Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5330
Views
0
Helpful
4
Replies

ASA NAT Exemption

Go to solution
Gordon Ross
Level 9
Level 9

‎08-19-2011 05:58 AM - edited ‎03-11-2019 02:14 PM

I'm running ASA software 8.4(2)

I've setup the anyconnect VPN system, and it works fine. However, it's NATing to the inside interface of the ASA. How do I do the NAT exclude ?

The docs say you *used* to do:

access-list no_nat permit ip 192.168.0.0 255.255.255.0 any
nat (inside) 0 access-list no_nat

However, with the latest software, this isn't valid any more.
I tried:

object network SSLVPN
  subnet 192.168.0.0 255.255.255.0
nat (inside,any) source static SSLVPN SSLVPN no-proxy-arp

But my packets are still getting NATed.

Suggestions, please ?

Thanks,


GTG

Please rate all helpful posts.
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
varrao
Level 10
Level 10

‎08-19-2011 06:04 AM

Hi Gordon,

You might wanna try this:

Lets you had the following nat statement in the previous code:

access-list SSLVPN permit ip 10.0.0.0 255.0.0.0 20.0.0. 255.0.0.0
nat (inside) 0 access-list SSLVPN

The new NAT would be:

object network internal_subnet

  subnet 10.0.0.0 255.0.0.0

object network remote_network

  subnet 20.0.0.0 255.0.0.0

nat (inside,outside) source static internal_subnet internal_subnet destination static remote_network remote_network

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao

View solution in original post

0 Helpful
4 Replies 4

Go to solution
varrao
Level 10
Level 10

‎08-19-2011 06:04 AM

Hi Gordon,

You might wanna try this:

Lets you had the following nat statement in the previous code:

access-list SSLVPN permit ip 10.0.0.0 255.0.0.0 20.0.0. 255.0.0.0
nat (inside) 0 access-list SSLVPN

The new NAT would be:

object network internal_subnet

  subnet 10.0.0.0 255.0.0.0

object network remote_network

  subnet 20.0.0.0 255.0.0.0

nat (inside,outside) source static internal_subnet internal_subnet destination static remote_network remote_network

Hope this helps.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

Go to solution
varrao
Level 10
Level 10
In response to varrao

‎08-19-2011 06:05 AM

Here's a doc as well, PFA

-Varun

Please rate helpful posts.

Thanks,
Varun Rao
Preview file
11 KB
0 Helpful

Go to solution
Gordon Ross
Level 9
Level 9
In response to varrao

‎08-19-2011 06:10 AM 

object network internal_subnet
  subnet 10.0.0.0 255.0.0.0
object network remote_network
  subnet 20.0.0.0 255.0.0.0
nat (inside,outside) source static internal_subnet internal_subnet destination static remote_network remote_network

So is the remote_subnet the ip pool subnet that the VPN clients are assigned by the ASA, and the internal_subnet the subnet the VPN clients want to access ?

GTG

Please rate all helpful posts.
0 Helpful

Go to solution
varrao
Level 10
Level 10
In response to Gordon Ross

‎08-19-2011 06:15 AM

Yes, absolutely, if you are doing remote access vpn.

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card