06-17-2013 06:07 AM
Hello, I have two ASAs doing a site-to-site tunnel, one with 8.2 code and one with 8.4. I don't have the config handy but I believe I know where the issue is. On the ASA with 8.2 code we have 3 networks inside. I believe that is ok. On the 8.4 ASA I have one network inside which is 10.50.0.0/24. The site that has the 8.4 works on the VPN side if I remove the dynamic NAT but then the internet there breaks. If I add the dynamic NAT the internet works but the VPN breaks. I believe I need a dynamic NAT and a NAT exemption for the 10.50.0.0/24 network so the tunnel will work. Can you tell me the statement I would need?
Thanks,
Dave
06-17-2013 06:16 AM
Hi,
I think that your NAT ordering/configuration format is probably causing the problem. You have probably configured the Dynamic PAT at the 8.4 site with too high a priority.
If I presume the following base information for site 8.4
Then you should be fine with the following configurations.
Dynamic PAT for LAN networks:
object-group network DEFAULT-PAT-SOURCE
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
network-object 10.10.30.0 255.255.255.0
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
NAT0 for the L2L VPN connection:
object network REMOTE-LAN
subnet 10.50.0.0 255.255.255.0
object-group network LOCAL-LAN
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
network-object 10.10.30.0 255.255.255.0
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN
The above configurations should handle the default Dynamic PAT for Internet traffic and the NAT0 for the L2L VPN connection between the sites.
Hope this helps
Please remember to mark the reply as the correct answer if it answered your question.
Ask more if needed
- Jouni
06-17-2013 06:35 AM
Hi JouniForss, thank you for your reply. I just want to make sure I understand correctly. The ASA with 8.4 code has a local network of 10.50.0.0/24. The remote network would be the ASA with 8.2 code and those networks can be 10.10.10.0, 10.10.20.0, and 10.10.30.0 as you said. Is the configuration above only for the ASA with 8.4, and if so I would just have to switch the object-group network DEFAULT-PAT-SOURCE to only the 10.50.0.0/24 and the local and remote networks would have to be swapped, correct?
06-17-2013 06:48 AM
Hi,
Sorry, I mixed up the sites which had 1 and 3 networks.
Here is the correct example configuration:
object-group network DEFAULT-PAT-SOURCE
network-object 10.50.0.0 255.255.255.0
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
object network LOCAL-LAN
subnet 10.50.0.0 255.255.255.0
object-group network REMOTE-LAN
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
network-object 10.10.30.0 255.255.255.0
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN
- Jouni
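Both of Jouni's replies rest on one fact about ASA 8.3+ NAT: manual rules run in section 1, object (auto) NAT in section 2, and `after-auto` manual rules in section 3, with the first match winning. The script below is an added illustration written for this thread, not Cisco code or anything from the original posts. It models that three-section lookup with the thread's own addresses (10.50.0.0/24 local, the three 10.10.x.0/24 remote subnets) and contrasts a dynamic PAT placed ahead of the identity NAT (VPN traffic gets PATed to the outside address and never matches the crypto map) with the `after-auto` placement from the answer above. The outside interface address is a constructed placeholder.

```python
"""Model of ASA 8.4 NAT section ordering for a site-to-site VPN NAT0 check.

Added example for this thread, not Cisco code. Addresses for the local and
remote LANs come from the thread; the outside interface IP is a constructed
placeholder from the TEST-NET-3 documentation range.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Constructed placeholder for the 8.4 ASA's outside interface address.
OUTSIDE_INTERFACE_IP = "203.0.113.10"

LOCAL_LAN = ipaddress.ip_network("10.50.0.0/24")
REMOTE_LANS = tuple(
    ipaddress.ip_network(n) for n in ("10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24")
)


@dataclass
class NatRule:
    name: str
    section: int  # 1 = manual, 2 = object/auto NAT, 3 = manual 'after-auto'
    source: ipaddress.IPv4Network
    destinations: Tuple[ipaddress.IPv4Network, ...]  # empty tuple = any destination
    translate_to: str  # "identity" keeps the real address, otherwise the PAT address


def lookup(rules: List[NatRule], src_ip: str, dst_ip: str) -> Tuple[Optional[str], str]:
    """Return (matching rule name, translated source) for one packet.

    The ASA evaluates section 1, then 2, then 3; within a section rules are
    evaluated in configured (list) order, and the first match wins. sorted() is
    stable, so list order is preserved inside each section.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.section):
        if src not in rule.source:
            continue
        if rule.destinations and not any(dst in d for d in rule.destinations):
            continue
        translated = src_ip if rule.translate_to == "identity" else rule.translate_to
        return rule.name, translated
    return None, src_ip  # no NAT rule matched: address passes untranslated


def nat0_rule() -> NatRule:
    """'nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN'."""
    return NatRule("NAT0 LOCAL-LAN -> REMOTE-LAN", 1, LOCAL_LAN, REMOTE_LANS, "identity")


def broken_config() -> List[NatRule]:
    """Dynamic PAT as an ordinary manual rule, entered before the NAT0 rule.

    Both rules sit in section 1, the PAT matches any destination, and it is
    evaluated first, so VPN-bound packets are PATed to the outside address.
    """
    pat = NatRule("Dynamic PAT (section 1)", 1, LOCAL_LAN, (), OUTSIDE_INTERFACE_IP)
    return [pat, nat0_rule()]


def fixed_config() -> List[NatRule]:
    """Dynamic PAT with 'after-auto' (section 3); the NAT0 rule in section 1 wins first."""
    pat = NatRule("Dynamic PAT (after-auto, section 3)", 3, LOCAL_LAN, (), OUTSIDE_INTERFACE_IP)
    return [pat, nat0_rule()]  # entry order no longer matters across sections


def vpn_addresses_preserved(rules: List[NatRule]) -> bool:
    """True when a local host reaches every remote LAN with its real source address."""
    probe = "10.50.0.5"
    return all(lookup(rules, probe, str(r.network_address + 7))[1] == probe for r in REMOTE_LANS)


def internet_is_pated(rules: List[NatRule]) -> bool:
    """True when a local host going to a non-VPN destination is PATed to the outside IP."""
    return lookup(rules, "10.50.0.5", "198.51.100.1")[1] == OUTSIDE_INTERFACE_IP


if __name__ == "__main__":
    for label, cfg in (("PAT before NAT0", broken_config()), ("PAT after-auto", fixed_config())):
        print(f"{label}: VPN kept real address={vpn_addresses_preserved(cfg)}, "
              f"Internet PATed={internet_is_pated(cfg)}")
```

The check worth keeping is `vpn_addresses_preserved`: if it fails, the tunnel's interesting traffic is leaving with the outside address and the crypto map will never match it, which is exactly the "internet works but VPN breaks" symptom in the first post. On a real ASA the equivalent check is `packet-tracer input inside tcp 10.50.0.5 1025 10.10.10.7 80` and reading which NAT rule the trace reports.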
06-17-2013 07:50 AM
Thanks Jouni, we may be implementing this later on.