ASA 8.3(1) nat exemption for L2l VPN

Answered Question
Dec 8th, 2013
Hello Expert,

I have a Cisco ASA running version 8.3(1).

I have a successful L2L tunnel between two sites, but I'm confused about the NAT exemption used here. An ACL is defined stating that the interesting traffic of the two sites using the tunnel should be NAT exempted, and it is configured as below in rectangular boxes.

The ACL created doesn't have a statement to be NAT exempted, nor is it applied to any interface.

nat (inside) 0 access-list inside_nat0_outbound


## Configure NAT Exempt ACL

access-list inside_nat0_outbound extended permit ip object-group ET_LOCAL object-group ET_REMOTE


object-group network ET_LOCAL

network-object host 10.x.x.x


object-group network ETS_REMOTE

network-object host 64.x.x.x

cadet alain Sun, 12/08/2013 - 23:40
User Badges:
  • Purple, 4500 points or more

Hi,

The syntax with the ACL and NAT 0 is pre-8.3 syntax.

For post-8.2, the syntax should be:

nat (inside,outside) source static ET_LOCAL ET_LOCAL destination static ETS_REMOTE ETS_REMOTE


Regards


Alain



Don't forget to rate helpful posts.
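An added example, not from the thread or from Cisco: a small Python helper that reads the old-style `nat (inside) 0 access-list` exemption together with its ACL and object-groups, emits the equivalent post-8.3 twice-NAT identity statements of the form Alain gives above, and flags any ACE that references an object-group the config never defines. The sample configuration embedded in it is constructed; it reuses the thread's group names (`ET_LOCAL`, `ETS_REMOTE`) with placeholder addresses, and `ET_MISSING` is a made-up name used only to show the undefined-group warning.

```python
"""Translate pre-8.3 ASA NAT exemption ("nat 0 access-list") into
post-8.3 twice-NAT identity statements and flag undefined object-groups.

Hypothetical helper written for this page, not Cisco's migration code.
Only object-group based ACEs are handled, which is the shape shown in
the thread; host/subnet ACEs would first need "object network" wrappers.
"""
import re
from dataclasses import dataclass, field

# Constructed sample config: thread's group names, placeholder addresses.
SAMPLE_CONFIG = """\
object-group network ET_LOCAL
 network-object host 10.1.1.10
object-group network ETS_REMOTE
 network-object host 192.0.2.10
access-list inside_nat0_outbound extended permit ip object-group ET_LOCAL object-group ETS_REMOTE
access-list inside_nat0_outbound extended permit ip object-group ET_LOCAL object-group ET_MISSING
nat (inside) 0 access-list inside_nat0_outbound
"""

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)\s*$")
ACE_RE = re.compile(
    r"^access-list (\S+) extended permit ip object-group (\S+) object-group (\S+)\s*$"
)
GROUP_RE = re.compile(r"^object-group network (\S+)\s*$")


@dataclass
class Migration:
    statements: list = field(default_factory=list)  # post-8.3 twice-NAT lines
    warnings: list = field(default_factory=list)    # problems found on the way


def migrate_nat0(config: str, egress: str = "outside") -> Migration:
    """Return twice-NAT identity statements for every nat 0 exemption.

    `egress` is the interface the tunnel terminates on; the pre-8.3 syntax
    never named it, so the caller supplies it (default "outside").
    """
    groups = set()
    aces = {}   # ACL name -> list of (src_group, dst_group)
    nat0 = []   # (ingress interface, ACL name) from "nat (if) 0 access-list"
    for raw in config.splitlines():
        line = raw.rstrip()
        if m := GROUP_RE.match(line):
            groups.add(m.group(1))
        elif m := ACE_RE.match(line):
            aces.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := NAT0_RE.match(line):
            nat0.append((m.group(1), m.group(2)))

    result = Migration()
    for ingress, acl in nat0:
        if acl not in aces:
            result.warnings.append(
                f"nat 0 references ACL {acl} but no object-group ACEs were found"
            )
            continue
        for src, dst in aces[acl]:
            # An ACE naming a group that does not exist would be rejected by
            # the ASA; report it instead of emitting a broken NAT statement.
            missing = [g for g in (src, dst) if g not in groups]
            if missing:
                result.warnings.append(
                    f"ACL {acl}: undefined object-group(s) {', '.join(missing)}"
                )
                continue
            # Identity NAT: real and mapped objects are the same on both sides.
            result.statements.append(
                f"nat ({ingress},{egress}) source static {src} {src} "
                f"destination static {dst} {dst}"
            )
    return result


if __name__ == "__main__":
    mig = migrate_nat0(SAMPLE_CONFIG)
    for s in mig.statements:
        print(s)
    for w in mig.warnings:
        print("WARNING:", w)
```

Manual (twice) NAT statements such as these land in Section 1 of the post-8.3 NAT table and are evaluated before object (auto) NAT, so the converted identity rules keep the precedence the old exemption had; run the output against a lab ASA before applying it to production.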

srikanth ath Mon, 12/09/2013 - 01:32

Hi alain,


Thanks for the response.


So, what is the purpose of the ACL (inside_nat0_outbound) for NAT exemption configured even for other tunnels in our firewall, though the hit count of that ACL is zero? If this doesn't make any sense, shall I remove it, as the only needed syntax is the nat (inside,outside) source static as you configured above?

Correct Answer
cadet alain Mon, 12/09/2013 - 02:56
User Badges:
  • Purple, 4500 points or more

Hi,

This is a relic of pre-8.3 because, as I said, this is old syntax, so I assume you migrated your config to 8.3 and this is leftover; if this is the case then you can safely delete it. Maybe as a safeguard make the ACLs inactive and verify the tunnels are OK, then you can delete them.


Regards


Alain



Don't forget to rate helpful posts.
