01-01-2016 03:55 PM
I'm trying to set up a VPN tunnel between an IOS router and an ASA 5505. The ASA has a dynamic IP.
Everything would be OK, but I don't understand the new NAT commands on the ASA. Can you tell me how to convert this into the 8.3-4 version?
access-list NO-NAT extended permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
I'm using this link
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/82077-ipsec-pix-iosroutr-nat-config.html
Thank you for any help.
01-01-2016 04:29 PM
Take a look at the following document where you find nearly everything about the new NAT-model:
Especially "NAT0 / NAT Exemption / Identity NAT" in the part "TWICE-NAT-MANUAL-NAT" is relevant for this task.
01-01-2016 05:27 PM
So is this correct? Can you compare it with the picture, please?
object network obj-0.0.0.0.0
subnet 0 0
nat (inside,outside) dynamic interface
object network NAT-SOURCE
subnet 10.10.10.0 255.255.255.0
object network NAT-DESTINATION
subnet 192.168.60.0 255.255.255.0
nat (inside,outside) source static NAT-SOURCE NAT-SOURCE destination static NAT-DESTINATION NAT-DESTINATION
01-02-2016 12:59 AM
Looks good. I typically use two little modifications:
1) I add the parameters "no-proxy-arp route-lookup" to the identity NAT, which is sometimes needed with newer versions.
2) I configure my dynamic PAT in section 3:
nat (any,outside) after-auto source dynamic any interface
With 2) the config looks a little bit cleaner when there are also some port-forwardings.
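The conversion discussed in this thread, as an added example that is not code from any poster or from Cisco: a small Python script that reads the pre-8.3 lines from the original question and emits the 8.3+ twice-NAT exemption (with the "no-proxy-arp route-lookup" parameters) and a section 3 interface PAT rule. Assumptions: only `permit ip <net> <mask> <net> <mask>` ACL entries are handled, the generated object names are constructed, and the PAT rule uses the interface pair from the old config rather than `any`.

```python
import re

# Constructed sample: the pre-8.3 configuration from the question above.
OLD_CONFIG = """\
access-list NO-NAT extended permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
"""

ACE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0 = re.compile(r"nat \((\S+)\) 0 access-list (\S+)$")
GLOBAL = re.compile(r"global \((\S+)\) (\d+) interface$")
PAT = re.compile(r"nat \((\S+)\) ([1-9]\d*) 0\.0\.0\.0 0\.0\.0\.0$")


def convert(old_config):
    """Return 8.3+ lines for the NAT exemption and interface PAT in old_config."""
    aces, nat0, globals_, pats = {}, [], {}, []
    for line in map(str.strip, old_config.splitlines()):
        if m := ACE.match(line):
            aces.setdefault(m[1], []).append(m.groups()[1:])
        elif m := NAT0.match(line):
            nat0.append(m.groups())
        elif m := GLOBAL.match(line):
            globals_[m[2]] = m[1]          # NAT id -> mapped interface
        elif m := PAT.match(line):
            pats.append(m.groups())
    objects, rules = [], []
    for real_if, acl in nat0:
        for n, (src, smask, dst, dmask) in enumerate(aces.get(acl, []), 1):
            s, d = f"{acl}-SRC-{n}", f"{acl}-DST-{n}"   # constructed object names
            objects += [f"object network {s}", f" subnet {src} {smask}",
                        f"object network {d}", f" subnet {dst} {dmask}"]
            # Assumption: exempted traffic leaves via an interface that has a
            # "global ... interface" pool, so identity NAT is emitted towards it.
            rules += [f"nat ({real_if},{out}) source static {s} {s} "
                      f"destination static {d} {d} no-proxy-arp route-lookup"
                      for out in sorted(set(globals_.values()))]
    for real_if, nat_id in pats:
        if nat_id in globals_:
            # Section 3 (after-auto) keeps the PAT rule below the exemption.
            rules.append(f"nat ({real_if},{globals_[nat_id]}) after-auto "
                         "source dynamic any interface")
    return objects + rules


if __name__ == "__main__":
    print("\n".join(convert(OLD_CONFIG)))
```

Review the generated lines against the running configuration before applying them; ACL entries using `host` or `any` are skipped by this sketch.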