11-10-2021 09:42 AM
Hi,
I'm running a FirePower 1120 with ASA and AnyConnect VPN.
I have several VLANs which have different connection profiles. On the VLANs without any NAT rules, I can connect and ping all devices. On the VLANs which have NAT rules for connecting to the internet, I can't ping any of the devices. Presumably my rule catches my message and tries to send it to the "outside" interface. I've read about 'NAT exceptions', but discovered that this is a deprecated function.
My VLAN profile locks the user to the specific VLAN, and has an IP address in the same subnet as the hosts would be in (192.168.11.0/24)
An image of my NAT rule is attached (the only NAT rule for the given VLAN). How can I make another rule or change this one to solve this problem?
Many thanks!
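The symptom described above (hosts reachable on VLANs without NAT, unreachable on VLANs with an Internet PAT rule) is the classic sign that the dynamic PAT rule is matching LAN-to-VPN-client traffic before anything else gets a chance. NAT exemption was not removed from ASA; since 8.3 it is expressed as an identity twice-NAT rule in section 1 of the NAT table (ASDM still labels it "NAT exempt"). The configuration below is an added example, not the poster's rule or Cisco's documentation: the object and interface names and the client pool range are assumptions, and only the 192.168.11.0/24 subnet comes from the post.

```cisco
! Added example. Object/interface names and the pool range are assumptions;
! only 192.168.11.0/24 is from the original post.

! The LAN behind the ASA (the poster's VLAN).
object network VLAN11-LAN
 subnet 192.168.11.0 255.255.255.0

! The AnyConnect address pool for this connection profile. The poster hands
! clients an address inside the same /24, so a range carved out of it is assumed.
ip local pool VLAN11-VPN-POOL 192.168.11.200-192.168.11.250 mask 255.255.255.0
object network ANYCONNECT-POOL-VLAN11
 range 192.168.11.200 192.168.11.250

! NAT exemption: identity twice NAT (section 1), real == mapped on both sides,
! so LAN <-> VPN-client traffic is left untranslated. Section 1 is evaluated
! before object NAT (section 2), so this wins over the Internet PAT rule below
! regardless of where it sits in the running config.
! no-proxy-arp: the ASA must not answer ARP for the mapped (== real) addresses.
! route-lookup: choose the egress interface from the routing table, not the rule.
nat (inside,outside) source static VLAN11-LAN VLAN11-LAN destination static ANYCONNECT-POOL-VLAN11 ANYCONNECT-POOL-VLAN11 no-proxy-arp route-lookup

! The existing Internet rule: dynamic PAT to the outside interface address.
! Written as object NAT it lives in section 2 and only sees packets that
! no section 1 rule matched, i.e. everything except the VPN pool.
object network VLAN11-LAN
 nat (inside,outside) dynamic interface
```

If the Internet PAT rule was itself written as a manual (twice) NAT rule, both rules live in section 1 and are evaluated top-down, so the exemption has to be inserted ahead of it with an explicit line number (`nat (inside,outside) 1 source static ...`). Two checks worth running afterwards: `show nat` should show the exemption's `translate_hits` counter climbing when a LAN host pings a connected client, and `packet-tracer input inside icmp 192.168.11.10 8 0 192.168.11.201` should report the identity rule in its NAT phase rather than the dynamic PAT rule.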
Labels: Other Routers
11-10-2021 11:58 AM
Hello,
I might have missed that, but where did you read that NAT exemptions have become deprecated ?
11-10-2021 12:04 PM
Sorry, I can't recall, it was in the middle of a googling session.
However, I have fixed this problem, albeit inelegantly, by making two IP ranges.
One is called lower-than-local and is everything under 172.0.0.0; the other is higher-than-local and is everything over 192.0.0.0.
This seems to work great, as long as I don't try to access any internet resources with an IP between those two.
11-10-2021 12:22 PM
Hello,
Good workaround!
