Cisco ASA NAT IPSec tunnel configuration

BHconsultants88
Level 1

Hi everyone, I was just after a bit of assistance with an ASA I'm currently configuring. The ASA is based at a remote site and will have an IPSec tunnel configured on it to talk to the main Concentrator at HQ.

 

Remote site network:

  • Local LAN 192.168.4.0 /24 (natted at HQ to 192.168.254.0 /24)
  • Local Plant LAN 10.20.21.0 /24

 

I've attached the configuration for this device which I think is correct. The one question I have is would I need a NAT exemption for the below ACL?

 

"access-list InfDC_95.12.122.33 extended permit ip ManPlant-local object-group Man-remote"

 

Many thanks for your assistance.

3 Replies

Dennis Mink
VIP Alumni

Most times, yes, you would need a NAT exemption, for the simple reason that all your internal traffic will be NATed going to the internet. But you do not want traffic to be NATed once it hits the inside interface and goes to the tunnel. Just stick a no-NAT at the top or fairly high on the list.

Please remember to rate useful posts, by clicking on the stars below.

Thanks Dennis, that makes sense. Could you give me an idea what the config line should look like please?

Alan Ng'ethe
Level 3

Hi,

Just wanted to add a few things, based on the attached configurations

 

nat (Inside,Outside) source static Man-local NAT_Pool destination static Man-remote Man-remote

 

I believe, would be closer to this...

nat (InsideOffice,Outside) source static Man-local NAT_Pool destination static Man-remote Man-remote

 

As for the access lists

access-list InfDC_95.12.122.33 extended permit ip Man-local object-group Man-remote
access-list InfDC_95.12.122.33 extended permit ip ManPlant-local object-group Man-remote


I would add the keyword...
access-list InfDC_95.12.122.33 extended permit ip object-group Man-local object-group Man-remote
access-list InfDC_95.12.122.33 extended permit ip object-group ManPlant-local object-group Man-remote

--------

And just to finish up the tunnel group configurations.....


access-list Outside_cryptomap line 1 extended permit ip object NAT_Pool 10.99.0.0 255.255.0.0
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ssl-clientless l2tp-ipsec
exit
tunnel-group 95.12.122.33 ipsec-attributes
ikev1 pre-shared-key <cisco> <-------your pre-shared key here
crypto map CMAP_01 20 match address Outside_cryptomap

 

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.
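As an added example (not from the original thread or any of its posters), here is how the two pieces of advice above fit together on one remote-site ASA using the 8.3-and-later NAT syntax the posted lines already use, where "nat 0" no longer exists and NAT exemption is a section-1 (manual/twice NAT) identity rule ordered before the internet PAT. Dennis's no-NAT becomes that identity rule for the plant LAN, and Alan's tunnel-group fragment is completed with the crypto pieces it leaves out. The object names, the InsideOffice and Outside interface names, the peer 95.12.122.33, the 10.99.0.0/16 HQ range and the 192.168.254.0/24 pool are taken from the thread; the InsidePlant interface name, the IKEv1 policy and transform set, and the host addresses in the verification step are assumptions.

```cisco
! Added example, not the configuration attached to the original post.
! Assumed: the plant LAN 10.20.21.0/24 sits behind an interface named InsidePlant.
!
! --- objects (names as used in the thread) ---
object network Man-local
 subnet 192.168.4.0 255.255.255.0
object network NAT_Pool
 subnet 192.168.254.0 255.255.255.0
object network ManPlant-local
 subnet 10.20.21.0 255.255.255.0
object-group network Man-remote
 network-object 10.99.0.0 255.255.0.0
!
! --- NAT ---
! Section 1 (manual/twice NAT) is evaluated top-down and before the auto NAT
! in section 2, so the VPN-bound rules go here, ahead of the internet PAT.
!
! Office LAN: translate to the pool only when the destination is HQ.
nat (InsideOffice,Outside) 1 source static Man-local NAT_Pool destination static Man-remote Man-remote no-proxy-arp route-lookup
! Plant LAN: identity (exempt) NAT so 10.20.21.0/24 enters the tunnel untranslated.
nat (InsidePlant,Outside) 2 source static ManPlant-local ManPlant-local destination static Man-remote Man-remote no-proxy-arp route-lookup
!
! Section 2 (auto NAT): everything else from the inside networks is PATed to the
! outside interface address; it is only reached if no section-1 rule matched.
object network Man-local
 nat (InsideOffice,Outside) dynamic interface
object network ManPlant-local
 nat (InsidePlant,Outside) dynamic interface
!
! --- crypto ACL: must describe the traffic as it looks AFTER NAT ---
! The office LAN appears to HQ as the pool, the plant LAN as its real addresses.
access-list Outside_cryptomap extended permit ip object NAT_Pool object-group Man-remote
access-list Outside_cryptomap extended permit ip object ManPlant-local object-group Man-remote
!
! --- IKEv1 site-to-site (policy and transform set are assumed values) ---
crypto ikev1 enable Outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS_AES256_SHA esp-aes-256 esp-sha-hmac
!
crypto map CMAP_01 20 match address Outside_cryptomap
crypto map CMAP_01 20 set peer 95.12.122.33
crypto map CMAP_01 20 set ikev1 transform-set TS_AES256_SHA
crypto map CMAP_01 20 set pfs group14
crypto map CMAP_01 interface Outside
!
tunnel-group 95.12.122.33 type ipsec-l2l
tunnel-group 95.12.122.33 ipsec-attributes
 ikev1 pre-shared-key <your-pre-shared-key>
```

Two checks before calling it done. First, `packet-tracer input InsidePlant tcp 10.20.21.10 12345 10.99.1.10 443 detailed` (assumed host addresses) should show the NAT phase hitting the section-1 identity rule and the VPN phase encrypting the packet; if it shows the dynamic PAT instead, the exempt rule is either below the PAT or not matching, and `show nat detail` will show zero translate_hits on it. Second, HQ's crypto ACL has to be the mirror image of `Outside_cryptomap` (10.99.0.0/16 to 192.168.254.0/24 and to 10.20.21.0/24); any difference in the proxy identities makes phase 2 fail, which `show crypto ipsec sa peer 95.12.122.33` and the IKE debug on either side will expose.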