Thanks tvman_od,
But could you help me understand why the NAT exemptions are required on one ASA, but not the other? Is there some global config option to bypass the need for NAT exemptions? On asa2 there are no NAT rules defined, but all VPNs created work perfectly. On asa1, I need to manually define NAT exemptions to get the same VPNs to work.

by: tvman_od Posted on 2009-05-14 at 07:58:19 ID: 24385679
The answer is in the processing sequence.
Cisco will apply IPSEC before NAT. So you need to instruct NAT not to touch packets for VPN.
Full explanations are here:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml