4083621#M1070099 mahesh18 2020-05-11T21:39:43Z