Cisco Community
English
Register
LEARN MORE about Cisco's cybersecurity announcements this week
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

1149
Views
35
Helpful
17
Replies
Jouni Forss
Jouni Forss Mentor
Mentor
‎01-31-2014 10:48 AM
‎01-31-2014 10:48 AM

ASA Can perform 'policy NAT' but VPNs not work

Thanks,

Have not stayed in US or UK other than for a couple of vacation/work trips. Was at the Cisco Live! 2013 London last year.

The thing is, we start to learn English from age 9 or so at third grade so there has been plenty of time to learn and considering all the TV Series/Movies/Games are in English (atleast the good ones ) its pretty inevitable that you will learn some English. Also same thing with my networking studies, all in English. Main problem is that you tend to get to write it more than actually talk it.

- Jouni

0 Helpful
Reply
Highlighted
tholmes
tholmes Beginner
Beginner
‎02-03-2014 01:53 AM
‎02-03-2014 01:53 AM

Re: ASA Can perform 'policy NAT' but VPNs not work

Hi Jouni,

Just a quick update, and a bit of a strange one but I'm getting these results...

Version 8.6.1

Method 1 :

nat (hostcust01-outside,hostcust01-inside) after-auto source static any any destination static hostcust01-outside-PAT hostcust01-inside-nets

nat (hostcust02-outside,hostcust02-inside) after-auto source static any any destination static hostcust02-outside-PAT hostcust02-inside-nets

These NAT commands work and traffic uses the correct egress depending on source IP

Method 2:

nat (hostcust01-inside,hostcust01-outside) after-auto source dynamic hostcust01-inside-nets hostcust02-outside-PAT destination static ALL ALL

nat (hostcust02-inside,hostcust02-outside) after-auto source dynamic hostcust02-inside-nets hostcust02-outside-PAT destination static ALL ALL

These commands do not work

Upgrade to Version 9.1.1

Once upgraded the opposite to applies, method 1 does NOT work, however, method 2 does

But VPN identity NAT still refuses to work,  whichever IOS is used, so it still can not be deployed in a customer network, the ASA seems to ignore the identity NAT rules even though they are at the top of the NAT list

I'll try to engage TAC

Cheers Tony

0 Helpful
Reply
tholmes
tholmes Beginner
Beginner
‎02-07-2014 03:52 AM
‎02-07-2014 03:52 AM

ASA Can perform 'policy NAT' but VPNs not work

I drew a blank with TAC as they won't open a case for me without a support contract.... to fix the problem in their ASA X series platform :-/

I've worked around the issue by utilising the 2 default contexts and have a dedicated VPN context now (L2L VPN supported in 9.1.1)

So now I've got policy based static nat and L2L VPN working.

Regards Tony

0 Helpful
Reply
Latest Contents
How to find/get the registration key from FTD
Created by Eahwar34 on 12-06-2019 03:14 AM
0
0
0
0
We are in need of finding registration key used for our FTD , unfortunately we have forget the key and also it is encrypted . How to find the key from FTD ?
ISE My Devices & Sponsor Portal as a User Change Password Po...
Created by Jason Kunst on 12-05-2019 10:24 AM
0
0
0
0
This is to address those customers coming to ISE from ACS or new to ISE that need a password change portal (UCP) What are the licensing requirements for this solution? My Devices - For using the password change with My Devices you need plus licenses as ... view more
WHITEPAPER - Firepower Threat Defense Cloud Management with ...
Created by Marvin Rhoads on 11-29-2019 07:57 PM
0
10
0
10
  Overview   In this paper we will document the configuration and operation of an integrated solution that includes identity management, firewall, cloud-based management, and cloud-based logging. We will use the following Cisco products: Fu... view more
How Does Cisco Defense Orchestrator Manage Firepower Threat ...
Created by suhegade on 11-26-2019 09:06 PM
0
0
0
0
These days everything is in the cloud. We all know that Cisco Firepower Threat Defense (FTD) is a unified software image, which includes the Cisco ASA features and FirePOWER Services. Using Cisco Defense Orchestrator (CDO), you can manage physical or virt... view more
How Does Cisco Defense Orchestrator Manage Adaptive Security...
Created by suhegade on 11-26-2019 09:03 PM
0
10
0
10
Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that provides a simple, consistent, and highly secure way of managing security policies on all your ASA devices. CDO helps you optimize your ASA environment by identifying problems wi... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
FusionCharts will render here