Nat Exemption with multiple interfaces

Answered Question
Apr 28th, 2008

Hi, I am running v8 of the PIX software with the following config:

inside interface - sec level 100

outside1 interface sec level 0

outside2 interface sec level 2

My question is this: if I have a single nat exemption statement, i.e. 'nat (inside) 0', and 2 outside interfaces, should the nat exemption statement work for traffic destined for both interfaces?

I currently have several IPSEC VPN tunnels configured, and I have switched one of the tunnels over to use the outside2 interface with a new IP address. The tunnel comes up, the remote users can connect in to my network fine, however, I can't connect to the remote users. Packet tracer in ASDM shows that my traffic matches the NAT exempt statement and it shows the traffic as going from inside to outside1 and not to outside2.

The remote end has no restrictions on the VPN tunnel.

Any help would be greatly appreciated.

Thank you

Correct Answer by michelcaissie, Fri, 05/02/2008 - 11:58

My guess would be that your problem is not related to your nat 0 statement but is a routing problem.

Before a packet can trigger a crypto map associated with an interface, it must be routed through this interface.

If your default route is on outside1 you will need a specific route on outside2 for your tunnel traffic.

Try to add:

route outside2 [inside IP] [remote inside IP] [outside2 gateway]
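As an added example (not part of the original thread), here is what the relevant pieces look like on a PIX/ASA 7.x/8.0 configuration. All addresses are placeholders: inside LAN 10.10.0.0/24, remote LAN 10.20.0.0/24 behind the peer, remote VPN peer 198.51.100.10, and 203.0.113.1 as the next hop on outside2. The static route is the piece the answer adds; in PIX/ASA syntax its arguments are the destination network, its mask and the next-hop gateway. The nat 0 exemption is keyed to the interface the traffic arrives on (inside), so one statement covers traffic leaving either outside interface; what selects outside2, and therefore the crypto map bound to it, is the route lookup.

```cisco
! Added example, not from the thread. Addresses are placeholders:
!   inside LAN        10.10.0.0/24
!   remote LAN        10.20.0.0/24  (behind the peer)
!   remote VPN peer   198.51.100.10
!   outside2 next hop 203.0.113.1
!
! 1. NAT exemption: matched on the inside (source) interface, independent of
!    which outside interface the packet eventually leaves through.
access-list NONAT extended permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! 2. Crypto map bound to outside2 (the part the poster already has working;
!    isakmp policy omitted here because the tunnel already establishes).
access-list VPN2_TRAFFIC extended permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE2_MAP 10 match address VPN2_TRAFFIC
crypto map OUTSIDE2_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE2_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE2_MAP interface outside2
crypto isakmp enable outside2
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key <placeholder>
!
! 3. The missing piece: a route for the remote LAN via outside2. Without it
!    the default route on outside1 wins the lookup and the packet never
!    reaches the crypto map bound to outside2.
route outside2 10.20.0.0 255.255.255.0 203.0.113.1
!
! Verify: the route lookup should now pick outside2 and packet-tracer should
! show a VPN phase for the outside2 crypto map on inside-to-remote traffic.
show route
packet-tracer input inside tcp 10.10.0.5 1025 10.20.0.5 445
show crypto ipsec sa peer 198.51.100.10
```

After adding the route, re-run the same packet-tracer the poster used: the route-lookup phase should now report outside2 as the egress interface and a VPN phase should appear. If it still chooses outside1, check `show route` for a more specific or equal-length route on outside1 that overrides the new one.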

