mahesh18
Frequent Contributor

Zero NAT on inside interface

We have this NAT for VPN users:

nat (inside) 0 access-list nonat_pool          --------------------current NAT for VPN

Also, I need an IPsec connection for vendor traffic where we do not want to NAT the inside traffic.

ASA 8.2

nat (inside) 0 access-list NAT_EXEMPT ------------------------------NAT for IPsec tunnel

How will this work?

Does it have to be in a certain order?

 

 

Sheraz.Salim
VIP Advisor

nat (inside) 0 access-list NAT_EXEMPT ------------------------------nat for IPSEC tunnel

This means you are doing a NAT exemption. As you are running 8.2, which is EOL, if I convert it to 8.3 post-NAT syntax the commands will look like this:

object network INSIDE
subnet 1.1.1.0 255.255.0.0
object network OUTSIDE
subnet 2.2.2.0 255.255.0.0
nat (inside,outside) source static INSIDE INSIDE destination static OUTSIDE OUTSIDE

So ideally it should work. Have a change control in place in case you need to revert.

please do not forget to rate.
mahesh18
Frequent Contributor

Thanks for replying.

So if I use NAT exemption on the inside interface for two different configs, it should work, right?

Does it have to be in any order?

Is this change for the existing VPN tunnel peer or a new VPN tunnel peer?

please do not forget to rate.
mahesh18
Frequent Contributor

Currently we have the VPN working and using the NAT below:

nat (inside) 0 access-list nonat_pool

Now for IPsec I need to add this NAT:

nat (inside) 0 access-list NAT_EXEMPT

So if I add the above NAT config, will the VPN users' connections still work?

Share your firewall config please in order to give you correct advice.

please do not forget to rate.
mahesh18
Frequent Contributor

I have sent you a private message with the config.

Here is the config I need to add for the IPsec connection:

crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
!
crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
!
tunnel-group 172.24.32.115 type ipsec-l2l
tunnel-group 172.24.32.115 ipsec-attributes
pre-shared-key xxxxxx
!
access-list LAN_Traffic extended permit icmp 10.0.0.0 255.0.0.0 10.70.160.0 255.255.255.248 echo log
access-list LAN_Traffic extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.2 eq 80 log
access-list LAN_Traffic extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.3 eq 80 log
access-list LAN_Traffic extended permit udp 10.96.96.0 255.255.255.0 host 10.70.160.2 eq 554 log
access-list LAN_Traffic extended permit udp 10.96.96.0 255.255.255.0 host 10.70.160.3 eq 554 log
access-list LAN_Traffic extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.2 eq 554 log
access-list LAN_Traffic extended permit tcp 10.96.96.0 255.255.255.0 host 10.70.160.3 eq 554 log
!
access-list LAN_Traffic extended permit tcp host 10.70.160.2 10.96.96.0 255.255.255.0 eq 80 log
access-list LAN_Traffic extended permit tcp host 10.70.160.3 10.96.96.0 255.255.255.0 eq 80 log
access-list LAN_Traffic extended permit udp host 10.70.160.2 10.96.96.0 255.255.255.0 eq 554 log
access-list LAN_Traffic extended permit udp host 10.70.160.3 10.96.96.0 255.255.255.0 eq 554 log
access-list LAN_Traffic extended permit tcp host 10.70.160.2 10.96.96.0 255.255.255.0 eq 554 log
access-list LAN_Traffic extended permit tcp host 10.70.160.3 10.96.96.0 255.255.255.0 eq 554 log
access-list LAN_Traffic extended deny ip any any log
!
crypto map VPNCMAP 20 match address LAN_Traffic
crypto map VPNCMAP 20 set peer 172.24.32.115
crypto map VPNCMAP 20 set transform-set L2L
!
access-list NAT_EXEMPT extended permit ip 10.96.96.0 255.255.255.0 10.70.160.0 255.255.255.248
nat (inside) 0 access-list NAT_EXEMPT

 

Here is the configuration you need to implement in order to bring up the tunnel. I assume 10.96.96.0/24 is your source IP address range and the remote networks are 10.70.160.x. Is this correct?

If you want to allow only certain protocols to work with the access-list, for example TCP/UDP, then you have to give the command sysopt connection permit-vpn: "Configure the sysopt connection permit-vpn command, which exempts traffic that matches the VPN connection from the access control policy. ... This is the more secure method to allow traffic in the VPN because external users cannot spoof IP addresses in the remote access VPN address pool."

 

crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
!
crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
!
tunnel-group 172.24.32.115 type ipsec-l2l
tunnel-group 172.24.32.115 ipsec-attributes
pre-shared-key xxxxxx
!
access-list LAN_Traffic extended permit ip 10.96.96.0 255.255.255.0 host 10.70.160.2
access-list LAN_Traffic extended permit ip 10.96.96.0 255.255.255.0 host 10.70.160.3
!
nat (inside) 0 access-list LAN_Traffic
crypto map VPNCMAP 20 match address LAN_Traffic
crypto map VPNCMAP 20 set peer 172.24.32.115
crypto map VPNCMAP 20 set transform-set L2L
!
please do not forget to rate.
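Added example, not part of the thread or anyone's post in it. The question running through the thread is what happens when a second `nat (inside) 0 access-list` is added next to the existing one for VPN users, and Sheraz's earlier reply shows how the same exemption is written on 8.3. On ASA 8.2 an interface carries only one `nat 0 access-list` statement, so entering a second one replaces the first and the earlier exemption silently stops applying; the safe change is to put all exemption ACEs into one ACL. The script below parses a constructed 8.2 snippet (ACL and interface names are the thread's; the VPN pool 192.168.50.0/24 in nonat_pool is an assumed value), flags the collision, emits a single merged exemption ACL, and prints the 8.3 twice-NAT equivalent of one ACL in the style of Sheraz's conversion:

```python
"""
Lint an ASA 8.2 configuration for colliding 'nat (iface) 0 access-list'
statements, emit a merged replacement, and print the 8.3-style twice-NAT
equivalent of one exemption ACL.

Added example, not code from the thread. The sample configuration below is
constructed: the ACL and interface names are the thread's, the VPN pool
192.168.50.0/24 in nonat_pool is an assumed value.
"""
import re
from collections import defaultdict

# Constructed sample: the thread's two nat 0 statements plus one ACE for the
# existing VPN-pool exemption and the two ACEs from the accepted answer.
SAMPLE_CONFIG = """\
access-list nonat_pool extended permit ip 10.96.96.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list LAN_Traffic extended permit ip 10.96.96.0 255.255.255.0 host 10.70.160.2
access-list LAN_Traffic extended permit ip 10.96.96.0 255.255.255.0 host 10.70.160.3
nat (inside) 0 access-list nonat_pool
nat (inside) 0 access-list LAN_Traffic
"""

# Only 'permit ip' ACEs are meaningful for NAT exemption; endpoints are either
# 'host A.B.C.D' or 'A.B.C.D MASK'.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>host\s+\S+|\S+\s+\S+)\s+(?P<dst>host\s+\S+|\S+\s+\S+)\s*$"
)
NAT0_RE = re.compile(r"^nat\s+\((?P<iface>[^)]+)\)\s+0\s+access-list\s+(?P<acl>\S+)\s*$")


def parse_config(text):
    """Return ({acl_name: [(src, dst), ...]}, {iface: [acl_name, ...]})."""
    acls, nat0 = defaultdict(list), defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            acls[m["acl"]].append((m["src"], m["dst"]))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0[m["iface"]].append(m["acl"])
    return dict(acls), dict(nat0)


def find_nat0_collisions(nat0):
    """Interfaces with more than one 'nat 0 access-list' statement.

    On 8.2 an interface keeps only the last nat 0 access-list entered, so the
    earlier exemption (the VPN-pool one in the thread) silently stops applying.
    """
    return {iface: names for iface, names in nat0.items() if len(names) > 1}


def merge_nat0(acls, nat0, iface, merged_name):
    """Fold every ACE of every nat 0 ACL on `iface` into one ACL (duplicates
    dropped, original order kept) and bind that single ACL with nat 0."""
    seen, lines = set(), []
    for name in nat0.get(iface, []):
        for ace in acls.get(name, []):
            if ace in seen:
                continue
            seen.add(ace)
            lines.append(f"access-list {merged_name} extended permit ip {ace[0]} {ace[1]}")
    lines.append(f"nat ({iface}) 0 access-list {merged_name}")
    return lines


def _object_for(endpoint, prefix):
    """Name and definition of a network object for a 'host X' or 'NET MASK' endpoint."""
    parts = endpoint.split()
    if parts[0] == "host":
        name = f"{prefix}_{parts[1]}".replace(".", "_")
        body = f" host {parts[1]}"
    else:
        name = f"{prefix}_{parts[0]}_{parts[1]}".replace(".", "_")
        body = f" subnet {parts[0]} {parts[1]}"
    return name, [f"object network {name}", body]


def to_83_twice_nat(acls, acl_name, in_if, out_if):
    """8.3 equivalent of 'nat (in_if) 0 access-list acl_name': one identity
    twice-NAT rule per ACE, each network object defined once."""
    lines, defined = [], set()
    for src, dst in acls.get(acl_name, []):
        s_name, s_def = _object_for(src, "SRC")
        d_name, d_def = _object_for(dst, "DST")
        for name, defn in ((s_name, s_def), (d_name, d_def)):
            if name not in defined:
                defined.add(name)
                lines.extend(defn)
        lines.append(f"nat ({in_if},{out_if}) source static {s_name} {s_name} "
                     f"destination static {d_name} {d_name}")
    return lines


if __name__ == "__main__":
    acls, nat0 = parse_config(SAMPLE_CONFIG)
    for iface, names in find_nat0_collisions(nat0).items():
        print(f"WARNING: {len(names)} nat 0 statements on ({iface}): {names}; only the last survives")
    print("\n".join(merge_nat0(acls, nat0, "inside", "NONAT_ALL")))
    print("!")
    print("\n".join(to_83_twice_nat(acls, "LAN_Traffic", "inside", "outside")))
```

Run against a real 8.2 config, the warning is the check to make before pasting a second `nat (inside) 0` line; the merged output is the single exemption ACL to apply instead, with the VPN-pool ACE first so existing remote-access traffic keeps its exemption. The 8.3 rules it emits are twice NAT, which the ASA evaluates in section 1 ahead of any object NAT, so the identity rules take precedence over a dynamic PAT configured as object NAT.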
mahesh18
Frequent Contributor

 

Thanks a lot for answering all the queries here.

Will do this change soon.

Appreciate your help on this.
