9.0 can a dynamic nat be used over ipsec vpn?

Chris Izatt
Level 1

We have a VPN up and working between two ASAs, and when we run the traffic through a static NAT rule the traffic passes over the VPN. When we use a dynamic NAT the traffic does not get picked up by the VPN ACL.

We are disabling the NAT rules to switch back and forth, so even when we use the same source destination the result is the same.

Am I missing something with 9.0 code versions? If I disable all NATs and pass the traffic, it goes over the VPN.

So it seems when using the dynamic NAT statement it pushes the traffic to the outside interface without looking at the VPN ACL. Please let me know if I am off base; I am a newb on post-8.3 code.

Thanks

1 Accepted Solution


rizwanr74
Level 7

Have you included the NATted IP address or range in the crypto ACL?

Have you permitted the NATted IP address or range at the other end of the tunnel?

I didn't do that at first because I remember reading something about only using the unNATted IP in ver 9 because of order of ops. That seemed weird to me at the time.

Yes, it seems that you need the NAT IP like always. Should have just gone with my gut on that.

Thanks
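
The fix discussed in this thread, as an added configuration sketch that is not from either poster: the crypto ACL is written against the translated source address, and the remote peer carries the mirror image. All object names, the crypto map name and every address are constructed for illustration.

```text
! ----- Local ASA (names and addresses are constructed) -----
object network LOCAL-REAL
 subnet 10.1.1.0 255.255.255.0
object network LOCAL-MAPPED
 host 172.16.50.1
object network REMOTE-NET
 subnet 10.2.2.0 255.255.255.0
!
! Dynamic PAT applied only to traffic bound for the remote network
nat (inside,outside) source dynamic LOCAL-REAL LOCAL-MAPPED destination static REMOTE-NET REMOTE-NET
!
! Does NOT match: when the crypto map is consulted, the source is
! already 172.16.50.1, so the packet leaves the outside interface in clear
! access-list CRYPTO-ACL extended permit ip object LOCAL-REAL object REMOTE-NET
!
! Matches: crypto ACL written against the translated source
access-list CRYPTO-ACL extended permit ip object LOCAL-MAPPED object REMOTE-NET
crypto map OUTSIDE-MAP 10 match address CRYPTO-ACL
!
! ----- Remote ASA: mirror-image crypto ACL -----
object network PEER-MAPPED
 host 172.16.50.1
object network LOCAL-NET
 subnet 10.2.2.0 255.255.255.0
access-list CRYPTO-ACL extended permit ip object LOCAL-NET object PEER-MAPPED
```

To check the result, `packet-tracer input inside tcp 10.1.1.10 1025 10.2.2.10 80` should show the NAT rewrite followed by a VPN encrypt phase, and `show crypto ipsec sa` should list the translated address as the local ident.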