Can someone help me understand the proper way to do NAT exemption rules with multiple L2L VPN Tunnels?

Evan Roggenkamp
Level 1

I am trying to figure out how multiple NAT rules configured may be causing our VPN tunnels to malfunction. 

Basically what we have done is for each L2L tunnel, for a NAT exemption, we create a NAT rule like so:

nat (ServerDMZ,Outside) source static ServerDMZ ServerDMZ destination static SITE1_LAN SITE1_LAN no-proxy-arp route-lookup desc OFFICE1 NO NAT
nat (ServerDMZ,Outside) source static ServerDMZ ServerDMZ destination static SITE2_LAN SITE2_LAN no-proxy-arp route-lookup desc OFFICE2 NO NAT

Now my question here is that I do believe that the ASA will exclaim overlapping rules exist when configuring like this, so what is the proper way to configure this? I believe overlapping rules, primarily where the source interface and destination interface are the same in each rule, may potentially be causing issues with the negotiation of our VPN tunnels, although I have been unable to substantiate this hypothesis with evidence. 

Furthermore, the question has come up: "is there ever a situation where it is 'appropriate' to be using 'any' in the source or destination network?"

e.g.

nat (Inside,Outside) source static any any destination static Cisco_Client_VPN_Pool Cisco_Client_VPN_Pool no-proxy-arp route-lookup
2 Replies

Rahul Govindan
VIP Alumni

In my experience, creating rules like this should not have an impact on the negotiation of VPN tunnels. Even though the source and destination interfaces are the same, the destination network is different for each tunnel, which should be able to resolve any conflicts.

To your second question, this again should not be a problem as the destination network is specific. The only reason I can see is to reduce the number of NAT rules when you have multiple internal networks. This is also mentioned in the ASA config guide:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_rules.html#wp1232160

Thanks Rahul 

That only furthers the head-scratching process in regards to the problems with our tunnels (working with TAC on this as time permits).

It seems that they come up but they do not pass traffic. 

Your advice does add to the process of elimination and to my understanding, so it is much appreciated. 
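As an added illustration of the configuration discussed in this thread (constructed here, not posted by either participant), the following is a complete ASA manual NAT exemption layout for two L2L peers plus the commands used to verify which rule a flow hits. The object names come from the thread; the subnets and the 10.10.10.5 / 192.168.1.10 test addresses are placeholders chosen for the example.

```cisco
! Added example, not from the original thread. Subnets below are constructed placeholders.
object network ServerDMZ
 subnet 10.10.10.0 255.255.255.0
object network SITE1_LAN
 subnet 192.168.1.0 255.255.255.0
object network SITE2_LAN
 subnet 192.168.2.0 255.255.255.0
object network Cisco_Client_VPN_Pool
 subnet 10.99.0.0 255.255.255.0
!
! One identity (no-NAT) rule per L2L peer. Both share the (ServerDMZ,Outside)
! interface pair, but their destination objects are disjoint, so the ASA selects
! on destination and neither rule shadows the other. Manual NAT is matched
! top-down, first match wins, so a broader rule placed above these would win instead.
! no-proxy-arp: do not answer ARP for the identity-mapped addresses on Outside.
! route-lookup: pick the egress interface from the routing table, not from the NAT rule.
nat (ServerDMZ,Outside) source static ServerDMZ ServerDMZ destination static SITE1_LAN SITE1_LAN no-proxy-arp route-lookup description OFFICE1 NO NAT
nat (ServerDMZ,Outside) source static ServerDMZ ServerDMZ destination static SITE2_LAN SITE2_LAN no-proxy-arp route-lookup description OFFICE2 NO NAT
!
! Remote-access exemption with a broad source: still unambiguous because the
! destination (the client pool) is specific and does not overlap the site LANs.
nat (Inside,Outside) source static any any destination static Cisco_Client_VPN_Pool Cisco_Client_VPN_Pool no-proxy-arp route-lookup
!
! Verification. 'show nat detail' lists rules in match order with hit counts, so an
! exemption rule that never increments while the tunnel is up points at ordering.
show nat detail
!
! Simulate a DMZ host talking to a SITE1 host. In the output, the NAT phase should
! show the OFFICE1 identity rule and the VPN phase should encrypt the packet;
! a "(acl-drop)" or a different NAT rule in that trace narrows down the fault.
packet-tracer input ServerDMZ tcp 10.10.10.5 12345 192.168.1.10 445 detailed
!
! For a tunnel that "comes up but passes no traffic", compare the encaps and
! decaps counters per peer: rising encaps with zero decaps means the far side
! is not returning traffic, zero encaps means this side never matched the crypto map.
show crypto ipsec sa
```

When the trace shows a rule other than the intended exemption, the usual cause is order rather than overlap: move the specific identity rules above any broader manual NAT rule that shares the same interface pair, and re-run the packet-tracer to confirm the hit count on the exemption rule now increments.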
