Thursday, June 16, 2011

Cisco ASA 8.3: How To Configure "No NAT'ing" For Remote-Access Clients

Ok, this is a real pain. The new 8.3 code on the ASA has changed, as
I've indicated in previous postings on this site. One of the things I'd
forgotten about is the remote-access users. I actually had a customer
of mine tell me that they could VPN in, but that they could no longer
RDP to anything. So, guess what? There is no more nonat
statement:
Pre-8.3 code:
nat (inside) 0 access-list nonat
Well now, it's going to look somewhat different. And to me, it's
absolutely almost crazy thinking. However, since they didn't ask me,
here is what I had to do:
8.3 code:
object network LOCAL_LAN                              <------ Inside Network
 subnet 192.168.10.0 255.255.255.0                    <------ Inside Network IP Range
object network REMOTE_LAN
 subnet 192.168.150.0 255.255.255.0                   <------ VPN Pool IP Range
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN
Now here is an explanation of the NAT syntax, because if you are like
me, the NAT statement makes no sense at first glance:
nat (real_interface,mapped_interface) source static [real_object] [mapped_object] destination static [real_object] [mapped_object]
Because the real and mapped objects are the same on both the source and
destination side, nothing is actually translated: that identity NAT is
what replaces the old nat 0 exemption for traffic between the inside LAN
and the VPN pool.
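To make the identity-NAT idea concrete, here is an added example (my own script, not Cisco's code and not from the original post) that generates the 8.3-style object and nat statements for an inside LAN and a VPN pool, and then parses a config text to check whether a given inside host and VPN client pair is actually exempted from translation. The object names, interface names and addresses are constructed sample values that mirror the post; the regexes cover only the subnet, host and "source static ... destination static" forms shown here.

```python
import ipaddress
import re

# Added example, not from the original post or from Cisco. It emits the ASA
# 8.3+ "no NAT" (identity twice-NAT) statements for an inside LAN and a VPN
# pool, and checks a config text for whether an inside/VPN host pair is exempt.
# Object names, interface names and addresses are constructed sample values.

OBJECT_RE = re.compile(r"^object network (\S+)\s*$")
SUBNET_RE = re.compile(r"^\s*subnet (\S+) (\S+)\s*$")
HOST_RE = re.compile(r"^\s*host (\S+)\s*$")
NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)"
)
LEGACY_NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")


def no_nat_config(inside_name, inside_cidr, pool_name, pool_cidr,
                  real_if="inside", mapped_if="outside"):
    """Return the 8.3-style object and identity-NAT lines for a LAN <-> VPN pool pair."""
    inside = ipaddress.ip_network(inside_cidr, strict=True)
    pool = ipaddress.ip_network(pool_cidr, strict=True)
    if inside.overlaps(pool):
        raise ValueError("VPN pool must not overlap the inside network")
    return "\n".join([
        f"object network {inside_name}",
        f" subnet {inside.network_address} {inside.netmask}",
        f"object network {pool_name}",
        f" subnet {pool.network_address} {pool.netmask}",
        # real == mapped on both sides: identity NAT, i.e. no translation
        f"nat ({real_if},{mapped_if}) source static {inside_name} {inside_name} "
        f"destination static {pool_name} {pool_name}",
    ])


def parse_network_objects(config):
    """Map 'object network' names to ip_network values (subnet or host forms)."""
    objects, current = {}, None
    for line in config.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        m = SUBNET_RE.match(line)
        if m:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            continue
        m = HOST_RE.match(line)
        if m:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/32")
    return objects


def identity_nat_rules(config):
    """Return (real_if, mapped_if, src_net, dst_net) for rules that translate nothing."""
    objects = parse_network_objects(config)
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        real_if, mapped_if, s_real, s_map, d_real, d_map = m.groups()
        # Exemption only when real and mapped objects are identical on both sides
        if s_real == s_map and d_real == d_map and s_real in objects and d_real in objects:
            rules.append((real_if, mapped_if, objects[s_real], objects[d_real]))
    return rules


def is_exempt(config, src_ip, dst_ip):
    """True if traffic src_ip -> dst_ip matches an identity (no-NAT) rule."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for _, _, s, d in identity_nat_rules(config))


def legacy_nat0_lines(config):
    """Pre-8.3 'nat (if) 0 access-list' lines, which 8.3+ no longer accepts."""
    return [line for line in config.splitlines() if LEGACY_NAT0_RE.match(line)]


if __name__ == "__main__":
    cfg = no_nat_config("LOCAL_LAN", "192.168.10.0/24", "REMOTE_LAN", "192.168.150.0/24")
    print(cfg)
    print("inside host -> VPN client exempt from NAT:",
          is_exempt(cfg, "192.168.10.25", "192.168.150.7"))
```

Run it and paste the printed lines into the ASA; `is_exempt` over a saved `show running-config` is a quick way to confirm that the LAN-to-pool pair really has an identity rule, since twice-NAT rules are evaluated in order and an overlapping dynamic rule placed earlier would still win.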
So, when I put this in on my customer, I could then get to what I needed
to again. All is good.