Thanks. I am using 8.3+ and already figured out the NAT Exemption part. I need that for some hosts, not entire networks as shown in the document. What it does not show is how to NAT Exempt some hosts, and PAT all the remaining traffic.
That's exactly what the example does. The Exemption only works when an internal host tries to reach the remote VPN-address. Everything else is translated by your remaining NAT-rules. And don't forget that NAT-Exemption is basically a routing-function and not an access-control-function.
I thought your PAT was already running and you only have problems with the Exemption ...
Here is an example of how I do it on my personal ASA:
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
nat (any,outside) source static any any destination static RFC1918 RFC1918 description NAT-Excempt for VPN
nat (any,outside) after-auto source dynamic any interface
I use this object-group because I know that all my VPN-destinations are in the RFC1918-range and they shouldn't be NATted.
The NAT-rules are processed from top to bottom. So when a packet comes from any interface and gets routed out the outside interface, it is compared against the two rules. In the first rule we have a source of any and a destination of RFC1918, which can only be VPN traffic. The NAT is exempted as the translated address is the same as the real address in the rule. If the traffic doesn't match, then the next rule is compared, where I only match on the source of any. That traffic is translated to the interface-IP of my ASA.
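The first-match, top-to-bottom evaluation described in the post above, as an added Python model (not part of the thread and not ASA's own logic). It also covers the case asked about at the top of the thread, exempting only some hosts and PATing everything else; the host addresses, the remote VPN network 10.20.0.0/16 and the outside IP 203.0.113.1 are constructed values.

```python
import ipaddress
from dataclasses import dataclass

# Simplified model: matches on source/destination address only and ignores
# interfaces, ports and routing. All addresses below are constructed samples.
ANY = [ipaddress.ip_network("0.0.0.0/0")]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXEMPT_HOSTS = [ipaddress.ip_network(h + "/32")
                for h in ("192.168.1.10", "192.168.1.11")]  # hypothetical hosts
REMOTE_VPN = [ipaddress.ip_network("10.20.0.0/16")]         # hypothetical peer LAN
OUTSIDE_IP = "203.0.113.1"                                  # hypothetical interface IP


@dataclass
class NatRule:
    name: str
    sources: list   # real source networks
    dests: list     # destination networks
    action: str     # "identity" (exempt) or "pat" (translate to interface)


def _member(addr, nets):
    return any(addr in net for net in nets)


def translate(rules, src, dst, outside_ip=OUTSIDE_IP):
    """Return (matching rule name, translated source) using first-match order."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if _member(s, rule.sources) and _member(d, rule.dests):
            return rule.name, (src if rule.action == "identity" else outside_ip)
    return "no-match", src


# The two rules from the post: exempt any -> RFC1918, then PAT the rest.
POSTED = [NatRule("exempt", ANY, RFC1918, "identity"),
          NatRule("pat", ANY, ANY, "pat")]
# Host-scoped variant: only the listed hosts are exempted towards the VPN peer.
HOST_SCOPED = [NatRule("exempt", EXEMPT_HOSTS, REMOTE_VPN, "identity"),
               NatRule("pat", ANY, ANY, "pat")]
# Wrong order: the PAT rule sits first and shadows the exemption.
SHADOWED = list(reversed(HOST_SCOPED))

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("host-scoped", HOST_SCOPED),
                         ("shadowed", SHADOWED)):
        for src in ("192.168.1.10", "192.168.1.50"):
            for dst in ("10.20.0.5", "198.51.100.7"):
                print(label, src, "->", dst, translate(rules, src, dst))
```

In the host-scoped set, a non-listed host that sends traffic towards the VPN peer is PATed to the interface address, so it no longer matches a tunnel defined on real addresses; in the shadowed set every packet is PATed because the exemption is never reached.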