I am moving an existing VPN tunnel from an 8.0(4) ASA to an 8.3(2) ASA appliance and the previous config will not translate over.
In the existing tunnel I am using both internal NATs to get to the other end of the tunnel and external NATs for the customer to get to internal hosts.
In essence the configuration is like this:
Internal host --> customer server:
SRC 18.104.22.168 --> DST 22.214.171.124
--> After NATing:
SRC 126.96.36.199 --> DST 188.8.131.52
I have a route that sends all traffic bound to 184.108.40.206 via the VPN peer address, which in 8.0(4) results in the traffic being shoved into the VPN tunnel. In 8.3 the same does not work.
Packet traces show that the VPN lookup is not performed until I add the real SRC IPs into the crypto map, which I am trying to avoid as our customer would have to add it into their crypto map and it would defeat the whole idea of NATing in the first place!
I have looked all over the Internet, but cannot find anything besides explanations on how NAT is now different.
In 8.3, you should use the real IP in the ACL instead of the NAT-ed IP.
For example, you have a static NAT that translates 220.127.116.11 to a public IP. In pre-8.3, when you want to permit the incoming traffic to this host, you use the public IP in the ACL. But in 8.3, you should use 18.104.22.168.
So, you have to use the real IP even if it has been NAT-ed. You should see NAT happening in your packet-tracer output; on the remote end, they should see the NAT-ed IP instead of the real IP.
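The following is an added configuration example (not the poster's or the answerer's own config, and not taken from Cisco documentation) that shows the 8.3 change the answer describes side by side with the pre-8.3 form, plus the 8.3 twice-NAT rule that translates both source and destination the way the question's scenario does. All addresses and object names are constructed placeholders from the RFC 5737 documentation ranges; substitute your own. The packet-tracer and show commands at the end are the checks you would run to confirm the translation is applied and which ACL entry the flow hits.

```cisco
! ---- Pre-8.3 (8.0/8.2): interface ACL references the MAPPED (public) address ----
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside

! ---- 8.3 and later: interface ACL references the REAL (inside) address ----
! The ACL is evaluated after un-NAT on ingress, so the public IP would never match.
object network SRV-10.1.1.10
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
access-list OUTSIDE_IN extended permit tcp any object SRV-10.1.1.10 eq 443
access-group OUTSIDE_IN in interface outside

! ---- 8.3 twice NAT for a tunnel where both ends present translated addresses ----
! Placeholder objects: LOCAL-REAL is our host, LOCAL-MAPPED is what the customer sees,
! REMOTE-MAPPED is the address our hosts use for the customer server, REMOTE-REAL is
! the address the customer actually routes on the far side.
object network LOCAL-REAL
 host 10.1.1.10
object network LOCAL-MAPPED
 host 192.0.2.10
object network REMOTE-MAPPED
 host 192.0.2.20
object network REMOTE-REAL
 host 198.51.100.20
! Ordering matters: "source static REAL MAPPED" but "destination static MAPPED REAL".
nat (inside,outside) source static LOCAL-REAL LOCAL-MAPPED destination static REMOTE-MAPPED REMOTE-REAL

! ---- Verification (constructed flow: inside host to the customer server) ----
! Expect a NAT phase showing 10.1.1.10 -> 192.0.2.10 and 192.0.2.20 -> 198.51.100.20
! before the VPN phase; a trace that stops at ROUTE-LOOKUP or shows no NAT phase means
! the twice-NAT rule did not match this flow.
packet-tracer input inside tcp 10.1.1.10 12345 192.0.2.20 443 detailed
! Hit counters confirm which NAT rule and ACL entry the traffic is actually taking.
show nat detail
show access-list OUTSIDE_IN
```

In the twice-NAT rule the destination pair is written mapped-then-real, the reverse of the source pair; getting that order backwards is the most common reason an 8.3 migration of this kind silently fails to translate, and `show nat detail` will show zero translate_hits on the rule when that happens.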