07-24-2012 07:21 AM - edited 03-11-2019 04:34 PM
I'm setting up a new ASA that will be used for L2L VPN. I am setting up a tunnel that will need to permit all of our internal RFC1918 addresses through with no NAT.
In pre 8.3, we used a nat 0 command with an access list. However, that is now gone.
My object group is as follows:
object-group network Internal-Hosts
network-object 10.128.0.0 255.128.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
I used the new command:
nat (inside,outside) source static Internal-Hosts Internal-Hosts no-proxy-arp route-lookup
However, I get the following errors:
ERROR: 10.128.0.0-10.255.255.255 overlaps with failover interface address
ERROR: NAT Policy is not downloaded
This is true, our failover interface is in that subnet.
Do I have to re-do my object group and separate the 10.128.0.0 supernet to eliminate my failover subnet? Or is there another way?
Thanks.
Jason
07-24-2012 07:29 AM
That should work without changing your object-groups. But your NAT exemption command is not complete, as the destination is missing. Try it that way:
nat (inside,outside) source static Internal-Hosts Internal-Hosts destination static REMOTE-NETWORKS REMOTE-NETWORKS description NAT-Excempt for VPN
07-24-2012 07:51 AM
I still get the same error about the overlap with the failover address.
However, I found that if I remove the failover lines, add the NAT and then re-add the failover, it seems to work.
This is a pain though...
08-06-2012 03:22 PM
I have been running into the same problem, and I finally solved it by separating the object-groups used for NAT from the ones used elsewhere. So now I have 2 separate objects and groups:
!-- Define each network object
object network internal1-network
subnet 192.168.1.0 255.255.255.0
object network internal2-network
subnet 192.168.2.0 255.255.255.0
object network internal1-nat
range 192.168.1.3 192.168.1.254
object network internal2-nat
range 192.168.2.3 192.168.2.254
!-- Then define groups
object-group network Internal-Hosts
network-object object internal1-network
network-object object internal2-network
object-group network Internal-NAT
network-object object internal1-nat
network-object object internal2-nat
!-- Use the "NAT" group for nat commands
nat (inside,outside) source static Internal-NAT Internal-NAT no-proxy-arp route-lookup
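An added check for the overlap error in the original question and the separate-NAT-objects fix in this last post (example code, not from the thread or from Cisco). It parses the object-group exactly as posted, reports which entries the ASA would reject for overlapping the failover subnet, and rewrites the offending supernet into the blocks that exclude that subnet, in ASA syntax. The failover subnet 10.200.0.0/24 is an assumed placeholder; the thread never states the real one.

```python
import ipaddress
import re

# Constructed sample: the poster's object-group, plus an assumed failover
# subnet (10.200.0.0/24); the thread never says which subnet failover uses.
OBJECT_GROUP = """\
object-group network Internal-Hosts
 network-object 10.128.0.0 255.128.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
"""
FAILOVER_SUBNET = ipaddress.ip_network("10.200.0.0/24")
NET_OBJ = re.compile(r"^\s*network-object\s+(\S+)\s+(\S+)\s*$")

def parse_object_group(text):
    """Collect the 'network-object <addr> <mask>' entries as IPv4Network objects."""
    nets = []
    for line in text.splitlines():
        m = NET_OBJ.match(line)
        if m:
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return nets

def overlapping(nets, subnet):
    """Entries the ASA would reject as overlapping the failover subnet."""
    return [n for n in nets if n.overlaps(subnet)]

def carve_out(nets, subnet):
    """Rewrite the list so no entry touches subnet, splitting supernets as needed."""
    result = []
    for n in nets:
        if subnet.subnet_of(n):
            result.extend(n.address_exclude(subnet))  # punch the hole out of the supernet
        elif n.subnet_of(subnet):
            continue  # entry lies entirely inside the failover subnet: drop it
        else:
            result.append(n)
    return sorted(result)

def covers(nets, addr):
    """True if any entry contains the given address (string form)."""
    return any(ipaddress.ip_address(addr) in n for n in nets)

def render(nets, name):
    """Emit the rewritten list in ASA object-group syntax."""
    lines = [f"object-group network {name}"]
    lines += [f" network-object {n.network_address} {n.netmask}" for n in nets]
    return "\n".join(lines)
```

Calling `render(carve_out(parse_object_group(OBJECT_GROUP), FAILOVER_SUBNET), "Internal-NAT")` prints a NAT-only group in which 10.128.0.0/9 is replaced by the 15 blocks that surround the excluded /24, so the identity NAT rule no longer overlaps the failover interface address.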