ASA VPN Config - A question from the past :-)

Unanswered Question
Aug 5th, 2010

Hi All

It's been "a while" since I've been near an ASA for VPN configuration purposes, indeed I think it was running 6.something and still called a Pix :-)

Anyhow, I (vaguely) remember it used to be the case that when you had an/some existing L2L IPsec VPN config and you wanted to change/add/whatever to it, planning in things like removing the crypto map from the outside interface first was A Good Idea if one wanted to avoid days of head-scratching as to why a perfectly reasonable modification screwed the whole thing over - does that still apply, or is it all a bit more stable/forgiving nowadays?

Bonus question:

If you have a scenario say, similar to "L2L with overlapping networks", is it possible to have a many-to-few policy NAT?  For instance, instead of  the example given in the config docs:

access-list policy-nat extended permit ip
static (inside,outside)  access-list policy-nat
is it possible in any way to run your internal network of into a smaller range?
If not everything in the internal network will be going via VPN, could something like

access-list policy-nat extended permit ip
Would that NAT...
...the first x addresses of the subnet, 1-to-1 (i.e. >
...the first addresses 'seen' to traverse the tunnel (which is what I'd like to happen) like maybe -> -> etc... (and presumably tough luck if you're internal host #15)
or, as I suspect, is such a thing not even possible?

Circa 1994 :-)

Nitin Agarwal Mon, 08/09/2010 - 10:51


Yes, the ASA is much more stable with regard to the problem you referred to. To answer your second question, you may PAT the tunnel traffic to even a single IP address with a policy NAT statement, but then this will be a uni-directional tunnel.


Nitin Agarwal
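To make the two options in this thread concrete, here is an added, constructed ASA 8.2-style (pre-8.3 NAT syntax) fragment; it is not from the thread, the Cisco docs or either poster. All addresses are made up: the local LAN is 10.1.1.0/24, the peer LAN also 10.1.1.0/24 (the overlap case), the peer presents its LAN as 198.51.100.0/24, the peer address is 203.0.113.2, and only one of the two NAT variants is applied at a time.

```cisco
! Constructed example - pick EITHER variant A OR variant B, not both.

! --- Variant A: the documented 1-to-1 policy static.
!     Translated range must be the same size as the real range,
!     which is why "many-to-few" does not fit this form.
access-list policy-nat extended permit ip 10.1.1.0 255.255.255.0 198.51.100.0 255.255.255.0
static (inside,outside) 192.0.2.0 access-list policy-nat

! --- Variant B: many-to-one PAT of tunnel traffic to a single address
!     (what the answer describes). Only inside hosts can initiate;
!     the peer has no way to address an individual inside host,
!     hence the tunnel is effectively uni-directional.
access-list policy-nat extended permit ip 10.1.1.0 255.255.255.0 198.51.100.0 255.255.255.0
nat (inside) 1 access-list policy-nat
global (outside) 1 192.0.2.1

! --- Crypto ACL: must match the TRANSLATED source, not 10.1.1.0/24.
!     Variant A:
access-list vpn-traffic extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
!     Variant B would instead use:
!     access-list vpn-traffic extended permit host 192.0.2.1 198.51.100.0 255.255.255.0

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address vpn-traffic
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
! Binding the map to the interface is the step the original question
! asks about; re-applying it after edits forces the SAs to rebuild.
crypto map outside_map interface outside
```

Whichever variant is used, the peer's crypto ACL has to mirror it (198.51.100.0/24 to 192.0.2.0/24, or to host 192.0.2.1), otherwise the proxy identities will not match and phase 2 fails.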
