beardog1113 asked on

Cisco ASA L2L VPN NAT option

hi Experts

With my Cisco ASA firewall there is an L2L VPN connection with a client network; my configuration is quite similar to the example in the link below. Actually, there is no difference with or without this option:

nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup


I am curious why that is. How can I make it take effect?

thank you


https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/215884-configure-a-site-to-site-vpn-tunnel-with.html

Tags: Cisco, VPN, Networking, ASA


8/22/2022 - Mon
arnold

It would be helpful if you provided detail on what it is you are trying to do, rather than providing a link to another configuration.

Which version of IOS is running on your ASA?
The example is for Cisco ASAv running 9.12(3)9.
ASKER
beardog1113

hello arnold
I mean that with or without the NAT option the connection between both sites is no different; the connection stays available.
And my ASA version is 9.10(1)42.

thanks

arnold

I do not understand.

What are you trying to do?
It is difficult for me to get what you have and are trying to achieve.

Are you trying to have an IP on the local side that connects through the VPN to another?
Or you are trying to overlay the remote LAN?

When you post a single line as you have with undefined objects it is a guessing game.
ASKER
beardog1113

hi arnold
Sorry for confusing you; let me make it clear. Below is the relevant VPN configuration on my ASA firewall:

object-group network HY_Subnet
 network-object 10.255.30.128 255.255.255.192
object-group network Internal
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

access-list HY extended permit ip 10.160.0.0 255.255.0.0 10.255.30.128 255.255.255.192

nat (inside,outside) source static Internal Internal destination static HY_Subnet HY_Subnet no-proxy-arp route-lookup

route outside 10.255.30.128 255.255.255.192 x.x.x.x 1

crypto map outside-map 10 match address HY
crypto map outside-map 10 set pfs group5
crypto map outside-map 10 set connection-type originate-only
crypto map outside-map 10 set peer y.y.y.y
crypto map outside-map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside-map 10 set security-association lifetime seconds 28800

crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 am-disable
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 11
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 12
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 13
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400

tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck
ASKER
beardog1113

The connection between 10.160.0.0/16 and 10.255.30.128/26 works without any issue.
After removing
nat (inside,outside) source static Internal Internal destination static HY_Subnet HY_Subnet no-proxy-arp route-lookup
the connection between 10.160.0.0/16 and 10.255.30.128/26 still works without any issue.
So I think nat (inside,outside) source static Internal Internal destination static HY_Subnet HY_Subnet no-proxy-arp route-lookup is redundant? How can I make it take effect?

I hope this makes sense this time.
thank you
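An added model of why the identity NAT rule above appears to do nothing (example code, not the asker's configuration or Cisco's software). It assumes the ASA evaluates manual (twice) NAT rules in order and matches the crypto ACL on the post-NAT packet, and it constructs a hypothetical dynamic PAT rule for Internet access that is not in the posted config, to show when the identity rule starts to matter:

```python
"""Model of ASA NAT ordering for the thread's L2L VPN (added example).
Assumption: manual NAT rules are checked first-match in order, and the
crypto map's interesting-traffic ACL is evaluated on the translated packet."""
import ipaddress

# Object groups and crypto ACL taken from the posted configuration
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HY_SUBNET = [ipaddress.ip_network("10.255.30.128/26")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]
CRYPTO_ACL_HY = (ipaddress.ip_network("10.160.0.0/16"), HY_SUBNET[0])
OUTSIDE_IP = ipaddress.ip_address("203.0.113.10")  # constructed placeholder


def in_any(ip, nets):
    return any(ip in n for n in nets)


# A rule is (source match, destination match, translation action).
# The posted identity rule: Internal -> HY_Subnet keeps both addresses.
identity_rule = (INTERNAL, HY_SUBNET, lambda s, d: (s, d))
# Hypothetical dynamic PAT for Internet access (NOT in the posted config).
dynamic_pat = (INTERNAL, ANY, lambda s, d: (OUTSIDE_IP, d))


def translate(src, dst, rules):
    """Apply the first manual NAT rule whose source and destination match."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_match, dst_match, action in rules:
        if in_any(src, src_match) and in_any(dst, dst_match):
            return action(src, dst)
    return src, dst          # no rule matched: packet is untouched


def matches_crypto_acl(src, dst):
    acl_src, acl_dst = CRYPTO_ACL_HY
    return src in acl_src and dst in acl_dst


def goes_through_tunnel(src, dst, rules):
    """True if the packet still matches access-list HY after NAT."""
    return matches_crypto_acl(*translate(src, dst, rules))


if __name__ == "__main__":
    host, peer = "10.160.1.5", "10.255.30.130"
    for name, rules in (("no NAT rules", []), ("identity only", [identity_rule]),
                        ("PAT only", [dynamic_pat]),
                        ("identity + PAT", [identity_rule, dynamic_pat])):
        print(f"{name}: tunnel={goes_through_tunnel(host, peer, rules)}")
```

With no other NAT rule present, removing the identity rule changes nothing; it only becomes necessary once a broader rule (such as a PAT to the outside address) would otherwise rewrite the VPN traffic so that it no longer matches the crypto ACL.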
ASKER CERTIFIED SOLUTION
arnold

ASKER
beardog1113

hi arnold
see below
ASA-01# sh run all sysopt
no sysopt traffic detailed-statistics
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp outside
no sysopt noproxyarp inside

Should I remove it?
thanks

arnold

no sysopt connection permit-vpn
And then you will control it through the
nat (inside,outside) rule.
ASKER
beardog1113

ok, will try that later
thank you
ASKER
beardog1113

hi arnold
After "no sysopt connection permit-vpn", the nat (inside,outside) rule still does not control the traffic, same as before.
any ideas?

thank you
arnold

Also try excluding the reclassify-vpn line.
ASKER
beardog1113

hi arnold
not helpful. :(
thanks
arnold

Did you bounce the VPN?

Look at the config example you posted and your config.
ASKER
beardog1113

hi arnold
What do you mean by bounce the VPN?
thanks
arnold

You can disconnect the tunnel to a specific peer:

clear ipsec sa peer <remote gateway ip of peer>

See when it re-establishes whether the changes made make a difference.
ASKER
beardog1113

hi arnold
Still the same, and it looks like "sysopt connection permit-vpn" only affects the remote access client VPN; without it, no matter how the VPN filter, group policy or NAT is configured, the remote client VPN has no connection at all.
thanks

ASKER
beardog1113

hi arnold
I found this: I have to have the configuration below present
access-list outside-acl extended permit icmp any any
access-list outside-acl extended permit ip VPN-Client-Sub any
access-group outside-acl in interface outside

to make the remote access VPN work, and "no sysopt connection permit-vpn" only affects inbound VPN traffic. In other words, connections sourced from the other end to mine are not available unless I permit them in "outside-acl", but for outbound traffic there is no limitation at all. I suppose the nat (inside,outside) rule should have it under control, but it does not.
any ideas?
thanks

ASKER
beardog1113

hi arnold
do you have any solutions?
thank you
arnold

I am unsure I understand what you are after.
The interesting traffic is what the tunnel will allow to enter and exit.

Only systems you configure will try to access resources on the remote LAN.
ASKER
beardog1113

hi arnold
In my scenario the "nat (inside,outside)" rule is not operational in controlling VPN traffic; whether I have it or not, there is no difference. I thought it would be, and I need it to be operational. How can I make it so?
thanks

arnold

Once the sysopt directive bypassing NAT for VPN traffic is removed, the nat rule is what controls.

But you are saying new requests from the remote site work?

Commonly your ACL allows traffic from your side to go through the tunnel and the response to come back.
ASKER
beardog1113

hi arnold
Let me simplify the question: whether I have "sysopt connection permit-vpn" or not, "nat (inside,outside) source static Internal Internal destination static HY_Subnet HY_Subnet no-proxy-arp route-lookup" doesn't control the traffic.
With the nat (inside,outside) option, access from local to remote is available;
without the nat (inside,outside) option, access from local to remote is also available.
So let's not consider access from remote any more.
thanks

arnold

Based on the information available, I am unclear what allows the traffic passage.

The link in a way discusses the VPN setup.

Your setup includes something that impacts this.
ASKER
beardog1113

hi arnold
Do you need the full configuration?
thanks

arnold

Possibly; I thought the sysopt answered the call.
But I can't think of what other setting or configuration you might have that impacts this behavior.
Possibly 10.0.0.0/8 is defined as a local IP block.
ASKER
beardog1113

thank you