If your were configuring ASA1 nat exemption for this RA tunnel, it would look like this:
object network obj-vpnpool
subnet 192.168.3.0 255.255.255.0
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool
*Note: Due to bug CSCtf89372, I use the "1" in the command above to put the nat exemption statement at the top of all my nat statements.
Using Management-access Inside
In all the above cases, when you convert the nat 0 command in pre 8.3 code to post 8.3 code, you'll probably notice that you're converting it from being a nat exemption to static identity nat. Just like in pre 8.3 code, post 8.3 static nats also don't do a route lookup for an ingress packet. Instead they forcibly place the packet on the egress interface defined in the static command. If you use the packet tracer you'll see something like this:
object network obj_RDP
nat (inside,outside) static interface service tcp 3389 3389
NAT divert to egress interface inside
Untranslate 220.127.116.11/3389 to 192.168.1.5/3389
Notice how it says "NAT divert", well what that means is the ASA just skipped a route-lookeup for the address you're trying to reach and used the NAT statement to decide how to route that packet. Sometimes this can be a good thing and can be used for various hacks( refer Loadbalancing DUAL ISP on ASA), unfrotunately, if you're using the VPN to manage your firewall, then you don't want packets destined to the ASA itself to be "NAT diverted" out some interface. You want those packets to be process by the ASA itself, so in these situations you want to configure the nat command as:
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool route-lookeup
This command makes the ASA do the route-lookup instead of blindly routing the packets.
Hello, I would like to know if there is a way to extract from WSA the info about the used browser verison in the network. Either in logs or in reports or something else. thanks and regards, Konstantinos
HelloASA5506 i have the problem that the ip from the static clients arnt reachable.if change this to the attached switch the issue are gone, if pachting back toASA the ip arnt still not reachable.i'am reading that i need to allow IMCP, following com...
I currently have an ASA 5525 and I want the updates made to my servers, services to be carried out, but I get this error Inbound TCP connection denied from x.x.x.x / 443 to x.x.x.x / xxxx flags RST on interface outsideTry to create the access list rule fo...
HelloWhat is the point of ISE hybrid deployment if max Active Sessions per Deployment the same as standalone and limited by performance of PAN+Mnt Node?What is the point to have separate PSN from scaling point of view?