NAT clarification for VPN

burleyman
Level 11

Please correct me if I am wrong.

 

For site-to-site VPNs and client VPN access into the private LAN, and from the private LAN to the VPN clients and sites, I do not need to configure No NAT with the newer 9.x ASA software.

 

The older (pre-8.3) No NAT for this would have been:

access-list 100 extended permit ip 10.10.1.0 255.255.255.0 192.168.10.0 255.255.255.0

nat (inside) 0 access-list 100

 

Now with ASA 9.x, or more accurately 8.3 and newer, I would not need to configure anything for NAT with this. Correct?

 

 

Mike
 

 

Accepted Solution

Yes, that's the way to configure it. But also add the keywords "no-proxy-arp route-lookup" to the end of the NAT statement, as it can avoid problems in many situations. And if there are other NAT statements in section one, you probably want to have it at the beginning:

nat (inside,outside) 1 source static NET-10.10.10.0_24 NET-10.10.10.0_24 destination static NET-172.16.100.0_24 NET-172.16.100.0_24 no-proxy-arp route-lookup
--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

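To tie the two points of this thread together (the first reply's "it depends on whether you still NAT to the outside" and the accepted answer's section-1 rule with no-proxy-arp route-lookup), here is a fuller ASA 8.3+ configuration as an added example. It is not taken from the thread or from Cisco documentation; it reuses the thread's object names and subnets and assumes an interface pair named inside/outside, a hub-style internet PAT on the same LAN, and placeholder host addresses for the verification commands.

```cisco
! Added example (not from the original post). Assumed: Site A LAN
! 10.10.10.0/24 behind "inside", Site B LAN 172.16.100.0/24 over "outside".
object network NET-10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0
object network NET-172.16.100.0_24
 subnet 172.16.100.0 255.255.255.0
!
! Section 1 (manual / twice NAT), pinned to line 1 so it is evaluated before
! any other section-1 rule. Identity NAT on both source and destination keeps
! the VPN traffic untranslated in both directions.
!   no-proxy-arp : the ASA does not answer ARP for these subnets on the
!                  mapped interface.
!   route-lookup : the egress interface is taken from the routing table,
!                  not from the interface named in the rule.
nat (inside,outside) 1 source static NET-10.10.10.0_24 NET-10.10.10.0_24 destination static NET-172.16.100.0_24 NET-172.16.100.0_24 no-proxy-arp route-lookup
!
! Section 2 (object NAT): ordinary internet PAT for the same LAN. This is the
! rule that makes the exemption necessary: without the section-1 rule above,
! traffic for 172.16.100.0/24 would be PATed to the outside address and
! would never match the crypto ACL (which must use the same two subnets).
object network NET-10.10.10.0_24
 nat (inside,outside) dynamic interface
!
! Checks (10.10.10.5, 172.16.100.5 and 8.8.8.8 are placeholder hosts):
! the first trace should hit the section-1 identity rule, the second the
! section-2 PAT rule.
! show nat detail
! packet-tracer input inside tcp 10.10.10.5 40000 172.16.100.5 443 detailed
! packet-tracer input inside tcp 10.10.10.5 40000 8.8.8.8 443 detailed
```

If the packet-tracer for the remote subnet shows the section-2 PAT rule instead of the identity rule, the section-1 entry is missing or sits below an earlier, broader section-1 rule; "show nat detail" lists the rules in evaluation order and the hit counts of each.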

5 Replies

It depends. If you still have NAT from your LAN to the outside network (typically you have), then you also have to configure NAT exemption on ASA v8.3+.

It's done with twice-NAT in Section 1 of the NAT rules.


That is what I thought but I had someone telling me I did not, but I think he was confused.

So if I have a subnet of 10.10.10.0/24 for Site A and a subnet of 172.16.100.0/24 for Site B, I would configure this in Site A's ASA:

object network NET-10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0

object network NET-172.16.100.0_24
 subnet 172.16.100.0 255.255.255.0


nat (inside,outside) source static NET-10.10.10.0_24 NET-10.10.10.0_24 destination static NET-172.16.100.0_24 NET-172.16.100.0_24

 

 

Mike


Thanks for your help.

 

Mike
