As a network engineer working on a project to deploy and configure a series of ASA 5506-X running 9.9(2) iOS, I have encountered the following important issue:
When I configure a NAT Exempt rule for traffic flowing from one zone to another of the ASA itself, traffic from zone to zone works as expected with no issues.
When I configure a NAT Exempt rule for traffic flowing from one zone of the ASA to a remote network that resides on the other end of an IPSec VPN tunnel, the ASA, for no obvious reason, unchecks the "NAT Exempt" checkbox option in ASDM and therefore deletes the NAT entry from the firewall configuration.
If I go and configure one NAT rule for each of the group's objects separately, the issue disappears.
You can easily understand that when the issue occurs the IPSec VPN tunnel goes down or does not work as expected (you can imagine what that means for a production network...)
Is this some kind of bug (in ASDM or iOS versions), does it have to do with the encrypted traffic, or is it some kind of security feature on Cisco devices?
Thanks everybody, looking forward to any feedback.
Try creating a NAT rule like the one below and add all your local or remote subnets to the object-groups:
nat (inside,outside) source static Local-Subnet Local-Subnet destination static Remote-Subnet Remote-Subnet
Hope this helps.
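A fuller version of the object-group approach suggested above, as an added example that is not part of the original answer or of any Cisco documentation: the object names, subnets and interface names (inside/outside) are assumptions chosen for illustration, and the verification commands at the end are what a practitioner would run to confirm the identity NAT is present, is matched by a VPN-bound packet, and, via the configuration-change syslogs, who or what removed it if it disappears again.

```cisco
! --- Assumed local (inside) networks ---
object network LAN-10
 subnet 10.10.0.0 255.255.255.0
object network LAN-20
 subnet 10.20.0.0 255.255.255.0
object-group network Local-Subnets
 network-object object LAN-10
 network-object object LAN-20

! --- Assumed remote networks on the far side of the IPsec tunnel ---
object network REMOTE-A
 subnet 192.168.100.0 255.255.255.0
object network REMOTE-B
 subnet 192.168.200.0 255.255.255.0
object-group network Remote-Subnets
 network-object object REMOTE-A
 network-object object REMOTE-B

! One twice-NAT identity rule (the CLI form of ASDM's "NAT Exempt") covering
! every local/remote pair.  Manual NAT rules are evaluated before auto NAT
! (object NAT), so this keeps VPN traffic from being translated by any
! dynamic PAT rule that sends inside hosts to the outside interface.
! no-proxy-arp and route-lookup are the usual identity-NAT safeguards: the
! ASA neither answers ARP for the remote ranges nor forces the egress
! interface from the NAT rule instead of the routing table.
nat (inside,outside) source static Local-Subnets Local-Subnets destination static Remote-Subnets Remote-Subnets no-proxy-arp route-lookup

! --- Verification (assumed test hosts 10.10.0.5 and 192.168.100.5) ---
! 1. Is the rule still in the running config, and is it hitting?
show running-config nat
show nat

! 2. Does a packet bound for the remote site match the identity rule
!    (phase "NAT" should show the line above, not the dynamic PAT)?
packet-tracer input inside tcp 10.10.0.5 1025 192.168.100.5 445 detailed

! 3. Keep an audit trail of configuration changes so the next time the
!    rule vanishes the log shows which user/application removed it.
logging enable
logging buffered informational
! Later, after the rule has disappeared:
show logging | include 111008|111010
```

If `packet-tracer` shows the flow matching a dynamic PAT rule rather than the identity rule, the exemption is not in effect and the tunnel will fail to match its crypto ACL. The 111008/111010 messages record every command executed on the ASA with the user and, for 111010, the client application and source IP, which distinguishes an ASDM session rewriting the rule from an operator removing it on the CLI.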
I don't get any error when I configure NAT.
But the NAT entries disappear later on. The NAT Exempt checkbox gets "unchecked" in ASDM and the NAT statement disappears.
When I configure the NAT rule all is ok at first.
Then a few hours later the client calls and says that the VPN does not work as expected.
When I check the configuration, the NAT rule is not there and I have to configure again.
Seems like an iOS bug, but I am not sure...
I will try this to perform my tests, but if configuring directly through the CLI is the only way to make NAT function properly, should I assume it is an ASDM bug?