09-06-2012 02:08 PM - edited 03-11-2019 04:51 PM
I understand the basic configuration for VPN traffic that you don't want to NAT.
access-list ACL_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
Make sure NAT is not applied to traffic passing across the VPN tunnel:
nat (inside) 0 access-list ACL_1
But I don't see where (from the samples) it does not get applied to the inside interface. Could someone explain why that is so?
access-group ACL_1 in interface inside
Thanks,
Pete
09-06-2012 02:23 PM
Hi Pete,
Basically you need:
The crypto ACL:
access-list ACL_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
The NAT exempt rule:
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
No need for an access-group.
Remember that the ASA has the "sysopt connection permit-vpn" command enabled by default, which basically allows any traffic coming over a VPN tunnel to bypass the outside ACL.
Please let me know if this answers your question.
Thanks.
Portu.
Please rate any post you find useful.
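As an added example (not part of the thread and not Cisco's code): a small Python checker that reads a pre-8.3 ASA config fragment and tests the three points made in the answer, that every flow in the crypto ACL also has a NAT-exempt (nat 0) entry, that the crypto ACL is not additionally bound with access-group, and whether the default sysopt connection permit-vpn bypass of the outside ACL has been turned off. The config text is constructed for the example; the ACL names ACL_1 and NONAT and the crypto map name OUTSIDE_MAP are assumptions, only the first two come from the thread.

```python
"""Audit a pre-8.3 ASA LAN-to-LAN VPN config fragment.

Checks (all from the answer above):
  1. each crypto-ACL flow has a matching NAT-exempt ACE, otherwise it is NATed
     before encryption and will not match the peer's crypto ACL;
  2. the crypto ACL is not also applied with access-group (it selects traffic
     for the tunnel, it is not an interface filter);
  3. whether 'sysopt connection permit-vpn' (default on) has been disabled,
     in which case decrypted traffic is filtered by the outside interface ACL.
"""
import re
from collections import defaultdict

# Constructed sample config for this example (not from the original post).
SAMPLE_CONFIG = """\
access-list ACL_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map OUTSIDE_MAP 10 match address ACL_1
crypto map OUTSIDE_MAP interface outside
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit (\S+) (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")


def parse(config):
    """Return (acls, crypto_acls, nat0_acls, bound, sysopt_vpn) from config text."""
    acls = defaultdict(list)        # ACL name -> [(proto, src, smask, dst, dmask)]
    crypto_acls, nat0_acls = set(), set()
    bound = {}                      # ACL name -> (direction, interface)
    sysopt_vpn = True               # ASA default: permit-vpn is enabled
    for line in config.splitlines():
        line = line.strip()
        if m := ACE_RE.match(line):
            acls[m.group(1)].append(tuple(m.groups()[1:]))
        elif m := MATCH_RE.match(line):
            crypto_acls.add(m.group(1))
        elif m := NAT0_RE.match(line):
            nat0_acls.add(m.group(1))
        elif m := GROUP_RE.match(line):
            bound[m.group(1)] = (m.group(2), m.group(3))
        elif line == "no sysopt connection permit-vpn":
            sysopt_vpn = False
        elif line == "sysopt connection permit-vpn":
            sysopt_vpn = True
    return acls, crypto_acls, nat0_acls, bound, sysopt_vpn


def audit(config):
    """Return a list of human-readable findings; empty means the fragment is consistent."""
    acls, crypto_acls, nat0_acls, bound, sysopt_vpn = parse(config)
    findings = []
    exempt = {ace for name in nat0_acls for ace in acls.get(name, [])}
    for name in sorted(crypto_acls):
        for ace in acls.get(name, []):
            if ace not in exempt:
                findings.append(
                    f"crypto ACL {name} flow {ace[1]}->{ace[3]} has no NAT-exempt entry; "
                    "it will be translated before encryption")
        if name in bound:
            direction, iface = bound[name]
            findings.append(
                f"crypto ACL {name} is also applied with access-group {direction} on {iface}; "
                "the crypto ACL selects tunnel traffic and should not be bound as an interface filter")
    if not sysopt_vpn:
        findings.append(
            "sysopt connection permit-vpn is disabled; decrypted VPN traffic is now subject "
            "to the outside interface ACL and must be permitted there")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(f)
```

Running it on the sample gives no findings; appending the original poster's `access-group ACL_1 in interface inside` line produces the second finding, and removing the NONAT entry produces the first.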