Upgrading to ASA 9 - Unable to NAT Exempt

aelsbernd
Level 1

Trying to upgrade to ASA 9....

We have a few remote Easy VPN ASA 5505s that connect, but I am unable to ping the remote LAN.  How can I exempt these networks from what I have here.....

(What I currently have for the 5505s - not working)

nat (inside,outside) source dynamic DYNAMIC-INSIDE interface destination static REMOTE-NETWORKS REMOTE-NETWORKS

(What I currently have for VPN users - seems to be working)

nat (inside,outside) source static DYNAMIC-INSIDE DYNAMIC-INSIDE destination static VPN VPN no-proxy-arp

nat (inside,outside) after-auto source dynamic DYNAMIC-INSIDE interface

Let me know if there any info you need or if I'm way off on this.


5 Replies

Jouni Forss
VIP Alumni

Hi,

The configuration you have for VPN Clients is basically the way to do NAT Exempt for all remote networks behind a VPN connection, whether it's a VPN Client pool, EasyVPN Client or L2L VPN.

The basic format is

object network LOCAL-LAN
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.10.100.0 255.255.255.0

nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN

or in case you have several networks at local and remote sites then you could use

object-group network LOCAL-LAN
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
object-group network REMOTE-LAN
 network-object 10.10.100.0 255.255.255.0
 network-object 10.10.200.0 255.255.255.0

nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN

The configuration you have currently

nat (inside,outside) source dynamic DYNAMIC-INSIDE interface destination static REMOTE-NETWORKS REMOTE-NETWORKS

NATs the IP addresses inside DYNAMIC-INSIDE to the "outside" interface IP address because of the parameter "interface".

So basically you should remove this configuration and replace it with, for example, the ones I mentioned. Naturally name them as you see fit and use the networks that apply to your situation.

Hopefully this helps

Remember to mark the question as answered if it did and/or rate helpful answers.

Naturally ask more if needed

- Jouni

Jouni,

Thanks for the reply.  I have my config now set to:

nat (inside,outside) source static DYNAMIC-INSIDE DYNAMIC-INSIDE destination static REMOTE-NETWORKS REMOTE-NETWORKS

Still not working for me.... I believe it has something to do with this line...

nat (inside,outside) after-auto source dynamic DYNAMIC-INSIDE interface

When this line is removed, I am able to ping the remote networks; however, the LAN I'm on now loses internet access.

Hi,

The configuration you mention

nat (inside,outside) after-auto source dynamic DYNAMIC-INSIDE interface

will only override the new type of NAT0 / NAT Exempt configuration if traffic doesn't match the configured rule.

So on the basis of that, please check that DYNAMIC-INSIDE and REMOTE-NETWORKS match the actual networks you have configured for the VPN connections. Make sure they contain the networks related to the Easy VPN connections.

If you don't have many configurations on the ASA then naturally removing the last NAT configuration (the Dynamic PAT) makes it so that the ASA doesn't NAT any traffic past the ASA, and this is why the connections work then.

So double-check the networks in the NAT configurations.

Or alternatively provide us with the complete NAT configurations and the configuration of the related "object" and "object-group" used. Also mention the local networks and remote networks.

- Jouni
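The two points Jouni makes above (an identity twice-NAT rule exempts VPN traffic only when its objects really contain the networks, and an "after-auto" dynamic PAT catches whatever the exempt rule does not match) can be checked with a small first-match model of the ASA 8.3+ NAT table. This is an added example written for this thread, not code from the thread or from Cisco. It reuses the thread's object names and the 10.10.x.0/24 networks from the reply; the outside interface address 203.0.113.1, the host addresses and the "typo" object are constructed for the demonstration, and the dict keys ("section", "translate", rule labels) are this model's own, not ASA syntax.

```python
"""Added example: first-match model of an ASA 8.3+ NAT table.

Not code from the thread. Object names come from the thread; the outside
interface address, host addresses and the typo'd object are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed: what the "interface" keyword in the PAT rule resolves to.
OUTSIDE_INTERFACE_IP = "203.0.113.1"

# ASA evaluates section 1 (manual twice NAT), then section 2 (object/auto NAT),
# then section 3 (manual rules entered with "after-auto"). First match wins,
# config order decides inside a section.
SECTION_RANK = {"manual": 1, "auto": 2, "after-auto": 3}


def in_object(objects, name, addr):
    """True if addr is inside any subnet of the named object / object-group."""
    return any(ip_address(addr) in ip_network(net) for net in objects[name])


def lookup(rules, objects, src, dst):
    """Return (rule label, translated source address) for a flow src -> dst.

    A rule is a dict: section, label, source object, destination object or
    None, and translate, which is "identity" (NAT exempt) or "interface".
    """
    ordered = sorted(enumerate(rules),
                     key=lambda item: (SECTION_RANK[item[1]["section"]], item[0]))
    for _, rule in ordered:
        if not in_object(objects, rule["source"], src):
            continue
        if rule["destination"] and not in_object(objects, rule["destination"], dst):
            continue
        if rule["translate"] == "identity":
            return rule["label"], src               # source left untouched
        return rule["label"], OUTSIDE_INTERFACE_IP  # dynamic PAT to outside
    return "no-nat", src


# Jouni's recommended pair, i.e. the thread's lines
#   nat (inside,outside) source static DYNAMIC-INSIDE DYNAMIC-INSIDE destination static REMOTE-NETWORKS REMOTE-NETWORKS
#   nat (inside,outside) after-auto source dynamic DYNAMIC-INSIDE interface
WORKING_RULES = [
    {"label": "nat-exempt", "section": "manual", "source": "DYNAMIC-INSIDE",
     "destination": "REMOTE-NETWORKS", "translate": "identity"},
    {"label": "pat-internet", "section": "after-auto", "source": "DYNAMIC-INSIDE",
     "destination": None, "translate": "interface"},
]

# The original poster's first attempt: "source dynamic ... interface" still
# PATs to the outside address even though a destination is specified.
FIRST_ATTEMPT_RULES = [
    {"label": "dynamic-with-dst", "section": "manual", "source": "DYNAMIC-INSIDE",
     "destination": "REMOTE-NETWORKS", "translate": "interface"},
    WORKING_RULES[1],
]

GOOD_OBJECTS = {
    "DYNAMIC-INSIDE": ["10.10.10.0/24", "10.10.20.0/24"],
    "REMOTE-NETWORKS": ["10.10.100.0/24", "10.10.200.0/24"],
}
# Constructed typo: one octet wrong in the remote object, the kind of slip
# that resolved the thread. The exempt rule then never matches VPN traffic.
TYPO_OBJECTS = {
    "DYNAMIC-INSIDE": GOOD_OBJECTS["DYNAMIC-INSIDE"],
    "REMOTE-NETWORKS": ["10.10.110.0/24", "10.10.200.0/24"],
}


def demo():
    """Run the four cases discussed in the thread and return their results."""
    return {
        "vpn, correct objects":
            lookup(WORKING_RULES, GOOD_OBJECTS, "10.10.10.5", "10.10.100.7"),
        "internet, correct objects":
            lookup(WORKING_RULES, GOOD_OBJECTS, "10.10.10.5", "198.51.100.9"),
        "vpn, typo in REMOTE-NETWORKS":
            lookup(WORKING_RULES, TYPO_OBJECTS, "10.10.10.5", "10.10.100.7"),
        "vpn, first attempt (dynamic + interface)":
            lookup(FIRST_ATTEMPT_RULES, GOOD_OBJECTS, "10.10.10.5", "10.10.100.7"),
    }


if __name__ == "__main__":
    for case, (rule, translated) in demo().items():
        print(f"{case:42s} -> {rule:16s} source becomes {translated}")
```

The third case is the failure mode from the thread: with one wrong octet in REMOTE-NETWORKS the identity rule in section 1 does not match, the flow falls through to the after-auto PAT, and the VPN peer sees packets from the outside interface address instead of the LAN host, which is why pings to the remote LAN failed while internet access kept working. On a real ASA the equivalent check is "show nat" (the translate_hits/untranslate_hits counters) or "packet-tracer" against a VPN destination.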

Oh wow, that was it.... Silly mistake.... typo in the IP addresses.

Thank you for pointing me in the right direction.

Great to hear it's working now

- Jouni
