Packet Tracer 5506-X ASA -- IPSec & NAT

LJD4433
Level 1

Hey all,

I've somehow successfully got an IPSec tunnel up between 2x 5506-X ASAs in packet tracer (something of a miracle for me, although this is using 3DES at the moment which I need to correct) but as soon as I apply a dynamic NAT rule [nat (inside,outside) dynamic interface] to the "object network inside-subnet" the traffic ceases to be piped through the IPSec tunnel.

Okay, that makes sense - so I need to make a NAT exemption rule to ensure the traffic from the internal network uses its static IP address when communicating with the trusted remote network. But this seems to be the pinch point. I found articles like this https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html and this https://www.packetswitch.co.uk/cisco-asa-site-to-site-vpn/

These say to configure the NAT exemption as

nat (inside,outside) 1 source static 10.2.2.0_24 10.2.2.0_24 destination static 10.1.1.0_24 10.1.1.0_24 no-proxy-arp route-lookup

but PT will only permit

nat (inside,outside) static Single_IP_Address (i.e. 10.1.1.0) 

So I'm not sure if I'm missing something or if anyone knows another way? Otherwise I think I'll have to fall back to doing the NAT-ing with a router, but I'd hoped to avoid this if I could get the 5506-X to do it all.

[Screenshot attachment: 5506-X.JPG]
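For reference, this is what the twice-NAT exemption from the linked Cisco article looks like on a real ASA running 8.3+ code, alongside the object NAT rule that breaks the tunnel when it stands alone. This is an added example, not configuration from the original post; the addressing (10.2.2.0/24 local, 10.1.1.0/24 remote) and the object name remote-subnet are assumptions, and as the thread notes, Packet Tracer does not accept the manual NAT line.

```cisco
! Constructed example addressing:
!   local LAN  10.2.2.0/24 behind "inside" of this ASA
!   remote LAN 10.1.1.0/24 behind the IPsec peer
object network inside-subnet
 subnet 10.2.2.0 255.255.255.0
 ! Auto (object) NAT, Section 2: PAT internet-bound traffic to the outside address.
 ! On its own this also PATs VPN-bound packets, so their new source no longer
 ! matches the crypto ACL and they leave the outside interface unencrypted.
 nat (inside,outside) dynamic interface

object network remote-subnet
 subnet 10.1.1.0 255.255.255.0

! Identity NAT ("NAT exemption") for tunnel traffic. Manual NAT lives in
! Section 1 and is evaluated before object NAT in Section 2, so this rule
! wins for inside -> remote-LAN traffic wherever it sits in the config.
!   no-proxy-arp : do not answer ARP on outside for the untranslated subnet
!   route-lookup : choose the egress interface from the routing table rather
!                  than from the NAT rule, so a wrong interface is not assumed
nat (inside,outside) 1 source static inside-subnet inside-subnet destination static remote-subnet remote-subnet no-proxy-arp route-lookup

! Verification (run from enable mode):
!   show nat detail
!     translate_hits on the identity rule should increase for VPN traffic
!   packet-tracer input inside tcp 10.2.2.10 12345 10.1.1.10 443
!     the NAT phase should cite the identity rule and a VPN encrypt phase
!     should appear before the final ALLOW
!   show crypto ipsec sa
!     #pkts encaps should increment; if it stays at 0 while show nat shows
!     hits on the dynamic rule, the exemption is not matching
```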




5 Replies

@LJD4433 

Given the limitations of PT, it is probably a good idea to do the NAT on the router. ASA in PT is very limited and will not allow you to do anything beyond

nat (inside,outside) static Single_IP_Address (i.e. 10.1.1.0)