mahesh18
Frequent Contributor

Zero NAT on inside interface

We have this NAT for VPN users:

nat (inside) 0 access-list nonat_pool          -------------------- current NAT for VPN

Also I need an IPsec connection for vendor traffic where we do not want to NAT inside traffic.

ASA 8.2

nat (inside) 0 access-list NAT_EXEMPT          -------------------- NAT for IPsec tunnel

How will this work?

Does it have to be in a certain order?

Accepted Solution

Here is the configuration you need to implement in order to bring up the tunnel. I assume 10.96.96.0/24 is your source IP range and the remote networks are 10.70.160.x. Is this correct?

If you want to allow only certain protocols to work with the access-list, for example tcp/udp, then you have to give the command "sysopt connection permit-vpn". Configure the sysopt connection permit-vpn command, which exempts traffic that matches the VPN connection from the access control policy. ... This is the more secure method to allow traffic in the VPN because external users cannot spoof IP addresses in the remote access VPN address pool.

! Phase 1 (ISAKMP) policy
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
!
! Phase 2 transform set
crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
!
! Peer definition; replace xxxxxx with the pre-shared key agreed with the vendor
tunnel-group 172.24.32.115 type ipsec-l2l
tunnel-group 172.24.32.115 ipsec-attributes
pre-shared-key xxxxxx
!
! Interesting traffic: used both for NAT exemption and as the crypto map match ACL
access-list LAN_Traffic extended permit ip 10.96.96.0 255.255.255.0 host 10.70.160.2
access-list LAN_Traffic extended permit ip 10.96.96.0 255.255.255.0 host 10.70.160.3
!
nat (inside) 0 access-list LAN_Traffic
crypto map VPNCMAP 20 match address LAN_Traffic
crypto map VPNCMAP 20 set peer 172.24.32.115
crypto map VPNCMAP 20 set transform-set L2L
!
Please do not forget to rate.
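As an added illustration (not part of the thread and not Cisco code), the following Python models how a pre-8.3 ASA evaluates a `nat 0 access-list` exemption: first match over the ACEs in configured order, `permit` means the flow is not translated, anything else is translated as normal. It assumes a constructed VPN pool of 10.96.200.0/24 for `nonat_pool`, and treats both access-lists as one combined list because an interface references only a single `nat 0 access-list`, so the vendor ACEs have to be added to the existing exemption list rather than configured as a second `nat (inside) 0` statement.

```python
import ipaddress
import re

# Constructed sample: the two vendor ACEs from the accepted solution plus an assumed
# VPN-pool ACE (10.96.200.0/24 is a placeholder, not a value from the thread).
SAMPLE_ACL = """
access-list nonat_pool extended permit ip 10.96.96.0 255.255.255.0 10.96.200.0 255.255.255.0
access-list LAN_Traffic extended permit ip 10.96.96.0 255.255.255.0 host 10.70.160.2
access-list LAN_Traffic extended permit ip 10.96.96.0 255.255.255.0 host 10.70.160.3
"""
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) ip (.+)$")

def _addr(tokens):
    """Consume one ASA address spec (host X | any | NET MASK) from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_acl(text):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, action, rest = m.groups()
            tokens = rest.split()
            src = _addr(tokens)
            dst = _addr(tokens)
            acls.setdefault(name, []).append((action, src, dst))
    return acls

def is_exempt(aces, src_ip, dst_ip):
    """nat 0 semantics: the first matching ACE decides; permit = no translation."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in aces:
        if s in src and d in dst:
            return action == "permit"
    return False  # no match: translated like any other inside traffic

def broad_aces(aces):
    """Flag exemption entries whose source or destination is 'any' (over-wide scope)."""
    return [ace for ace in aces if ace[1].prefixlen == 0 or ace[2].prefixlen == 0]

# Only one nat 0 access-list is referenced per interface, so both ACE sets must live in
# that single list; evaluate them combined, VPN-pool entries first.
ACLS = parse_acl(SAMPLE_ACL)
EXEMPT = ACLS["nonat_pool"] + ACLS["LAN_Traffic"]
```

`broad_aces` is the check worth running on a real exemption list: an ACE with `any` on either side exempts far more than the two vendor hosts and silently widens what the tunnel carries.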

Sheraz.Salim
VIP Advisor