topic I will do that also when I in Network Security

NAT config for IPSEC L2L tunnel

mahesh18 — Tue, 12 Mar 2019 07:21:49 GMT

Hi Everyone,

I have configured 5 ipsec l2l tunnels on ASA outside interface and need to know for NAT what config i should do on the ASA?

I have ACL configured for interesting traffic and also NAT- T disable under crypto map.

Do i still need any nat config for VPN traffic?

Regards

Mahesh

If you have dynamic NAT or

Marius Gunnerud — Sat, 20 Feb 2016 21:08:24 GMT

If you have dynamic NAT or any other NAT statements on the ASA that match the interesting traffic, then yes you will need identity NAT (NAT exempt) statements on the ASA. They will look something like the following:

object network LOCAL_LAN

subnet 10.10.1.0 255.255.255.0

object network REMOTE_LAN

subnet 11.11.1.0 255.255.255.0

nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN

You would need to do something similar for each site to site VPN you have configured. You can ofcourse reuse your LOCAL_LAN object.

Please remember to select a correct answer and rate helpful posts

i checked the nat statement

mahesh18 — Sun, 21 Feb 2016 01:56:24 GMT

i checked the nat statement for interesting traffic means source lan subnet and destination subnet found

none.

i only found there network object groups but no NAT statements or config as you mentioned in the above

post.

So how the traffic is flowing without any NAT config for interesting traffic subnet?

Is the ASA the gateway for

Marius Gunnerud — Sun, 21 Feb 2016 20:38:15 GMT

Is the ASA the gateway for internet traffic for you local LAN? Are there any NAT statement at all configured on the ASA?

Please remember to select a correct answer and rate helpful posts

Yes ASA has few nat

mahesh18 — Sun, 21 Feb 2016 20:44:23 GMT

Yes ASA has few nat statements.

No ASA is not gateway for internet traffic.

Then there should be no need

Marius Gunnerud — Sun, 21 Feb 2016 20:47:43 GMT

Then there should be no need for NAT statements for this VPN traffic. However you need to double check to make sure that none of the NAT statements match the interesting traffic for your VPN tunnel.

Please remember to select a correct answer and rate helpful posts

I will do that also when I

mahesh18 — Sun, 21 Feb 2016 20:59:18 GMT

I will do that also when I run command show nat

I see no hits on translate and untranslate this confirms that currently only vpn

traffic is flowing via asa right?

I would assume so. But does

Marius Gunnerud — Sun, 21 Feb 2016 21:02:34 GMT

I would assume so. But does not hurt to double check.

Please remember to select a correct answer and rate helpful posts

Many thanks Marius for

mahesh18 — Sun, 21 Feb 2016 21:13:04 GMT

Many thanks Marius for replying to my questions and giving me right directions

from last two days.

Best Regards

Mahesh