ASA l2l tunnel, static nat vs Nat 0....

JG1978
Level 1

I am seeking some clarification on the correct NAT configuration for l2l tunnel.

We have an FTP server that users access directly through the outside interface, and a VPN L2L tunnel that also terminates on the outside interface; tunneled traffic/users access the same FTP server.

Pre-8.3

Scenario: Two 5520 ASAs running an L2L tunnel. The host side has a private-IP server using a static one-to-one NAT so that non-tunneled traffic can reach it (FTP server).

*****8.2 one-to-one static******

static (DMZ,outside)  <Public IP> 192.168.10.1 netmask 255.255.255.255

*****8.2******

Then for the tunneled traffic we use the nat exempt statement with an access list:

*****8.2 NAT exempt******

access-list no_nat extended permit ip host <Public IP> host <Remote Server IP>

nat (DMZ) 0 access-list no_nat

*****8.2******

After the 8.3+ migration the tunnel is broken because the NAT statements did not migrate cleanly. The question I have is that every example I have seen for an L2L tunnel uses NAT exempt via an access list and then uses a nat statement post-8.3 (see below):

*****8.3+ version of nat exempt*****

nat (DMZ,any) source static obj-192.168.0.1 obj-<PUBLIC IP> destination static obj-<REMOTE IP> obj-<REMOTE IP> no-proxy-arp route-lookup

*************

*****8.3+ static NAT*****

object network obj-192.168.0.1

     nat (DMZ,outside) static <PUBLIC IP>

*****8.3+ static NAT*****

What I have found is that since we are using a static one-to-one statement to allow non-tunnel traffic to the FTP server, it seems that the NAT exempt statements are no longer needed and the tunnel still works.

Can anyone clarify this for me? For 8.3+ which NAT is the correct one to use in this scenario?


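As an added example (not configuration from the post or from Cisco), this is how the two 8.3+ forms discussed above fit together on one ASA: the manual (twice) NAT identity rule sits in Section 1 and is evaluated before the object NAT in Section 2, so tunnel traffic keeps its real address while Internet clients still reach the public one. Interface names are taken from the post; all addresses and object names are constructed placeholders.

```cisco
! --- Objects (constructed placeholder addresses, not from the post) ---
object network DMZ-FTP-REAL
 host 192.168.10.1
object network DMZ-FTP-PUBLIC
 host 203.0.113.10
object network REMOTE-LAN
 subnet 10.20.0.0 255.255.255.0

! --- Section 1: manual (twice) NAT, evaluated before any object NAT ---
! Identity NAT: the FTP server talking to the remote LAN keeps its real
! address, so the tunnel carries 192.168.10.1 and the peer sees the private IP.
nat (DMZ,outside) source static DMZ-FTP-REAL DMZ-FTP-REAL destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! --- Section 2: object NAT, only reached when no Section 1 rule matches ---
! One-to-one static for everything else (Internet FTP clients).
object network DMZ-FTP-REAL
 nat (DMZ,outside) static DMZ-FTP-PUBLIC

! The crypto ACL must match the post-NAT source address; with the identity
! rule above that is still the real address.
access-list L2L-TRAFFIC extended permit ip object DMZ-FTP-REAL object REMOTE-LAN
```

To confirm which rule a tunnel packet actually hits, run `packet-tracer input DMZ tcp 192.168.10.1 21 10.20.0.5 40000` and read the NAT phase: if it reports the Section 2 static rule instead of the identity rule, the peer is receiving the public address and the remote side's crypto ACL and exemption must reference that address instead. `show nat` lists both sections with per-rule hit counts for the same check over time.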
1 Reply

JG1978
Level 1

So nobody knows which NAT configuration is correct in 8.3+ L2L?