04-25-2019 04:37 AM - edited 02-21-2020 09:04 AM
Hi everyone, I was just after a bit of assistance with an ASA I'm currently configuring. The ASA is based at a remote site and will have an IPSec tunnel configured on it to talk to the main Concentrator at HQ.
Remote site network:
I've attached the configuration for this device which I think is correct. The one question I have is would I need a NAT exemption for the below ACL?
"access-list InfDC_95.12.122.33 extended permit ip ManPlant-local object-group Man-remote"
Many thanks for your assistance.
04-25-2019 05:49 AM
Most times yes, you would need a NAT exemption for the simple reason that all your internal traffic will be NATted going to the internet. But you do not want traffic to be NATted once hitting the inside interface, going to the tunnel. Just stick a no-nat at the top or fairly high on the list.
04-25-2019 06:22 AM
Thanks Dennis, that makes sense. Could you give me an idea what the config line should look like please?
04-27-2019 03:21 PM
Hi,
Just wanted to add a few things, based on the attached configurations.
nat (Inside,Outside) source static Man-local NAT_Pool destination static Man-remote Man-remote
I believe, would be closer to this...
nat (InsideOffice, Outside) source static Man-local NAT_Pool destination static Man-remote Man-remote
As for the access lists
access-list InfDC_95.12.122.33 extended permit ip Man-local object-group Man-remote
access-list InfDC_95.12.122.33 extended permit ip ManPlant-local object-group Man-remote
I would add the keyword...
access-list InfDC_95.12.122.33 extended permit ip object-group Man-local object-group Man-remote
access-list InfDC_95.12.122.33 extended permit ip object-group ManPlant-local object-group Man-remote
--------
And just to finish up the tunnel group configurations.....
access-list Outside_cryptomap line 1 extended permit ip object NAT_Pool 10.99.0.0 255.255.0.0
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ssl-clientless l2tp-ipsec
exit
tunnel-group 95.12.122.33 ipsec-attributes
ikev1 pre-shared-key <cisco> <-------your pre-shared key here
crypto map CMAP_01 20 match address Outside_cryptomap
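Added example, not from this thread or from Cisco: a small Python check of the ordering point raised above, namely that the static twice-NAT rule feeding the tunnel (mapping Man-local to NAT_Pool for Man-remote) has to sit ahead of any dynamic PAT on the same inside interface in section 1 of the NAT table. The config fragment is constructed; only the object and interface names follow the thread, and the ACL parser assumes object/object-group operands.

```python
import re

# Constructed ASA config fragment for illustration (not the thread's attachment);
# object names follow the thread. Here the tunnel NAT sits BELOW the dynamic PAT.
SAMPLE_CONFIG = """
access-list Outside_cryptomap extended permit ip object NAT_Pool object Man-remote
nat (InsideOffice,Outside) source dynamic any interface
nat (InsideOffice,Outside) source static Man-local NAT_Pool destination static Man-remote Man-remote
"""

# Manual (twice) NAT: "source {static|dynamic} REAL MAPPED [destination static MAPPED REAL] ..."
NAT_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) source "
    r"(?P<kind>static|dynamic) (?P<real_src>\S+) (?P<mapped_src>\S+)"
    r"(?: destination static (?P<mapped_dst>\S+) (?P<real_dst>\S+))?(?P<rest>.*)$"
)


def parse_manual_nat(config):
    """Manual NAT rules in section-1 order; 'after-auto' rules belong to section 3 and are skipped."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m and "after-auto" not in m.group("rest"):
            rules.append(m.groupdict())
    return rules


def crypto_acl_pairs(config, acl_name):
    """(source, destination) object names from the crypto-map ACL's permit lines."""
    pat = re.compile(rf"^access-list {re.escape(acl_name)}(?: line \d+)? extended permit ip "
                     r"(?:object|object-group) (\S+) (?:object|object-group) (\S+)")
    return [m.groups() for m in (pat.match(l.strip()) for l in config.splitlines()) if m]


def check_tunnel_nat(config, acl_name):
    """For each crypto-ACL pair, locate the static rule that yields that mapped source for that
    destination and report 'missing', 'shadowed' (a dynamic rule on the same inside interface
    precedes it, so traffic would be PATed before reaching it) or 'ok'. Conservative: any earlier
    dynamic rule on that interface counts as shadowing."""
    rules = parse_manual_nat(config)
    report = {}
    for src, dst in crypto_acl_pairs(config, acl_name):
        hit = next((i for i, r in enumerate(rules)
                    if r["kind"] == "static" and r["mapped_src"] == src and r["real_dst"] == dst), None)
        if hit is None:
            report[(src, dst)] = "missing"
            continue
        shadows = [r for r in rules[:hit] if r["kind"] == "dynamic" and r["src_if"] == rules[hit]["src_if"]]
        report[(src, dst)] = "shadowed" if shadows else "ok"
    return report
```

Swapping the two nat lines in SAMPLE_CONFIG turns the verdict from "shadowed" to "ok".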