If you were configuring NAT exemption on ASA1 for this RA tunnel, it would look like this:
object network obj-vpnpool
subnet 192.168.3.0 255.255.255.0
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool
*Note: Due to bug CSCtf89372, I use the "1" in the command above to put the nat exemption statement at the top of all my nat statements.
Using Management-access Inside
In all the above cases, when you convert the nat 0 command in pre 8.3 code to post 8.3 code, you'll probably notice that you're converting it from being a nat exemption to static identity nat. Just like in pre 8.3 code, post 8.3 static nats also don't do a route lookup for an ingress packet. Instead they forcibly place the packet on the egress interface defined in the static command. If you use the packet tracer you'll see something like this:
object network obj_RDP
nat (inside,outside) static interface service tcp 3389 3389
NAT divert to egress interface inside
Untranslate 220.127.116.11/3389 to 192.168.1.5/3389
Notice how it says "NAT divert". That means the ASA skipped the route lookup for the address you're trying to reach and used the NAT statement to decide how to route the packet. Sometimes this can be a good thing and can be used for various hacks (refer to Loadbalancing DUAL ISP on ASA). Unfortunately, if you're using the VPN to manage your firewall, you don't want packets destined to the ASA itself to be "NAT diverted" out some interface. You want those packets to be processed by the ASA itself, so in these situations you want to configure the nat command as:
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool route-lookup
This command makes the ASA do the route-lookup instead of blindly routing the packets.
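As an added example (not part of the original article or Cisco's tooling), the following Python check scans a saved running-config for static identity NAT rules that lack route-lookup on an interface named by a management-access command. The sample config, the obj-lab object and the dmz interface are constructed for illustration, and limiting the check to the management-access interface is an assumption of this sketch.

```python
import re

# Manual NAT: nat (real_if,mapped_if) [line] source static A B
#             [destination static C D] [options...]
NAT_RE = re.compile(
    r"^nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\)\s+(?:\d+\s+)?"
    r"source static (?P<s1>\S+) (?P<s2>\S+)"
    r"(?: destination static (?P<d1>\S+) (?P<d2>\S+))?"
    r"(?P<opts>.*)$"
)
MGMT_RE = re.compile(r"^management-access (\S+)$")

def audit_identity_nat(config_text):
    """Return static identity NAT lines that lack route-lookup and whose
    real interface is the management-access interface."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    mgmt_ifs = {m.group(1) for m in map(MGMT_RE.match, lines) if m}
    findings = []
    for ln in lines:
        m = NAT_RE.match(ln)
        if not m:
            continue  # object NAT, PAT and non-NAT lines are out of scope
        # Identity NAT: each address is translated to itself.
        identity = m["s1"] == m["s2"] and m["d1"] == m["d2"]
        has_lookup = "route-lookup" in m["opts"].split()
        if identity and m["real"] in mgmt_ifs and not has_lookup:
            findings.append(ln)
    return findings

# Constructed sample running-config (obj-lab and dmz are made up).
SAMPLE_CONFIG = """
management-access inside
object network obj-vpnpool
 subnet 192.168.3.0 255.255.255.0
object network obj-lab
 subnet 192.168.50.0 255.255.255.0
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool
nat (inside,outside) source static any any destination static obj-lab obj-lab no-proxy-arp route-lookup
nat (dmz,outside) source static any any destination static obj-vpnpool obj-vpnpool
"""

if __name__ == "__main__":
    for line in audit_identity_nat(SAMPLE_CONFIG):
        print("missing route-lookup:", line)
```

Only the first nat line in the sample is reported: the second already carries route-lookup, and the third uses an interface that is not the management-access interface.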