VPN issue on ASA

Aug 1st, 2007

I am trying to configure a remote access vpn on a PIX ASA (8.x code). The ASA also has a site to site vpn terminating to it. I've got the remote subnet that comes in over the site to site tunnel working so that there is no NAT when talking to the inside subnet off the ASA. However, I'm also trying to bypass NAT for the remote access subnet (assigned ip's through a pool). Near as I can tell when I successfully connect via the Cisco VPN client, I cannot communicate with the inside subnet off the ASA. When I issue a ping from the vpn client to a host on the inside of the ASA, I can see the reply come back from the host but instead of bypassing NAT on the ASA, it gets translated to the outside interface address (as if it was the inside host initiating a connection to the outside world). I've never set up an ASA to do both site to site and remote access, so I've probably messed something up. Like I said, the site to site connection works fine, it's the remote access that fails to bypass NAT. I'm attaching the config. Any help is appreciated.

srue Wed, 08/01/2007 - 04:29

no crypto map mcmap 22 ipsec-isakmp dynamic dyn1

crypto map mcmap 1 ipsec-isakmp dynamic dyn1

dynamic map entries should be on top in priority sequence.

Also, I don't think you need to set reverse-route because you're not running rip or ospf on the firewall so it doesn't really matter (although I don't think it's hurting anything).

And per the other poster below, change your vpn pool and the corresponding nonat acl entry - that's definitely not helping.

mattiaseriksson Wed, 08/01/2007 - 04:30

Why are you using addresses from the GigabitEthernet0/2 interface for the vpn pool?

And you should not use the nonat ACL for the L2L tunnel, create a new one that only defines the tunnel traffic and not the remote vpn pool.

matthewmphc Wed, 08/01/2007 - 05:15

thanks both for the replies. Ok, I changed the pool to a network. But if I change the L2L tunnel nat, how do I also do a separate NAT 0 for the remote access tunnel. I can only put in one nat 0 statement. I need the L2L tunnel subnet ( to access the inside without NAT, and I need the remote access tunnel subnet ( to access the inside without NAT. How do I accomplish this? thanks again

srue Wed, 08/01/2007 - 05:22

leave your nonat statement alone for the L2L tunnel. its fine.

ahsankhan Wed, 08/01/2007 - 09:21

I see a problem with nonat acl subnet,

access-list nonat extended permit ip

inside interface has subnet of

matthewmphc Wed, 08/01/2007 - 09:51

Thanks, I corrected it but the remote access vpn is still not working. Looks like when the vpn client initiates a connection inside I see it happen in the logs, but when the response comes back its getting PAT'd to the interface address.

what I don't understand is how does the remote access vpn know not to NAT? With the L2L vpn, you define the "match" statement and tell it to use the nonat acl.

mattiaseriksson Thu, 08/02/2007 - 02:39


Your NAT related config should look like this:

access-list nonat extended permit ip

access-list nonat extended permit ip

access-list l2l_vpn extended permit ip

crypto map mcmap 21 match address l2l_vpn

no crypto map mcmap 21 match address nonat


global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1

Do not forget to issue "clear xlate" after any change to NAT config.
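Putting the advice from srue's and mattiaseriksson's replies together, here is a complete ASA 8.0/8.2 (pre-8.3 NAT model) fragment showing the pattern: one nonat ACL with a line per remote network, a separate crypto ACL for the L2L match statement, a remote-access pool on its own subnet, and the dynamic crypto map entry. This is an added example, not the original poster's config or any reply's exact text. All addresses and names are placeholders: inside LAN 10.1.1.0/24, L2L remote LAN 10.2.2.0/24, remote-access pool 10.3.3.0/24, L2L peer 203.0.113.10, transform set and tunnel-group names chosen for illustration.

```cisco
! Added example config (placeholders, not the thread's real addresses):
!   inside LAN        10.1.1.0/24
!   L2L remote LAN    10.2.2.0/24
!   remote-access pool 10.3.3.0/24 (its own subnet, not carved from an interface network)
!   L2L peer          203.0.113.10

! Remote-access pool on a dedicated subnet
ip local pool ra_pool 10.3.3.1-10.3.3.254 mask 255.255.255.0

! NAT exemption: one ACL, one line per remote network that must reach the inside untranslated.
! Both the L2L remote LAN and the RA pool are listed here; this is the only nat 0 ACL you get.
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0

! Crypto ACL for the L2L tunnel ONLY. Do not reuse nonat here: if the crypto map matched
! the nonat ACL, traffic to the RA pool would become "interesting traffic" for the static peer.
access-list l2l_vpn extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! NAT: exemption first (nat 0), then PAT to the outside interface for everything else
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! Dynamic map for remote-access clients (peer address not known in advance)
crypto dynamic-map dyn1 10 set transform-set ESP-AES-SHA

! Static entry for the L2L peer
crypto map mcmap 21 match address l2l_vpn
crypto map mcmap 21 set peer 203.0.113.10
crypto map mcmap 21 set transform-set ESP-AES-SHA

! Dynamic entry with the highest sequence number, so the static L2L entry is evaluated first
crypto map mcmap 65535 ipsec-isakmp dynamic dyn1
crypto map mcmap interface outside

! L2L tunnel group (pre-shared key is a placeholder)
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key L2L-PSK-PLACEHOLDER

! Remote-access tunnel group handing out the pool
group-policy ra_policy internal
tunnel-group ra_group type remote-access
tunnel-group ra_group general-attributes
 address-pool ra_pool
 default-group-policy ra_policy
tunnel-group ra_group ipsec-attributes
 pre-shared-key RA-PSK-PLACEHOLDER

! Existing translations survive a NAT change; flush them so the new nat 0 rule applies
clear xlate
```

Two checks are worth running after applying this. First, `packet-tracer input inside icmp 10.1.1.10 8 0 10.3.3.5` (with the placeholder addresses substituted) should show the NAT phase hitting `nat (inside) 0 access-list nonat`; if it hits the `nat (inside) 1` PAT rule instead, the pool subnet is missing from or mistyped in the nonat ACL, which is exactly the symptom described in the thread. Second, `show crypto ipsec sa` for the L2L peer should list only the l2l_vpn proxy identities, not the RA pool. One ordering caveat: Cisco's documented guidance is to give the dynamic crypto map entry the lowest priority (highest sequence number) so that static L2L entries are matched first; static entries are also selected by peer address, which is why a dynamic entry placed at sequence 1 often still works in practice. On ASA 8.3 and later the `nat (inside) 0 access-list` form no longer exists, and the same exemption is expressed as an identity twice-NAT rule (`nat (inside,outside) source static ... destination static ...`) for each remote network.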

matthewmphc Thu, 08/02/2007 - 09:16

Thank you for your assistance. It is now working fine. My mistake apparently was not creating a separate acl for the L2L match statement in the crypto map.
