03-16-2017 09:57 AM - edited 03-12-2019 02:04 AM
I am trying to figure out how multiple NAT rules configured may be causing our VPN tunnels to malfunction.
Basically what we have done is for each L2L tunnel, for a NAT exemption, we create a NAT rule like so:
nat (ServerDMZ,Outside) source static ServerDMZ ServerDMZ destination static SITE1_LAN SITE1_LAN no-proxy-arp route-lookup desc OFFICE1 NO NAT
nat (ServerDMZ,Outside) source static ServerDMZ ServerDMZ destination static SITE2_LAN SITE2_LAN no-proxy-arp route-lookup desc OFFICE2 NO NAT
Now my question here is that I do believe that the ASA will exclaim overlapping rules exist when configuring like this, so what is the proper way to configure this? I believe overlapping rules, primarily where the source interface and destination interface are the same in each rule, may potentially be causing issues with the negotiation of our VPN tunnels, although I have been unable to substantiate this hypothesis with evidence.
Furthermore, the question has come up: "is there ever a situation where it is 'appropriate' to be using 'any' in the source or destination network?"
e.g.
nat (Inside,Outside) source static any any destination static Cisco_Client_VPN_Pool Cisco_Client_VPN_Pool no-proxy-arp route-lookup
03-16-2017 11:36 AM
In my experience, creating rules like this should not have an impact on negotiation of VPN tunnels. Even though the source and destination interfaces are the same, the destination network is different for each tunnel - which should be able to resolve any conflicts.
To your second question, this again should not be a problem as the destination network is specific. The only reason I can see is to reduce the number of NAT rules when you have multiple internal networks. This is also mentioned in the ASA config guide:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_rules.html#wp1232160
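To make the answer above concrete, here is an added example (not from this thread) showing the per-tunnel exemption rules next to a grouped alternative that keeps the destination specific instead of using "any", followed by the commands used to confirm which rule a flow hits. The object names are the ones from the question; the subnets and host addresses are constructed placeholders.

```cisco
! Objects for the local DMZ and each remote site (subnets are constructed placeholders)
object network ServerDMZ
 subnet 192.0.2.0 255.255.255.0
object network SITE1_LAN
 subnet 198.51.100.0 255.255.255.0
object network SITE2_LAN
 subnet 203.0.113.0 255.255.255.0

! Option A: one identity (exemption) rule per tunnel, as in the question.
! Same interface pair, but a different destination in each rule, so a given
! packet can only match one of them; there is no real overlap here.
nat (ServerDMZ,Outside) source static ServerDMZ ServerDMZ destination static SITE1_LAN SITE1_LAN no-proxy-arp route-lookup description OFFICE1 NO NAT
nat (ServerDMZ,Outside) source static ServerDMZ ServerDMZ destination static SITE2_LAN SITE2_LAN no-proxy-arp route-lookup description OFFICE2 NO NAT

! Option B (use instead of A, not alongside it): group the remote LANs so a
! single rule covers every tunnel without falling back to "any".
object-group network L2L_REMOTE_LANS
 network-object object SITE1_LAN
 network-object object SITE2_LAN
nat (ServerDMZ,Outside) source static ServerDMZ ServerDMZ destination static L2L_REMOTE_LANS L2L_REMOTE_LANS no-proxy-arp route-lookup description L2L NO NAT

! Verification: list the rules in evaluation order with hit counts, then trace a
! DMZ-to-site flow. The NAT phase of the trace should name the identity rule and
! the VPN phase should show the flow being encrypted; if the trace instead hits a
! dynamic PAT rule, the exemption is ordered or scoped wrong.
show nat detail
packet-tracer input ServerDMZ tcp 192.0.2.10 12345 198.51.100.10 443 detailed
```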
03-16-2017 01:30 PM
Thanks Rahul
That only furthers the head-scratching process in regards to the problems with our tunnels (working with TAC on this as time permits).
It seems that they come up but they do not pass traffic.
Your advice does add to the process of elimination and to my understanding, so it is much appreciated.