[c-nsp] ASA - packets tripping on NAT rule?

Michael K. Smith - Adhost mksmith at adhost.com
Thu Jul 12 13:36:49 EDT 2007


Hello Justin:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Justin M. Streiner
> Sent: Wednesday, July 11, 2007 6:49 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA - packets tripping on NAT rule?
> 
> I'm configuring a new ASA 5505 at a remote site and have a site-to-site
> VPN working between the main office and the remote site.  Users were
> experiencing problems reaching a server at the remote office over the
> VPN tunnel, and when I did a packet trace, I saw traffic failing at the
> last step, which was a NAT rule check.  This struck me as very odd since
> traffic that traverses the VPN tunnel is exempted from having NAT.
> 
> Has anyone run into anything like this before?
> 
> I have a sneaky suspicion this is going to be something dumb :(
> 
I think you have to actually tell the ASA not to NAT the traffic from
your VPN connections to your servers.  Using this example:

Server Net: 192.168.1.0/24
VPN Net: 192.168.2.0/24

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

Without that, all traffic, including that of your VPNs, will hit the
"nat (inside) 1" rule.

Regards,

Mike
mksmith at adhost.com (work)
mksmith at mac.com (!work)
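Added example, not from Mike's reply or the original thread: a fuller remote-site ASA configuration built around the same address plan (server net 192.168.1.0/24, VPN net 192.168.2.0/24) that shows the broken state with only the "nat (inside) 1" rule, the "nat (inside) 0 access-list" exemption that fixes it, and the crypto ACL that has to describe the same traffic. It assumes the pre-8.3 nat-control syntax used in 2007; the interface, ACL and crypto-map names, the outside/peer addresses and the pre-shared key are constructed placeholders.

```cisco
! Added example (not from the thread): ASA 5505 at the remote site, pre-8.3 syntax.
!   inside  = server network 192.168.1.0/24 (interface 192.168.1.1)
!   outside = 203.0.113.2 (constructed), main-office peer 198.51.100.2 (constructed)
!   main-office network reached over the tunnel = 192.168.2.0/24
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! --- Broken state: only the dynamic PAT rule exists -----------------------
! Every inside host, including 192.168.1.0/24 talking to 192.168.2.0/24,
! matches this rule and has its source translated to the outside address.
! NAT is applied before the crypto ACL is checked, so the translated packet
! no longer matches "vpn-traffic" and is never sent into the tunnel.
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
!
! --- Fix: NAT exemption for the VPN-bound traffic -------------------------
! "nat 0 access-list" has priority over the numbered dynamic NAT rules, so
! traffic matching "nonat" keeps its original source address.
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! The crypto ACL must describe the same traffic; the main-office ASA needs
! the mirror image (192.168.2.0/24 -> 192.168.1.0/24) in both its nonat and
! crypto ACLs.
access-list vpn-traffic extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address vpn-traffic
crypto map outside_map 10 set peer 198.51.100.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key PLACEHOLDER-SHARED-SECRET
!
! Verification from the CLI (exec commands, not config lines):
!   packet-tracer input inside tcp 192.168.1.10 40000 192.168.2.20 80
!     -> the NAT phase should show the nat 0 exemption and the flow should
!        end in ALLOW with the VPN encrypt phase present
!   show xlate
!     -> no translation entry for 192.168.1.10 toward 192.168.2.20
```

The packet-tracer run is the quickest check: before the "nat (inside) 0" line is added it reports the flow dropping in the NAT phase, exactly as described in the question; afterwards the same trace passes through to the VPN phase. Keep the "nonat" and crypto ACLs in step with each other, since a subnet added to one but not the other produces the same symptom for just that subnet.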


