Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
485
Views
0
Helpful
3
Replies

Multihomed - Bothway Static NAT

kevindickerson
Level 1
Level 1

‎09-17-2007 01:28 AM - edited ‎03-03-2019 06:47 PM

Hi All,

The situation is I have one VPN concentrator (ASA5505) which is connected through to a 2811, this in turn has 4 ADSL links, there are four sites which connect in to a specific ADSL line on the 2811. I have been able to successfully configure NAT for out bound connections so that connections from the ASA going to site 1 will go out via ADSL link 1 and connections from the ASA goign to site 2 will go out via ADSL link 2. However I have been having difficulties with either site1 or site2 being able to connect back to the ASA, the 2811 is not doing the reverse translation.

We know that the configuration of the ASA's at each end are correct as previously we had a 877 for each ADSL at the main site. But since terminating each ADSL link onto a single 2811 this is where the problems have started.

I have attached the relevant configuration for the router.

Any help would be appreciated.

Labels:
Preview file
2 KB
0 Helpful
3 Replies 3

lgijssel
Level 9
Level 9

‎09-17-2007 03:26 AM

This is because the NAT translation must exist before inbound traffic can be translated.

You will need different static translations to initialize the sessions:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110c03.html#wp1027195

This also means that the VPN sessions cannot terminate on the same ip adress. You will have to assign a unique source adress on the ASA for each session. I have been trying to find info on this but have not been successfull.

I know that the ASA will accept all ip's in the outside subnet but I never tried to terminate a vpn to another adress than the interface. You should try that out yourself.

And another probably helpful link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807fbdc8.shtml

regards,

Leo

0 Helpful

a.alekseev
Level 7
Level 7

‎09-17-2007 03:29 AM

>However I have been having difficulties with either site1 or site2 being able to connect back to the ASA, the 2811 is not doing the reverse translation.

It is not possible if you use "overload" in nat configuration.

0 Helpful

kevindickerson
Level 1
Level 1
In response to a.alekseev

‎09-17-2007 03:48 AM

Unfortunately I do not appear to be able to remove the overload option as the IOS always addeds it back in even if it hasn't been added.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card