Cisco ASA NAT Exemption

Hello Po

The access list that was created identifies what traffic should be encrypted. Because the traffic does not match the ACL, it is not encrypted. So what happens to unencrypted traffic? It depends. In this particular case, that traffic will be forwarded by ASA1 and it will reach ASA2 because routing between ASA1 and ASA2 will send that traffic correctly. Now, once that traffic reaches ASA2, it will be dropped by ASA2 simply because there is no rule that allows that traffic to enter and be forwarded.

Not quite. The goal is to exempt traffic between 192.168.1.0/24 and 192.168.2.0/24 from being translated. When this happens, such traffic matches the ACL, and is encrypted and it reaches its destination. If you were to have an ACL in ASA2 that accepts such traffic, it may reach S2, but the problem is that such traffic remains unencrypted which is not what we want. It may resolve the connectivity problem, but it does not result in the scenario we want.

I hope this has been helpful!

Laz

Hello Rene,
I'm getting an error with:

ASA1(config)# crypto ikev2 enable OUTSIDE
ERROR: CTM ipsec poll ctl DU_IOCTL_RESUME_POLL ioctl failed.

Hello Raphy

Take a look at this post:

I hope this has been helpful!

Laz

Hello teams,

I had to append "no-proxy-arp route-lookup" to the command "nat (inside,outside) source static INSIDE INSIDE destination static LAN2 LAN2" (same for the second ASAv) to make it work.

Hello Yannick

If you use the IP addressing scheme as shown in the lesson, you should not need to add these two commands. It should work fine without them.

However, if you have modified the addressing scheme, you may need to add them for a couple of reasons. First of all, the no-proxy-arp keyword disables proxy ARP for that particular NAT rule. If there are overlapping subnets or certain complex network scenarios, then this command is needed to make it work.

Similarly, the route-lookup keyword instructs the ASA to force a route lookup to determine the egress interface instead of using the interface specified by the NAT rule. By default, the ASA uses the OUTSIDE interface defined in the NAT rule. If you are connecting the ASAs via another interface, then this may be why this keyword was necessary.

In any case, take a look at your config again to verify that there is no IP address overlap, and that the proper interfaces are being referenced in your NAT rules...

I hope this has been helpful!

Laz
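To tie the NAT exemption discussion together with the keywords Yannick mentioned, here is an added ASA configuration and verification fragment. It is not the lesson's own config or anything posted in this thread; it assumes the nameifs inside/outside, the object names INSIDE and LAN2 from the thread, and that 192.168.1.0/24 sits behind ASA1 and 192.168.2.0/24 behind ASA2.

```cisco
! Added example, not the lesson's or the posters' config. Assumes nameifs
! "inside"/"outside" and the object names INSIDE and LAN2 from the thread.
object network INSIDE
 subnet 192.168.1.0 255.255.255.0
 ! Object (auto) NAT: ordinary Internet-bound traffic is PAT'd to the
 ! outside address. On its own this rule also translates site-to-site
 ! traffic, so it no longer matches the crypto ACL, leaves in cleartext,
 ! and is dropped by ASA2 because nothing permits it inbound on outside.
 nat (inside,outside) dynamic interface
object network LAN2
 subnet 192.168.2.0 255.255.255.0
!
! NAT exemption: a twice (manual) NAT identity rule. Manual NAT is in
! section 1 and is evaluated before the object NAT above, so traffic
! between the two LANs keeps its real addresses and matches the crypto ACL.
nat (inside,outside) source static INSIDE INSIDE destination static LAN2 LAN2
!
! Variant from Yannick's post. Only needed with a modified addressing
! scheme: no-proxy-arp stops the ASA answering ARP for the mapped
! addresses, route-lookup makes it pick the egress interface from the
! routing table instead of the interface named in the rule.
! nat (inside,outside) source static INSIDE INSIDE destination static LAN2 LAN2 no-proxy-arp route-lookup
!
! Crypto ACL for the site-to-site tunnel, written against the
! untranslated (real) addresses.
access-list VPN_TRAFFIC extended permit ip object INSIDE object LAN2
!
! Verification (from enable mode): the NAT phase must show the identity
! rule being hit, and a VPN phase must appear with ALLOW. If the PAT rule
! is hit instead, the exemption is missing or ordered after it.
packet-tracer input inside tcp 192.168.1.10 1234 192.168.2.10 80 detailed
show nat
show crypto ipsec sa
```

The sample hosts 192.168.1.10 and 192.168.2.10 used in the packet-tracer command are constructed for the check; substitute real hosts from each LAN.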

Hello Laz,

Thanks for the explanation.
I didn't change anything on my config but now it works well without no-proxy-arp route-lookup. Sometimes it's good to shutdown/clear everything (like bgp...), thanks again.
