Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
771
Views
0
Helpful
3
Replies

ASA 8.3(1) nat exemption for L2l VPN

Go to solution
srikanth ath
Level 4
Level 4

‎12-08-2013 10:38 PM - edited ‎03-07-2019 04:59 PM

                   Hello Expert,

I hve a cisco asa running 8.3(1) version.

I have a succesffull L2L tunnel between two sites. but, im confused about the nat exemption used here. An acl is defined stating the interesting traffic of two sites using the tunnel should be nat exempted and is configured as below in rectangular boxes.

The ACL created doesnt have a statement to be nat exempted nor it is applied to any interface.

nat (inside) 0 access-list inside_nat0_outbound

## Configure NAT Exempt ACL

access-list inside_nat0_outbound extended permit ip object-group ET_LOCAL object-group ET_REMOTE

object-group network ET_LOCAL

network-object host 10.x.x.x

object-group network ETS_REMOTE

network-object host 64.x.x.x

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to srikanth ath

‎12-09-2013 02:56 AM

Hi,

These is a relic of pre 8.3 because as I said this is old syntax so I assume you migrated your config to 8.3 and this is leftover, if this is the case then you can safely delete it.Maybe as a safeguard making the ACLs inactive and verify tunnels are ok then you can delete them.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
cadet alain
VIP Alumni
VIP Alumni

‎12-08-2013 11:40 PM

Hi,

The syntax with the ACL and NAT 0 is pre-8.3 syntax.

For post-8.2, the syntax should be:

nat(inside,outside) source static ET_LOCAL ET_LOCAL destination static ETS_REMOTE  ETS_REMOTE

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
0 Helpful

Go to solution
srikanth ath
Level 4
Level 4
In response to cadet alain

‎12-09-2013 01:32 AM

Hi alain,

Thanks for the response.

So, what is the purpose of ACL (inside_nat0_outbound) for nat exemption configured even for other tunnels in our Firewall though the hitcount of that ACL is Zero. If this doesnt make any sense shall i remnove as only needed syntax is Nat(inside, outside) source static as you configured above?

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to srikanth ath

‎12-09-2013 02:56 AM

Hi,

These is a relic of pre 8.3 because as I said this is old syntax so I assume you migrated your config to 8.3 and this is leftover, if this is the case then you can safely delete it.Maybe as a safeguard making the ACLs inactive and verify tunnels are ok then you can delete them.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card