https://community.cisco.com/t5/network-security/asa-nat-exemption/m-p/1778564#M533089 <HTML><HEAD></HEAD><BODY><P>Here's a doc as well, PFA</P><P></P><P>-Varun</P><P></P><P>Please rate helpful posts.</P></BODY></HTML> Fri, 19 Aug 2011 13:05:31 GMT varrao 2011-08-19T13:05:31Z https://community.cisco.com/t5/network-security/asa-nat-exemption/m-p/1778562#M533083 <P>I'm running ASA software 8.4(2)</P><P></P><P>I've setup the anyconnect VPN system, and it works fine. However, it's NATing to the inside interface of the ASA. How do I do the NAT exclude ?</P><P></P><P>The docs say you *used* to do:</P><P></P><PRE>access-list no_nat permit ip 192.168.0.0 255.255.255.0 any</PRE><PRE>nat (inside) 0 access-list no_nat<BR /><BR /><SPAN style="font-family: arial,helvetica,sans-serif;">However, with the latest software, this isn't valid any more.</SPAN><BR /><SPAN style="font-family: arial,helvetica,sans-serif;">I tried:</SPAN><BR /><BR />object network SSLVPN<BR />&nbsp; subnet 192.168.0.0 255.255.255.0<BR /><P>nat (inside,any) source static SSLVPN SSLVPN no-proxy-arp</P><BR /></PRE><P>But my packets are still getting NATed.</P><P></P><P>Suggestions, please ?</P><P></P><P>Thanks,</P><P><BR />GTG</P> Mon, 11 Mar 2019 21:14:17 GMT https://community.cisco.com/t5/network-security/asa-nat-exemption/m-p/1778562#M533083 Gordon Ross 2019-03-11T21:14:17Z https://community.cisco.com/t5/network-security/asa-nat-exemption/m-p/1778563#M533087 <HTML><HEAD></HEAD><BODY><P>Hi Gordon,</P><P></P><P>You might wanna try this:</P><P></P><P>Lets you had the following nat statement in the previous code:</P><P></P><PRE>access-list SSLVPN permit ip 10.0.0.0 255.0.0.0 20.0.0. 255.0.0.0</PRE><PRE>nat (inside) 0 access-list SSLVPN</PRE><P></P><P>The new NAT would be:</P><P></P><P>object network internal_subnet</P><P>&nbsp; subnet 10.0.0.0 255.0.0.0</P><P></P><P></P><P>object network remote_network</P><P>&nbsp; subnet 20.0.0.0 255.0.0.0</P><P></P><P>nat (inside,outside) source static internal_subnet internal_subnet destination static remote_network remote_network</P><P></P><P>Hope this helps.</P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Fri, 19 Aug 2011 13:04:34 GMT https://community.cisco.com/t5/network-security/asa-nat-exemption/m-p/1778563#M533087 varrao 2011-08-19T13:04:34Z https://community.cisco.com/t5/network-security/asa-nat-exemption/m-p/1778564#M533089 <HTML><HEAD></HEAD><BODY><P>Here's a doc as well, PFA</P><P></P><P>-Varun</P><P></P><P>Please rate helpful posts.</P></BODY></HTML> Fri, 19 Aug 2011 13:05:31 GMT https://community.cisco.com/t5/network-security/asa-nat-exemption/m-p/1778564#M533089 varrao 2011-08-19T13:05:31Z https://community.cisco.com/t5/network-security/asa-nat-exemption/m-p/1778565#M533090 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">object network internal_subnet<P>&nbsp; subnet 10.0.0.0 255.0.0.0</P><P></P><P></P><P>object network remote_network</P><P>&nbsp; subnet 20.0.0.0 255.0.0.0</P><P></P><P>nat (inside,outside) source static internal_subnet internal_subnet destination static remote_network remote_network</P></PRE><P>So is the remote_subnet the ip pool subnet that the VPN clients are assigned by the ASA, and the internal_subnet the subnet the VPN clients want to access ?</P><P></P><P>GTG</P></BODY></HTML> Fri, 19 Aug 2011 13:10:10 GMT https://community.cisco.com/t5/network-security/asa-nat-exemption/m-p/1778565#M533090 Gordon Ross 2011-08-19T13:10:10Z https://community.cisco.com/t5/network-security/asa-nat-exemption/m-p/1778566#M533091 <HTML><HEAD></HEAD><BODY><P>Yes, absolutely, if you are doing remote access vpn.</P><P></P><P>Thanks,</P><P>Varun</P></BODY></HTML> Fri, 19 Aug 2011 13:15:25 GMT https://community.cisco.com/t5/network-security/asa-nat-exemption/m-p/1778566#M533091 varrao 2011-08-19T13:15:25Z