
NAT clarification for VPN

burleyman
Level 8

Please correct me if I am wrong.

 

For site-2-site VPNs and client VPN access into the private LAN and from the private LAN to the VPN clients and sites, I do not need to configure No NAT with the newer 9.x ASA software.

 

The older (Pre 8.3) No NAT for this would have been....

access-list 100 extended permit ip 10.10.1.0 255.255.255.0 192.168.10.0 255.255.255.0

nat (inside) 0 access-list 100

 

Now with ASA 9.x, or more accurately 8.3 and newer... I would not need to configure anything for NAT with this... correct?

 

 

Mike
 

 


It depends. If you still have NAT from your LAN to the outside network (typically you have), then you also have to configure NAT exemption on ASA v8.3+.

It's done with twice-NAT in Section 1 of the NAT rules.

That is what I thought but I had someone telling me I did not, but I think he was confused.

So if I have a subnet of 10.10.10.0/24 for Site A and a subnet of 172.16.100.0/24 for Site B, I would configure this in Site A's ASA:

object network NET-10.10.10.0_24
 subnet 10.10.10.0 255.255.255.0

object network NET-172.16.100.0_24
 subnet 172.16.100.0 255.255.255.0


nat (inside,outside) source static NET-10.10.10.0_24 NET-10.10.10.0_24 destination static NET-172.16.100.0_24 NET-172.16.100.0_24

 

 

Mike

Yes, that's the way to configure it. But also add the keywords "no-proxy-arp route-lookup" to the end of the NAT statement, as it can avoid problems in many situations. And if there are other NAT statements in section one, you probably want to have it at the beginning:

nat (inside,outside) 1 source static NET-10.10.10.0_24 NET-10.10.10.0_24 destination static NET-172.16.100.0_24 NET-172.16.100.0_24 no-proxy-arp route-lookup

Thanks for your help.

 

Mike
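
A way to audit the ordering and keyword advice from this thread against a saved configuration, as an added example that is not part of the original posts. It assumes the manual NAT lines are supplied in their Section 1 order; `OBJ-ANY` and the function name `audit_exemption` are hypothetical, and the ordering check is a heuristic that flags any earlier rule on the same interface pair that has no destination clause.

```python
import re

# Constructed sample: manual (twice) NAT lines in configuration order.
# Object names reuse the thread's; OBJ-ANY is a hypothetical "all inside hosts" object.
SAMPLE_NAT = """\
nat (inside,outside) source dynamic OBJ-ANY interface
nat (inside,outside) source static NET-10.10.10.0_24 NET-10.10.10.0_24 destination static NET-172.16.100.0_24 NET-172.16.100.0_24
"""

# Matches ASA 8.3+ manual NAT lines, with an optional after-auto and line number.
RULE = re.compile(
    r"^nat \((?P<real>\S+),(?P<mapped>\S+)\)\s+(?P<after>after-auto\s+)?(?:\d+\s+)?"
    r"source (?P<kind>static|dynamic) (?P<src>\S+) (?P<msrc>\S+)"
    r"(?: destination static (?P<dst>\S+) (?P<mdst>\S+))?(?P<opts>.*)$")


def audit_exemption(nat_config, local, remote):
    """Return findings for the local -> remote identity (NAT exemption) rule."""
    rules = [m for m in (RULE.match(l.strip()) for l in nat_config.splitlines())
             if m and not m["after"]]  # after-auto rules are Section 3, skip them
    idx = next((i for i, r in enumerate(rules)
                if r["kind"] == "static" and r["src"] == r["msrc"] == local
                and r["dst"] == r["mdst"] == remote), None)
    if idx is None:
        return [f"no Section 1 identity twice-NAT rule for {local} -> {remote}"]
    exempt, findings = rules[idx], []
    for kw in ("no-proxy-arp", "route-lookup"):
        if kw not in exempt["opts"].split():
            findings.append("exemption rule lacks " + kw)
    # Section 1 is evaluated first-match in order, so an earlier rule without a
    # destination clause can translate the VPN-bound traffic before the exemption.
    for r in rules[:idx]:
        if (r["real"], r["mapped"]) == (exempt["real"], exempt["mapped"]) and r["dst"] is None:
            findings.append("earlier rule may match first: " + r.string)
    return findings


if __name__ == "__main__":
    for finding in audit_exemption(SAMPLE_NAT, "NET-10.10.10.0_24", "NET-172.16.100.0_24"):
        print(finding)
```
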
