10-17-2017 08:11 AM - edited 03-12-2019 04:38 AM
Can someone assist with this scenario?
I need to have ALL traffic (including Internet) route over a VPN BUT I need to exclude some specific traffic so it gets Natted locally.
I've tried to do this by adding a DENY on my ACL but can't seem to get it to work.
Thanks.
10-17-2017 08:23 AM
Hello @George Rodriguez,
What kind of VPN tunnel are you deploying? Also, can you share your config?
Gio
10-17-2017 08:38 AM - edited 10-17-2017 08:41 AM
It's a site-to-site VPN.
Here is the relevant config.
I assumed adding the DENY on the ACL would prevent the traffic. It seems like it is, but I suspect the traffic is not being NAT'd.
object network LAN_Subnet
 subnet 10.2.0.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object-group network REMOTE_SUBNETS
 network-object 10.0.0.0 255.0.0.0
object-group network OS_Subnet
 I left out for security reasons
access-list INTERESTINGTRAF extended deny ip object LAN_Subnet object-group OS_Subnet
access-list INTERESTINGTRAF extended permit ip object LAN_Subnet object obj_any
nat (inside,any) source static LAN_Subnet LAN_Subnet destination static obj_any obj_any no-proxy-arp route-lookup
crypto map DataCenter 20 match address INTERESTINGTRAF
crypto map DataCenter 20 set peer x.x.x.x
crypto map DataCenter 20 set ikev1 transform-set TSET
crypto map DataCenter interface outside
object network obj_any
 nat (inside,outside) dynamic interface
10-17-2017 09:00 AM
Hello @George Rodriguez,
If I'm not mistaken, you want some traffic to hit the NAT on the ASA and not go through the VPN tunnel. You need to remove the deny you added on the encryption domain and play with the NAT statements:
Since your first NAT is from your internal to ANY, you should add a new NAT for the object OS_Subnet first in order to perform the NAT on your ASA and not on the remote; this will avoid the traffic going to the remote end.
nat (inside,outside) 1 source dynamic LAN_Subnet interface destination static OS_Subnet OS_Subnet
nat (inside,any) 2 source static LAN_Subnet LAN_Subnet destination static obj_any obj_any no-proxy-arp route-lookup
With this configuration, if your internal subnet hits the OS_Subnet object it will be translated to your outside interface; the rest of the traffic will remain untranslated and will go through the VPN tunnel.
HTH
Gio
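The answer above depends on two ordering facts about the ASA: NAT rules are evaluated top-down with first match winning (manual/twice NAT in section 1 before object NAT in section 2, and a rule without a position number lands at the end of its section), and the crypto map ACL is matched against the packet after NAT has been applied. The following is an added example, not code from the thread or from Cisco, that models just those rules in Python and runs both the original config and the suggested one through them. The OS_Subnet prefix (198.51.100.0/24), the outside interface address (203.0.113.10) and the Internet host (192.0.2.10) are placeholders, since the original poster withheld the real values.

```python
"""Toy model of ASA NAT rule selection followed by crypto-map ACL matching.
Assumptions (not an ASA implementation): section 1 (manual/twice NAT) is
checked before section 2 (object NAT); within a section the first matching
rule wins; a rule added without a position is appended; the crypto ACL sees
the post-NAT source address.  Only source/destination matching is modelled.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

LAN_SUBNET = Net("10.2.0.0/24")        # from the posted config
ANY = Net("0.0.0.0/0")                 # obj_any
OS_SUBNET = Net("198.51.100.0/24")     # placeholder: real prefix was withheld
OUTSIDE_IF = IPv4("203.0.113.10")      # placeholder outside interface address


@dataclass
class NatRule:
    name: str
    section: int                       # 1 = manual/twice NAT, 2 = object NAT
    src: Net
    dst: Net
    pat_to: Optional[IPv4] = None      # None models "source static X X" (identity)

    def matches(self, s: IPv4, d: IPv4) -> bool:
        return s in self.src and d in self.dst


@dataclass
class NatTable:
    sections: dict = field(default_factory=lambda: {1: [], 2: []})

    def add(self, rule: NatRule, position: Optional[int] = None) -> None:
        """position models the number after the interface pair; None = append (default)."""
        rules = self.sections[rule.section]
        if position is None:
            rules.append(rule)
        else:
            rules.insert(position - 1, rule)

    def translate(self, s: IPv4, d: IPv4):
        for sec in (1, 2):                     # section 1 always beats section 2
            for rule in self.sections[sec]:
                if rule.matches(s, d):         # first match wins, no fall-through
                    return (rule.pat_to if rule.pat_to is not None else s), rule.name
        return s, "no-nat"


@dataclass
class Ace:
    permit: bool
    src: Net
    dst: Net


def crypto_acl_selects(acl, s: IPv4, d: IPv4) -> bool:
    """First-match crypto ACL: a deny just means 'not interesting traffic'."""
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.permit
    return False


def forward(nat: NatTable, acl, s: IPv4, d: IPv4) -> dict:
    new_src, rule = nat.translate(s, d)               # NAT runs before crypto
    in_tunnel = crypto_acl_selects(acl, new_src, d)   # ACL sees translated source
    return {"src": str(new_src), "rule": rule, "path": "vpn" if in_tunnel else "clear"}


def original_config():
    """First attempt: deny in the crypto ACL, identity NAT still matches first."""
    nat = NatTable()
    nat.add(NatRule("vpn-exempt", 1, LAN_SUBNET, ANY))                # nat (inside,any) source static ...
    nat.add(NatRule("obj_any-pat", 2, ANY, ANY, pat_to=OUTSIDE_IF))   # object NAT, section 2, never reached
    acl = [Ace(False, LAN_SUBNET, OS_SUBNET), Ace(True, LAN_SUBNET, ANY)]
    return nat, acl


def fixed_config():
    """Suggested fix: drop the deny, put a PAT rule for OS_Subnet at position 1."""
    nat = NatTable()
    nat.add(NatRule("os-subnet-pat", 1, LAN_SUBNET, OS_SUBNET, pat_to=OUTSIDE_IF), position=1)
    nat.add(NatRule("vpn-exempt", 1, LAN_SUBNET, ANY), position=2)
    nat.add(NatRule("obj_any-pat", 2, ANY, ANY, pat_to=OUTSIDE_IF))
    acl = [Ace(True, LAN_SUBNET, ANY)]
    return nat, acl


if __name__ == "__main__":
    host, os_host, web = IPv4("10.2.0.5"), IPv4("198.51.100.7"), IPv4("192.0.2.10")
    for label, (nat, acl) in (("original", original_config()), ("fixed", fixed_config())):
        print(label, "-> OS_Subnet:", forward(nat, acl, host, os_host))
        print(label, "-> Internet :", forward(nat, acl, host, web))
```

Running it shows why the deny alone was not enough: with the original config a packet to OS_Subnet still hits the identity rule in section 1 (the object NAT in section 2 is never consulted), so it leaves the outside interface with its private 10.2.0.5 source and outside the tunnel. With the PAT rule at position 1, the same packet is translated to the outside address; it then no longer matches LAN_Subnet in the crypto ACL, so it is sent in the clear by design, while everything else still hits the identity rule and enters the tunnel.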
10-17-2017 09:05 AM
So the 1 & 2 will give the NAT statements a priority? That makes sense. I'll give that a shot.
10-17-2017 09:36 AM
Hello @George Rodriguez,
Yes, the number after the interfaces is there to place the NAT statements where you want them, rather than last, which is the default behavior.
Let me know when you do the test.
Gio
10-17-2017 11:29 AM
I added the NAT statements as suggested and it works!
Thanks!