Hi everyone, I was just after a bit of assistance with an ASA I'm currently configuring. The ASA is based at a remote site and will have an IPSec tunnel configured on it to talk to the main Concentrator at HQ.
Remote site network:
I've attached the configuration for this device which I think is correct. The one question I have is would I need a NAT exemption for the below ACL?
"access-list InfDC_126.96.36.199 extended permit ip ManPlant-local object-group Man-remote"
Many thanks for your assistance.
Most times yes, you would need a NAT exemption, for the simple reason that all your internal traffic will be NATted going to the internet. But you do not want traffic to be NATted once hitting the inside interface, going to the tunnel. Just stick a no-NAT at the top or fairly high on the list.
Just wanted to add a few things, based on the attached configurations.
nat (Inside,Outside) source static Man-local NAT_Pool destination static Man-remote Man-remote
I believe it would be closer to this...
nat (InsideOffice, Outside) source static Man-local NAT_Pool destination static Man-remote Man-remote
As for the access lists
access-list InfDC_188.8.131.52 extended permit ip Man-local object-group Man-remote
access-list InfDC_184.108.40.206 extended permit ip ManPlant-local object-group Man-remote
I would add the keyword...
access-list InfDC_220.127.116.11 extended permit ip object-group Man-local object-group Man-remote
access-list InfDC_18.104.22.168 extended permit ip object-group ManPlant-local object-group Man-remote
And just to finish up the tunnel group configurations.....
access-list Outside_cryptomap line 1 extended permit ip object NAT_Pool 10.99.0.0 255.255.0.0
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ssl-clientless l2tp-ipsec
tunnel-group 22.214.171.124 ipsec-attributes
ikev1 pre-shared-key <cisco> <-------your pre-shared key here
crypto map CMAP_01 20 match address Outside_cryptomap
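Putting the two replies together, here is an added ASA 8.3+ style NAT section (not the poster's attached configuration, which is not on the page) showing where the exemption for ManPlant-local sits relative to the NAT_Pool rule and the internet PAT rule. Object, object-group and interface names and the 10.99.0.0/16 remote range are taken from the thread; the other subnets are constructed placeholders.

```cisco
! Added example, not the poster's config. Object/interface names follow the thread;
! 10.10.1.0/24, 10.10.2.0/24 and 192.0.2.0/24 are constructed placeholder ranges.
object-group network Man-local
 network-object 10.10.1.0 255.255.255.0
object-group network ManPlant-local
 network-object 10.10.2.0 255.255.255.0
object-group network Man-remote
 network-object 10.99.0.0 255.255.0.0
object network NAT_Pool
 subnet 192.0.2.0 255.255.255.0
!
! Manual (twice) NAT is evaluated top-down, first match wins, and before object NAT,
! so the tunnel-bound rules must come before the catch-all internet PAT.
!
! 1. NAT exemption for ManPlant-local: identity translation of both source and
!    destination, so packets reach the crypto map with their real addresses.
nat (InsideOffice,Outside) source static ManPlant-local ManPlant-local destination static Man-remote Man-remote no-proxy-arp route-lookup
!
! 2. Man-local is deliberately translated into NAT_Pool toward Man-remote, which is
!    why the crypto ACL matches "object NAT_Pool 10.99.0.0 255.255.0.0" as source.
nat (InsideOffice,Outside) source static Man-local NAT_Pool destination static Man-remote Man-remote
!
! 3. Internet PAT last (after-auto). Placed above rules 1-2 it would match the
!    tunnel traffic first and rewrite its source to the Outside interface address.
nat (InsideOffice,Outside) after-auto source dynamic any interface
!
! Check: the trace should hit rule 1 and then the VPN phase, not the PAT rule.
packet-tracer input InsideOffice tcp 10.10.2.10 12345 10.99.0.10 80
show nat detail
```

Crypto map ACLs are matched against post-NAT addresses, so the exempted ManPlant-local range must itself appear as a source in a crypto ACL; the Outside_cryptomap entry quoted above covers only NAT_Pool.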