Solved: Zero NAT on inside interface

mahesh18 · ‎05-08-2020

We have this nat for vpn users

nat (inside) 0 access-list nonat_pool --------------------current nat for vpn

Also i need IPsec connection for vendor traffic where we do not want nat inside traffic

ASA 8.2

nat (inside) 0 access-list NAT_EXEMPT ------------------------------nat for IPSEC tunnel

How will this work?

Do it has to be in certain order?

Sheraz.Salim · ‎05-10-2020

here is the configuration you need to implement in order to bring up the tunnel. I assume 10.96.96.0/24 is your source ip addresses and the remote networks are 10.70.160.x. Is this correct?

if you want to allow only certain protocols to work with access-list forexample tcp/udp. than you have to give command sysopt connection permit-vpn" Configure the sysopt connection permit-vpn command, which exempts traffic that matches the VPN connection from the access control policy. ... This is the more secure method to allow traffic in the VPN because external users cannot spoof IP addresses in the remote access VPN address pool.

crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
!
crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
!
tunnel-group 172.24.32.115 type ipsec-l2l
tunnel-group 172.24.32.115 ipsec-attributes
pre-shared-key xxxxxx
!
access-list LAN_Traffic extended permit ip 10.96.96.0 255.255.255.0 host 10.70.160.2 
access-list LAN_Traffic extended permit ip 10.96.96.0 255.255.255.0 host 10.70.160.3
!
nat (inside) 0 access-list LAN_Traffic
crypto map VPNCMAP  20 match address LAN_Traffic
crypto map VPNCMAP  20 set peer 172.24.32.115                                                                                                                                 
crypto map VPNCMAP 20 set transform-set L2L
!

please do not forget to rate.

View solution in original post

Sheraz.Salim · ‎05-08-2020

nat (inside) 0 access-list NAT_EXEMPT ------------------------------nat for IPSEC tunnel

mean you doing a NAT Exemption. as you running 8.2 which is EOL so if i convert it to 8.3 post. its command will be like this.

object network INSIDE
subnet 1.1.1.0 255.255.0.0
object network OUTSIDE
subnet 2.2.2.0 255.255.0.0
nat (inside,outside) source static INSIDE INSIDE destination static OUTSIDE OUTSIDE

so ideally it should work. have a change control in place if you need to revert back.

please do not forget to rate.

mahesh18 · ‎05-08-2020

Thanks for replying.

So if i use NAT exempt for inside interface for two different configs it should work right?

Does it has to be in any order?

Sheraz.Salim · ‎05-08-2020

Is this change is for the existing vpn tunnel peer or a new vpn tunnel peer?

please do not forget to rate.

mahesh18 · ‎05-08-2020

currently we have VPN working and using below nat

nat (inside) 0 access-list nonat_pool

Now for IPSEC i need to add this nat

nat (inside) 0 access-list NAT_EXEMPT

so if i add above nat config will vpn users connection will still work?

Sheraz.Salim · ‎05-09-2020

share your firewall config please in order to give you correct advise.

please do not forget to rate.

mahesh18 · ‎05-09-2020

I have sent you private message with config.

Here is the config i need to add for IPSEC connection

crypto isakmp policy 20

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 3600

crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac

tunnel-group 172.24.32.115 type ipsec-l2l

tunnel-group 172.24.32.115 ipsec-attributes

pre-shared-key xxxxxx

access-list LAN_Traffic extended permit icmp 10.0.0.0 255.0.0.0 10.70.160.0 255.255.255.248 echo log

access-list LAN_Traffic extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.2 eq 80 log

access-list LAN_Traffic extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.3 eq 80 log

access-list LAN_Traffic extended permit udp 10.96.96.0 255.255.255.0 host 10.70.160.2 eq 554 log

access-list LAN_Traffic extended permit udp 10.96.96.0 255.255.255.0 host 10.70.160.3 eq 554 log

access-list LAN_Traffic extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.2 eq 554 log

access-list LAN_Traffic extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.3 eq 554 log

access-list LAN_Traffic extended permit tcp host 10.70.160.2 10.96.96.0 255.255.255.0 eq 80 log

access-list LAN_Traffic extended permit tcp host 10.70.160.3 10.96.96.0 255.255.255.0 eq 80 log

access-list LAN_Traffic extended permit udp host 10.70.160.2 10.96.96.0 255.255.255.0 eq 554 log

access-list LAN_Traffic extended permit udp host 10.70.160.3 10.96.96.0 255.255.255.0 eq 554 log

access-list LAN_Traffic extended permit tcp host 10.70.160.2 10.96.96.0 255.255.255.0 eq 554 log

access-list LAN_Traffic extended permit tcp host 10.70.160.3 10.96.96.0 255.255.255.0 eq 554 log

access-list LAN_Traffic extended deny ip any any log

crypto map VPNCMAP 20 match address LAN_Traffic

crypto map VPNCMAP 20 set peer 172.24.32.115

crypto map VPNCMAP 20 set transform-set L2L

access-list NAT_EXEMPT extended permit ip 10.96.96.0 255.255.255.0 10.70.160.248
nat (inside) 0 access-list NAT_EXEMPT

Sheraz.Salim · ‎05-10-2020

here is the configuration you need to implement in order to bring up the tunnel. I assume 10.96.96.0/24 is your source ip addresses and the remote networks are 10.70.160.x. Is this correct?

if you want to allow only certain protocols to work with access-list forexample tcp/udp. than you have to give command sysopt connection permit-vpn" Configure the sysopt connection permit-vpn command, which exempts traffic that matches the VPN connection from the access control policy. ... This is the more secure method to allow traffic in the VPN because external users cannot spoof IP addresses in the remote access VPN address pool.

crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
!
crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
!
tunnel-group 172.24.32.115 type ipsec-l2l
tunnel-group 172.24.32.115 ipsec-attributes
pre-shared-key xxxxxx
!
access-list LAN_Traffic extended permit ip 10.96.96.0 255.255.255.0 host 10.70.160.2 
access-list LAN_Traffic extended permit ip 10.96.96.0 255.255.255.0 host 10.70.160.3
!
nat (inside) 0 access-list LAN_Traffic
crypto map VPNCMAP  20 match address LAN_Traffic
crypto map VPNCMAP  20 set peer 172.24.32.115                                                                                                                                 
crypto map VPNCMAP 20 set transform-set L2L
!

please do not forget to rate.

mahesh18 · ‎05-11-2020

Thanks a lot for answering all the queries here.

Will do this change soon.

Appreciate your help on this.