NAT config for IPSEC L2L tunnel

mahesh18
Level 6

Hi Everyone,

I have configured 5 IPsec L2L tunnels on the ASA outside interface and need to know what NAT config I should do on the ASA.

I have an ACL configured for the interesting traffic and also NAT-T disabled under the crypto map.

Do I still need any NAT config for the VPN traffic?

Regards

Mahesh

8 Replies

If you have dynamic NAT or any other NAT statements on the ASA that match the interesting traffic, then yes, you will need identity NAT (NAT exempt) statements on the ASA. They will look something like the following:

object network LOCAL_LAN
  subnet 10.10.1.0 255.255.255.0
object network REMOTE_LAN
  subnet 11.11.1.0 255.255.255.0
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN

You would need to do something similar for each site-to-site VPN you have configured. You can of course reuse your LOCAL_LAN object.

--
Please remember to select a correct answer and rate helpful posts

I checked the NAT statements for the interesting traffic, meaning the source LAN subnet and destination subnet, and found none.

I only found the network object groups, but no NAT statements or config as you mentioned in the above post.

So how is the traffic flowing without any NAT config for the interesting traffic subnets?

Is the ASA the gateway for internet traffic for your local LAN? Are there any NAT statements at all configured on the ASA?

--
Please remember to select a correct answer and rate helpful posts

Yes, the ASA has a few NAT statements.

No, the ASA is not the gateway for internet traffic.

Then there should be no need for NAT statements for this VPN traffic. However, you need to double check to make sure that none of the NAT statements match the interesting traffic for your VPN tunnels.

--
Please remember to select a correct answer and rate helpful posts
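The "double check that none of the NAT statements match the interesting traffic" step above, and the identity NAT (NAT exempt) rule from the earlier reply, are what the following script checks offline against a saved `show running-config`. This is an added example and not code from the thread or from Cisco: it parses `object network` definitions, object (auto) NAT, twice NAT and `permit ip` crypto-ACL entries, then walks the ASA NAT sections in evaluation order (section 1 manual NAT, section 2 object NAT, section 3 `after-auto` manual NAT) and reports, per crypto ACE, whether the first matching rule is an identity rule, a translating rule, or whether no rule matches at all (the poster's situation). The sample configuration is constructed for the example; the `INSIDE_DYNAMIC` object with its hypothetical `dynamic interface` rule and the second tunnel `VPN_SITE2` are assumptions added to show a tunnel that the single identity rule does not cover. Ordering within a NAT section and non-`ip` ACEs are not modeled.

```python
"""Check whether IPsec interesting traffic is exempt from NAT on a Cisco ASA.

Added example (not from the original thread). Models ASA NAT evaluation order:
section 1 (manual/twice NAT), section 2 (object NAT), section 3 (after-auto).
'source static X X [destination static Y Y]' is treated as identity NAT.
Ordering inside a section is not modeled; only 'permit ip' ACEs are parsed.
"""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample config, not the poster's. INSIDE_DYNAMIC and VPN_SITE2 are
# hypothetical: the object NAT rule would PAT all of 10.10.1.0/24 to the outside
# address, and the twice-NAT identity rule only exempts the first tunnel.
SAMPLE_CONFIG = """\
object network LOCAL_LAN
 subnet 10.10.1.0 255.255.255.0
object network REMOTE_LAN
 subnet 11.11.1.0 255.255.255.0
object network REMOTE_LAN_2
 subnet 12.12.1.0 255.255.255.0
object network INSIDE_DYNAMIC
 subnet 10.10.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
access-list VPN_SITE1 extended permit ip object LOCAL_LAN object REMOTE_LAN
access-list VPN_SITE2 extended permit ip 10.10.1.0 255.255.255.0 object REMOTE_LAN_2
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN
"""

TWICE_NAT = re.compile(
    r"nat \(\S+,\S+\) (?P<after>after-auto )?source (?P<kind>static|dynamic) "
    r"(?P<real>\S+) (?P<mapped>\S+)(?: destination static (?P<dreal>\S+) (?P<dmapped>\S+))?"
)
ACE = re.compile(r"access-list (?P<name>\S+) extended permit ip (?P<rest>.+)")


def _addr(tokens, objects):
    """Consume one ACE address spec: any | object NAME | host IP | IP MASK."""
    t = tokens.pop(0)
    if t in ("any", "any4"):
        return ANY
    if t == "object":
        return objects[tokens.pop(0)]
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}")


def parse_config(text):
    """Return (objects, nat_rules, crypto_aces) from ASA running-config text."""
    objects, rules, aces, current = {}, [], [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = re.match(r"object network (\S+)$", raw)
        if m:
            current = m.group(1)
            continue
        if raw.startswith(" ") and current:
            parts = raw.split()
            if parts[0] == "subnet":
                objects[current] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
            elif parts[0] == "host":
                objects[current] = ipaddress.ip_network(parts[1] + "/32")
            elif parts[0] == "nat":
                # Object (auto) NAT: section 2, matches any destination, translates.
                rules.append({"src": current, "dst": None, "identity": False,
                              "section": 2, "text": raw.strip()})
            continue
        current = None
        m = TWICE_NAT.match(raw)
        if m:
            identity = (m["kind"] == "static" and m["real"] == m["mapped"]
                        and (m["dreal"] is None or m["dreal"] == m["dmapped"]))
            rules.append({"src": m["real"], "dst": m["dreal"], "identity": identity,
                          "section": 3 if m["after"] else 1, "text": raw})
            continue
        m = ACE.match(raw)
        if m:
            tokens = m["rest"].split()
            aces.append((m["name"], _addr(tokens, objects), _addr(tokens, objects)))
    for r in rules:  # resolve object names; a missing destination means any
        r["src"] = objects[r["src"]]
        r["dst"] = ANY if r["dst"] is None else objects[r["dst"]]
    return objects, rules, aces


def audit_vpn_nat(text):
    """One (acl, src, dst, verdict, matched_rule) tuple per crypto ACE."""
    _, rules, aces = parse_config(text)
    rules.sort(key=lambda r: r["section"])  # stable sort keeps config order per section
    findings = []
    for acl, src, dst in aces:
        hit = next((r for r in rules
                    if r["src"].overlaps(src) and r["dst"].overlaps(dst)), None)
        if hit is None:
            verdict = "no NAT rule matches"
        elif hit["identity"]:
            verdict = "identity NAT (exempt)"
        else:
            verdict = "TRANSLATED"
        findings.append((acl, str(src), str(dst), verdict, hit["text"] if hit else None))
    return findings


if __name__ == "__main__":
    for acl, src, dst, verdict, rule in audit_vpn_nat(SAMPLE_CONFIG):
        print(f"{acl}: {src} -> {dst}: {verdict}" + (f"  [{rule}]" if rule else ""))
```

Running it on the sample reports VPN_SITE1 as exempt (the section 1 identity rule wins before the object NAT rule is considered) and VPN_SITE2 as translated by the `dynamic interface` rule, which is exactly the case where the tunnel comes up but traffic arrives at the peer from the wrong source address. On the ASA itself the authoritative check is `packet-tracer input inside tcp <src> <sport> <dst> <dport>`, whose NAT phase names the rule that was hit, alongside `show nat detail` for the per-rule translate and untranslate hit counters the poster mentions.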

I will do that. Also, when I run the command show nat, I see no hits on translate and untranslate. This confirms that currently only VPN traffic is flowing via the ASA, right?

I would assume so. But it does not hurt to double check.

--
Please remember to select a correct answer and rate helpful posts

Many thanks, Marius, for replying to my questions and giving me the right directions over the last two days.

Best Regards

Mahesh
