Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6038
Views
7
Helpful
10
Replies

NAT rule in ASA for Tunnel interface

Nitin S
Level 5
Level 5

‎01-19-2021 07:10 AM

Hello All,

 

I have configure IPsec  VTI tunnel on ASA. i am try to configure NAT rule but interface not showing while adding nat statemen.

 

 

0 Helpful
10 Replies 10

Oleg Volkov
Spotlight
Spotlight

‎01-19-2021 07:13 AM

What NAT rule you need?

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog
0 Helpful

Nitin S
Level 5
Level 5
In response to Oleg Volkov

‎01-19-2021 07:33 AM

i need NAT rule from INSIDE to VIT_Tunnel.

0 Helpful

Oleg Volkov
Spotlight
Spotlight
In response to Nitin S

‎01-19-2021 07:35 AM

Ok but why ?

Can You provide full rule ?

It is must be twice nat?

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog
0 Helpful

Rob Ingram
VIP
VIP

‎01-19-2021 07:31 AM

@Nitin S 

You shouldn't need to...

 

"VTI eliminates the need to use crypto access lists and Network Address Translation (NAT) exemption rules."

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212478-configure-asa-virtual-tunnel-interfaces.html

 

If you are having an issue, please run packet-tracer from the CLI and "show nat detail", provide the output from both.

0 Helpful

Nitin S
Level 5
Level 5
In response to Rob Ingram

‎01-19-2021 07:36 AM

i need NAT rule to do destination NAT & source PAT.

0 Helpful

Rob Ingram
VIP
VIP

‎01-19-2021 07:46 AM

@Nitin S 

You want to NAT traffic over the route based VPN? Normally when using a route based VPN you just route traffic over the tunnel without NAT, which is probably why the VTI interface does not show when attempting to create NAT rule. You could try "any" when specifying the interface name in a NAT rule.

 

0 Helpful

MHM Cisco World
VIP
VIP

‎01-19-2021 08:58 AM

If I right it is bug 
gjgjgj.png

0 Helpful

Massimo Baschieri
Level 3
Level 3
In response to MHM Cisco World

‎05-30-2022 10:11 AM

Non applicable in all cases thuogh, but the "any" keyword may save your life.

Nat rule that should be entered this way:

nat (VTI,outside) source dynamic RFC1918-1 SRCNAT destination static DSTNETWORK DSTNETWORK

but it's not applicable since VTI interface isn't available, entered this way did the trick to me:

nat (any,outside) source dynamic RFC1918 SRCNAT destination static DSTNETWORK DSTNETWORK

hansrodlo
Level 1
Level 1
In response to Massimo Baschieri

‎02-01-2023 09:02 AM

Thanks, this workaround works for me.

0 Helpful

fgfuentes
Level 1
Level 1
In response to Massimo Baschieri

‎11-09-2023 12:15 PM - edited ‎11-09-2023 12:16 PM

this workaround actually does the job when using VTI: nat(any,interface)...

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card