10-01-2024 10:23 AM - edited 10-01-2024 10:26 AM
Hey all,
I've somehow successfully got an IPSec tunnel up between 2x 5506-X ASAs in packet tracer (something of a miracle for me, although this is using 3DES at the moment which I need to correct) but as soon as I apply a dynamic NAT rule [nat (inside,outside) dynamic interface] to the "object network inside-subnet" the traffic ceases to be piped through the IPSec tunnel.
Okay, that makes sense - so I need to make a NAT exemption rule to ensure the traffic from the internal network uses its static IP address when communicating with the trusted remote network. But this seems to be the pinch point. I found articles like this https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html and this https://www.packetswitch.co.uk/cisco-asa-site-to-site-vpn/
These say to configure the NAT exemption as
nat (inside,outside) 1 source static 10.2.2.0_24 10.2.2.0_24 destination static 10.1.1.0_24 10.1.1.0_24 no-proxy-arp route-lookup
but PT will only permit
nat (inside,outside) static Single_IP_Address (i.e. 10.1.1.0)
So I'm not sure if I'm missing something or if anyone knows another way? Otherwise I think I'll have to fall back to doing the NAT-ing with a router, but I'd hoped to avoid this if I could get the 5506-X to do it all.
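For reference, here is the NAT exemption the linked articles describe, written out as an added example (it is not from the original post or the linked pages) for an ASA running 9.x software rather than Packet Tracer. The object names follow the thread's convention and the addressing is taken from it (inside network 10.2.2.0/24, remote site 10.1.1.0/24); the access-list name and the placement of the dynamic PAT rule on the existing "inside-subnet" object are assumptions.

```cisco
! Added example (not from the thread): NAT exemption for site-to-site VPN
! traffic on a Cisco ASA 9.x. Object names and the ACL name are assumed;
! addresses follow the thread (inside 10.2.2.0/24, remote 10.1.1.0/24).
object network 10.2.2.0_24
 subnet 10.2.2.0 255.255.255.0
object network 10.1.1.0_24
 subnet 10.1.1.0 255.255.255.0
!
! Section 1 (manual / twice NAT): identity-translate inside hosts only when
! the destination is the remote site, so the crypto ACL sees the real
! 10.2.2.x source. no-proxy-arp stops the ASA answering ARP for the remote
! subnet on "inside"; route-lookup picks the egress interface from the
! routing table instead of the NAT rule.
nat (inside,outside) 1 source static 10.2.2.0_24 10.2.2.0_24 destination static 10.1.1.0_24 10.1.1.0_24 no-proxy-arp route-lookup
!
! Section 2 (object / auto NAT): PAT everything else to the outside address.
! Manual NAT is evaluated before object NAT, so the identity rule above
! matches VPN-bound flows first and Internet-bound flows still get PAT.
object network inside-subnet
 subnet 10.2.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! The crypto ACL must match the untranslated addresses the identity rule
! preserves; this is the ACL the crypto map references.
access-list VPN_TRAFFIC extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
```

On a real ASA, `show nat detail` shows hit counts on the identity rule, and `packet-tracer input inside tcp 10.2.2.10 12345 10.1.1.10 80` walks a synthetic packet through the rule set so you can confirm it matches the manual NAT rule and then the VPN phase rather than the dynamic PAT. As the reply below the original question notes, Packet Tracer's ASA model does not accept this twice-NAT form, so the example applies to ASA hardware or ASAv, not to the simulator.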
10-01-2024 10:30 AM
Given the limitations of PT, it is probably a good idea to do the NAT on the router. ASA in PT is very limited and will not allow you to do anything beyond
nat (inside,outside) static Single_IP_Address (i.e. 10.1.1.0)