If you were configuring ASA1 NAT exemption for this RA tunnel, it would look like this:
object network obj-vpnpool
subnet 192.168.3.0 255.255.255.0
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool
*Note: Due to bug CSCtf89372, I use the "1" in the command above to put the nat exemption statement at the top of all my nat statements.
Using Management-access Inside
In all the above cases, when you convert the nat 0 command in pre-8.3 code to post-8.3 code, you'll probably notice that you're converting it from a NAT exemption into a static identity NAT. Just like in pre-8.3 code, post-8.3 static NATs also don't do a route lookup for an ingress packet. Instead, they forcibly place the packet on the egress interface defined in the static command. If you use the packet tracer, you'll see something like this:
object network obj_RDP
nat (inside,outside) static interface service tcp 3389 3389
NAT divert to egress interface inside
Untranslate 188.8.131.52/3389 to 192.168.1.5/3389
Notice how it says "NAT divert". What that means is that the ASA skipped the route lookup for the address you're trying to reach and used the NAT statement to decide how to route that packet. Sometimes this is a good thing and can be used for various hacks (refer to Load balancing dual ISP on ASA). Unfortunately, if you're using the VPN to manage your firewall, you don't want packets destined to the ASA itself to be "NAT diverted" out some interface. You want those packets to be processed by the ASA itself, so in these situations you want to configure the nat command as:
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool route-lookup
This command makes the ASA do the route lookup instead of blindly placing the packets on the egress interface named in the NAT statement.
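To put the two forms side by side, here is an added configuration example (not taken from the original post) for the management-access case: the NAT exemption without route-lookup, the corrected one with it, and the commands used to check the difference. The VPN pool 192.168.3.0/24 comes from the post; the ASA inside interface address 192.168.1.1, the client address 192.168.3.10 and the use of SSH (tcp/22) for management are assumptions made for the example.

```text
! Added example, not the original post's configuration.
! Assumed: ASA inside interface is 192.168.1.1 and clients from the VPN pool
! manage the ASA over SSH (tcp/22). The pool object is from the post.
object network obj-vpnpool
 subnet 192.168.3.0 255.255.255.0

! Let VPN clients reach the ASA's inside interface address for management.
management-access inside

! Weak form: identity NAT without route-lookup. A packet from the pool to
! 192.168.1.1 is "NAT diverted" to the inside interface and is never handed
! to the ASA's own management stack, so the SSH/ASDM session never comes up.
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool

! Corrected form: same identity NAT, but the ASA performs a real route
! lookup, so traffic to its own inside address is processed locally while
! traffic to hosts behind the inside interface is still exempt from NAT.
no nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool
nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool route-lookup

! Checks: with route-lookup in place the UN-NAT phase should no longer report
! "NAT divert to egress interface inside" for a pool address talking to the
! ASA's inside IP, and "show nat detail" should list the rule with route-lookup.
packet-tracer input outside tcp 192.168.3.10 40000 192.168.1.1 22
show nat detail
```

The packet-tracer line only exercises the NAT phase of the trace; because it is not fed decrypted VPN traffic, later phases (interface ACL, VPN bypass) may not match what a real AnyConnect session sees, so treat it as a check on the divert behaviour rather than a full end-to-end test.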