03-26-2020 06:37 AM
Hello, I've used the ASA 5505 for years and recently got some 5506-X units in to set up as home office devices for users working from home. I knew there were some differences, but I'm confused on a few things when comparing the configs between the 5505 and the 5506. I understand the bridge groups to tie the interfaces together, but I'm confused about NAT and the ACLs. I've attached two sanitized configs. The 5505 setup works like a charm. Do I need these nat statements if I'm routing everything over a tunnel? Also, would I need an ACL for each interface, something like access-list inside_1 permit any any? Let me know if there are any questions.
nat (inside_1,outside) source dynamic any interface dns
nat (inside_2,outside) source dynamic any interface dns
nat (inside_3,outside) source dynamic any interface dns
nat (inside_4,outside) source dynamic any interface dns
nat (inside_5,outside) source dynamic any interface dns
nat (inside_6,outside) source dynamic any interface dns
nat (inside_7,outside) source dynamic any interface dns
Remote setup would be one network on inside with a phone and PC and the DHCP for outside and device brings up tunnel. Full routing across VPN tunnel.
Thanks in advance!
03-26-2020 10:43 AM - edited 03-26-2020 12:11 PM
Hi,
I cleaned up your config, see attached.
Regards,
Cristian Matei.
03-26-2020 11:35 AM
Sorry, but I accidentally clicked the accept button. This isn't working. You can't use the BVI address in a NAT statement.
03-26-2020 11:36 AM
I thought I'd add a screenshot. I did add nameif inside_1 back to in1/2.
tracysmithermanvpn(config)# nat (?
configure mode commands/options:
Current available interface(s):
any Global address space
inside_1 Name of interface GigabitEthernet1/2
outside Name of interface GigabitEthernet1/1
tracysmithermanvpn(config)# nat (
ERROR: % Incomplete command
tracysmithermanvpn(config)#
03-26-2020 12:13 PM
Hi,
I failed to see that we were speaking about the 5506. I re-attached your configuration. As you're sending all traffic through the tunnel (including Internet traffic, if there is any), there is no need for any NAT statements at all (for Internet access, or exclusions for VPN traffic).
Regards,
Cristian Matei.