Question : Cisco ASA Clientless SSL VPN: NAT exempt on same IP range

Below is from another Expert member:

1) With normal cisco client VPN the IP address pool is a pool of IP addresses which are on a separate logical network than the ip addresses used internally. In this example they are using IP addresses within the inside interface IP range.

2) I have to add a nat exclusion for the IP address pool I was using even though I followed the example and used IP addresses belonging to the inside interface IP range. The cisco example did not show this.


I am confused about:

For 1)
In the case of Clientless SSL VPN, is it a requirement to define a separate VPN IP pool?
What happens if you don't define a separate VPN IP pool?
Does it use the default Inside interface IP range if you don't define a separate VPN IP pool?

For 2)
Can I define a NAT exclusion even though the IP address of the Clientless SSL VPN used belongs to the Inside interface IP range?

e.g. Inside interface IP range = 192.168.1.0 255.255.255.0
If I don't define a separate VPN IP pool then (assuming this works) can I define a NAT exclusion similar to

access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no_nat

?

Many thanks

Answer : Cisco ASA Clientless SSL VPN: NAT exempt on same IP range

Yes, you can simplify with this:

access-list no_nat permit ip any 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no_nat

Or even simpler:
no nat-control

You also have to make sure that proxyarp is enabled on the inside interface. I typically disable it on inside.

I don't think the clientless vpn actually gets any IP address. Everything is through the ssl portal, unless you're talking about the downloadable client.
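The thread's underlying point is that a VPN pool carved out of the inside subnet still needs a nat (inside) 0 exemption so inside-to-client traffic is not translated. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses a constructed ASA config (interface name Vlan1, pool name SSLPOOL and its range are assumed values) and reports, per pool, whether it overlaps the inside subnet and whether a nat-0 ACL entry covers inside-to-pool traffic. It understands only "permit ip" entries with "any" or network/mask addresses.

```python
import ipaddress

# Constructed sample config modelled on the thread: a pool carved out of the
# inside subnet plus the nat-0 exemption ACL the question proposes.
SAMPLE_CONFIG = """
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
ip local pool SSLPOOL 192.168.1.200-192.168.1.210 mask 255.255.255.0
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no_nat
"""

def _acl_addr(tokens, i):
    """Consume one ACL address spec ('any' or 'network mask') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_config(text):
    """Extract the inside subnet, VPN pools, nat-0 ACL names and ACL entries."""
    inside, cur_if, pools, nat0, acls = None, None, {}, set(), {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":
            cur_if = t[1]
        elif t[:2] == ["ip", "address"] and cur_if == "inside":
            inside = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "access-list" and "permit" in t and t[t.index("permit") + 1] == "ip":
            src, i = _acl_addr(t, t.index("permit") + 2)
            dst, _ = _acl_addr(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif len(t) > 4 and t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0.add(t[4])
    return inside, pools, nat0, acls

def check_pools(text):
    """Per pool: does it overlap the inside subnet, and is inside->pool traffic
    covered by an entry of an ACL referenced by nat (inside) 0?"""
    inside, pools, nat0, acls = parse_config(text)
    result = {}
    for name, (lo, hi) in pools.items():
        overlaps = lo in inside or hi in inside
        exempt = any(inside.subnet_of(src) and lo in dst and hi in dst
                     for acl in nat0 for src, dst in acls.get(acl, []))
        result[name] = {"overlaps_inside": overlaps, "nat_exempt": exempt}
    return result
```

A pool flagged overlaps_inside without nat_exempt is the situation the question describes; proxy ARP on the inside interface is a separate requirement the checker does not cover.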