Stumped...5505 NAT issue

Unanswered Question
Jun 5th, 2007

I'm going to go bald early if I don't ask for a hint with this one.

Here is my config:

sho run

: Saved


ASA Version 7.2(2)22


hostname 5505


enable password xxx



interface Vlan1

nameif inside

security-level 100

ip address


interface Vlan2

nameif outside

security-level 0

ip address


interface Ethernet0/0

switchport access vlan 2


interface Ethernet0/1


interface Ethernet0/2


interface Ethernet0/3


interface Ethernet0/4


interface Ethernet0/5


interface Ethernet0/6


interface Ethernet0/7


passwd xxx

ftp mode passive

dns server-group DefaultDNS


access-list traffic extended permit ip any any

access-list traffic extended permit icmp any any

access-list nonat extended permit ip any

access-list 100 extended permit ip any

pager lines 24

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list nonat

nat (inside) 10 tcp 5000 500 udp 5000

access-group traffic in interface inside

route outside 1

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 1 match address 100

crypto map outside_map 1 set peer

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 1 set reverse-route

crypto map outside_map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

pre-shared-key *

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd dns


dhcpd address inside

dhcpd enable inside



class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp


service-policy global_policy global

prompt hostname context


: end


The other end is a 5510.

Goal - ping accross the VPN tunnel between hosts at each end.

Problem - pings are only succesful after removing the following command: nat (inside) 10 tcp 5000 500 udp 5000

The problem with that is after the command is removed I can no longer browse the web from the inside.

I believe the problem lies with the incomming packets...the ASDM shows a NAT error. The strange part is that the 5510 has the same NAT rules are works fine....heck, I have an ASA 5510 in the field with the same rules that is working fine.

I don't get it.

Thanks in advance.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)


This Discussion