10-01-2024 10:23 AM - edited 10-01-2024 10:26 AM
Hey all,
I've somehow successfully got an IPSec tunnel up between two 5506-X ASAs in Packet Tracer (something of a miracle for me, although this is using 3DES at the moment, which I need to correct), but as soon as I apply a dynamic NAT rule [nat (inside,outside) dynamic interface] to the "object network inside-subnet" the traffic ceases to be piped through the IPSec tunnel.
Okay, that makes sense - so I need to make a NAT exemption rule to ensure the traffic from the internal network uses its static IP address when communicating with the trusted remote network. But this seems to be the pinch point. I found articles like this https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html and this https://www.packetswitch.co.uk/cisco-asa-site-to-site-vpn/
These say to configure the NAT exemption as
nat (inside,outside) 1 source static 10.2.2.0_24 10.2.2.0_24 destination static 10.1.1.0_24 10.1.1.0_24 no-proxy-arp route-lookup
but PT will only permit
nat (inside,outside) static Single_IP_Address (i.e. 10.1.1.0)
So I'm not sure if I'm missing something or if anyone knows another way? Otherwise I think I'll have to fall back to doing the NAT-ing with a router, but I'd hoped to avoid this if I could get the 5506-X to do it all.
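For reference, the full NAT configuration the linked articles describe, as an added example rather than anything posted in this thread, and written for a real ASA running 9.x (Packet Tracer rejects the twice-NAT syntax, as noted above). It assumes the addressing from the quoted rule: local LAN 10.2.2.0/24 behind "inside" and remote VPN LAN 10.1.1.0/24 behind "outside"; the object names are made up for the example.

```cisco
! Added example (not from the original post): NAT exemption beside dynamic PAT on ASA 9.x.
! Assumed addressing, taken from the rule quoted in the thread: local LAN 10.2.2.0/24
! behind "inside", remote VPN LAN 10.1.1.0/24 reached via "outside".
object network inside-subnet
 subnet 10.2.2.0 255.255.255.0
object network remote-subnet
 subnet 10.1.1.0 255.255.255.0
!
! Manual (twice) NAT exemption: identity-translate both source and destination, so packets
! bound for the remote LAN keep their real addresses and still match the crypto ACL.
! Manual NAT rules sit in Section 1 and are evaluated before object NAT (Section 2),
! which is why this rule wins over the dynamic PAT rule below regardless of entry order.
! no-proxy-arp stops the ASA answering ARP for the remote subnet on the outside interface;
! route-lookup makes egress-interface selection follow the routing table, not the NAT rule.
nat (inside,outside) 1 source static inside-subnet inside-subnet destination static remote-subnet remote-subnet no-proxy-arp route-lookup
!
! Object (auto) NAT, Section 2: every other flow from the LAN is PATed to the outside
! interface address. Without the Section 1 exemption, VPN-bound traffic would hit this
! rule first, get its source rewritten, and no longer match the interesting-traffic ACL.
object network inside-subnet
 nat (inside,outside) dynamic interface
!
! Verification: confirm the exemption is listed under Section 1, then simulate a LAN host
! pinging a remote host and check the NAT phase hits the exemption and the flow reaches
! the VPN encryption phase. (This is the ASA's built-in packet-tracer command, unrelated
! to the Packet Tracer simulator discussed in the thread.)
show nat
packet-tracer input inside icmp 10.2.2.10 8 0 10.1.1.10 detailed
```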
10-01-2024 10:30 AM
Given the limitations of PT, it is probably a good idea to do the NAT on the router. ASA in PT is very limited and will not allow you to do anything beyond
nat (inside,outside) static Single_IP_Address (i.e. 10.1.1.0)
10-01-2024 02:56 PM
Agreed, I suspect using a Router for NAT is the way to go
10-01-2024 10:31 AM
@LJD4433 the rule looks ok. When you try to add the NAT exemption rule, does it error? If so what is the error?
I assume the objects (10.2.2.0_24 and 10.1.1.0_24) exist and are correct?
It could just be a limitation of PT.
10-01-2024 02:56 PM
Yeah, if I try and put in the rule as described in the links there's a configuration error and PT rejects it
If I enter the rule as it's pushing me to do, the FW begins blocking pings to the remote net
10-01-2024 10:34 AM
Friend
NAT exemption is optional, not mandatory; it is used only if you have any NAT applied to the ASA outside.
If PT does not support NAT, don't configure it.
MHM