06-02-2008 11:57 PM
Hi Cisco Engineers,
I've heard from the training videos (CBT Nuggets) that when mixing VPN and NAT configuration, you must exclude the IP addresses from being NATed to be able to go across the VPN to the other side. Do I make sense?
I want to set up a site-to-site VPN, and all the clients behind these routers are able to surf the internet, and it is permitted using NAT. Please help enlighten me on this from the video training that I've seen.
Is there any documentation I should follow when it comes to configuration?
Hoping for your future response.
thanks,
lester
06-03-2008 03:12 AM
Hi,
This is simple. After you have created the Site-to-Site VPN tunnel, you need to add a NAT rule (NAT-Exempt) so that the traffic is NOT being NATed.
From the ASDM, Configure - Firewall - NAT Rule and add a NAT-Exempt rule to the interface that your NAT network is behind. Source is your network and destination is the remote network.
Hope this works.
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/cfgnat.html#wp1043541
06-03-2008 07:19 AM
A simple IOS example:
ip access-list extended nat-src
remark --- Inside source addresses dynamically translated via PAT overload.
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
The first ACE would exclude tunnel traffic (192.168.1.0 near side, 192.168.2.0 far side) from the NAT process.
The second ACE would NAT any traffic not being sent to far-side addresses (through the tunnel).
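As an added illustration (not part of the original thread, and not Cisco code) of why the order of those two ACEs matters, here is a small Python model of IOS first-match ACL evaluation with wildcard masks. It parses the ACL lines posted above, answers whether a given source/destination pair would be handed to the NAT process, and shows that reversing the two ACEs would cause tunnel-bound traffic to be translated and so break the site-to-site VPN. The host addresses used in the checks are constructed sample values.

```python
import ipaddress

# The ACL from the post above, pasted as plain IOS text (the remark line is ignored).
NAT_SRC_ACL_TEXT = """
remark --- Inside source addresses dynamically translated via PAT overload.
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
"""


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Return a list of (action, (src_net, src_wc), (dst_net, dst_wc)) in ACL order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if proto != "ip":
            raise ValueError("this model only handles 'ip' ACEs: %s" % line)
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        aces.append((action, src, dst))
    return aces


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def first_match(aces, src, dst):
    """First-match evaluation; every IOS ACL ends with an implicit deny."""
    for action, (sn, sw), (dn, dw) in aces:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"


def is_translated(aces, src, dst):
    """In a NAT source ACL, a 'permit' means the flow is translated."""
    return first_match(aces, src, dst) == "permit"


def tunnel_traffic_exempt(aces, local_net, remote_net):
    """Check that a sample local->remote host pair is NOT translated (i.e. the VPN survives NAT)."""
    local_host = next(ipaddress.ip_network(local_net).hosts())
    remote_host = next(ipaddress.ip_network(remote_net).hosts())
    return not is_translated(aces, str(local_host), str(remote_host))


if __name__ == "__main__":
    acl = parse_acl(NAT_SRC_ACL_TEXT)
    print("tunnel 192.168.1.10 -> 192.168.2.20 translated:", is_translated(acl, "192.168.1.10", "192.168.2.20"))
    print("internet 192.168.1.10 -> 203.0.113.5 translated:", is_translated(acl, "192.168.1.10", "203.0.113.5"))
    print("ACEs as posted exempt the tunnel:", tunnel_traffic_exempt(acl, "192.168.1.0/24", "192.168.2.0/24"))
    print("ACEs reversed exempt the tunnel:", tunnel_traffic_exempt(list(reversed(acl)), "192.168.1.0/24", "192.168.2.0/24"))
```

The last two lines of the usage block are the check a practitioner wants before committing a NAT ACL: with the `deny` ACE first, tunnel traffic stays untranslated and internet-bound traffic is overloaded; swap the two ACEs and the `permit ... any` line matches first, so packets for the far side get PATed to the outside address and never match the crypto ACL. The same reasoning applies to the ASA NAT-Exempt rule in the earlier reply, which must be ordered ahead of the dynamic PAT rule.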