Cisco ASA NAT – ‘sh run global’ and ‘sh run nat’ Yield No Output

ciscocisco-asanat;vpn

As the topic says, I'm investigating NAT on a clients ASA – it's running old 7.2 train code – I execute 'sh run global' and 'sh run nat' – the latter command only returns a single nat 0 line.

When I do a 'sh run | b static' (which I thought would've shown up under one of the previous two commands!) I get a long list of policy based nat in the format of 'static (outside,inside) x.x.x.x access-list ' Which is what I would expect to have seen from one of those previously attempted commands.

What commands need to be run to see everything involving nat on a 7.2 ASA? I am not seeing any kind of DST nat (which I expect in this particular case) for the tunnel I'm looking at, but yet the tunnel is up and passing traffic, so it's happening somewhere!

Thank you in advance!

Best Answer

show global
show nat
show static
show conduit (unless you've switched to ACLs)

Of course, that's going to be 90% of the entire configuration anyway. (more if pdm isn't enabled, thus flooding the config with pdm location ...)

Related Solutions

Cisco ASA 5506-X – Site-to-Site VPN Tunnel – Fixing Return Traffic Drops

You won't be able to test a VPN using packet-tracer from remote to local, a drop is expected if you do so. I believe it's due to the expectation that the traffic would be encrypted, receiving an unencrypted packet (even through simulation) is dropped per security. (if I can get it set up on my lab, I'll test this out as well.) EDIT tested in lab as well, sourcing from remote will drop when testing VPN. If anyone else has had a different experience, please let me know.

Cisco ASA – Resolving NAT/ACL Issues Across EZVPN

Here's the solution after a lot of pounding my head against this problem: 1) Take out the nat statements at Location B since they interfere with the VPN tunnel:

nat (inside,outside) source static Location_B_Networks Location_B_Networks destination static Location_A_Networks Location_A_Networks no-proxy-arp route-lookup
nat (inside,outside) source static Location_B_Networks Location_B_Networks destination static Remote_DMZ Remote_DMZ no-proxy-arp route-lookup

2) Keep the DMZ statement in the split tunnel ACL:

access-list ezvpn_split extended permit tcp object-group DMZ_Servers object (location B)-remote_network

3) I had the access list entry switch around for no good reason. It was this:

access-list dmz_access_in extended permit tcp object (location B)-remote_network object-group DMZ_Servers eq https

when it should have been this:

access-list dmz_access_in extended permit tcp object-group DMZ_Servers object (location B)-remote_network eq https

Best Answer

Related Solutions

Cisco ASA 5506-X – Site-to-Site VPN Tunnel – Fixing Return Traffic Drops

Cisco ASA – Resolving NAT/ACL Issues Across EZVPN

Related Topic