Could you elaborate on your last sentence about the static one-one translations from the client pc. I don't quite understand. Thank you very much.

it may not apply in your case, but will give you an example, we have clients where we have to vpn into their DMZs to give them support in our products, these outside clients only allow specific public IPs into their DMZ, so what we have is VMs server as our vpn client machines each with unique one-to-one local to public NAT translations, the othe end only allows these public IPs. In other words the other side is not wide opened to any other IPs from our public block or any other blocks, that is what I meant on the " verify one to one nat translation" .

Rgds

Jorge

Thanks for your help and patience Jorge! I did manage to get the AT&T VPN Client to work.

I need to read up on NAT to fully understand its function. Thanks again and have a good day!

Randy, I am glad you got all resolved.. you are always wellcome.

Here are two very good links on NAT/PAT

ALL NAT scenarios, config examples on NAT IOS or PIX/ASA.

http://www.cisco.com/en/US/tech/tk648/tk361/tk438/tsd_technology_support_sub-protocol_home.html

Q&A on NAT

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml#intro

Rgds

Jorge

I spoke too soon about the NAT. In order for the AT&T VPN to work I needed the following Static NAT statement:

STATIC (inside,outside) interface 172.16.3.31 netmask 255.255.255.252 tcp 0 0 udp 0

When I issue this statement I get a warning

"all services terminating at outside interface are disabled interface"

The VPN client works but my VPN clients can no longer connect. If I remove the STATIC NAT command it fixes my VPN clients but breaks the AT&T VPN from 172.16.3.31

This sounds like a nat-traversal problem. Does your AT&T Client and remote peer support nat-t?

When you create that static you can no longer peer to your outside interface for your outside vpn clients, but you are able to connect with the AT&T client because nat-t is not required when you are not pat'ing. Do you have any more public addresses?

Forgive my stupidity but I know just enough to be dangerous when it comes to our ASA5510 and setting it up. We only have one public ip address given to us by our ISP (Stratus Wave). I created a group object on the ASA that contains all the ip addresses given to me by the AT&T VPN people (GIGS?) I allowed ESP traffic on the outside interface using an ACL. My problem is getting the correct STATIC NAT command to accomodate the traffic for the AT&T VPN but to allow my outside VPN clients to still connect. Hope this helps!

Yes, this is what I understood.

For esp packets to go through nat you either have to use a 1 to 1 static which you did above using your outside interface or use nat-traversal. If the AT&T client or the peer which the AT&T clients are connecting to do not support nat-t, then you would have to use a 1 to 1 static so the clients are not natted. The problem with that for you is that you only have 1 public ip address, the outside interface address of your ASA. Therefore, when you create that static, any traffic directed to the outside interface address, your outside vpn clients for example, will not work as this traffic is being forwarded to the host in your static statement. Hope that makes more sense.

Thank you for clarifying. It makes perfect sense in how you worded it. I'm not familiar with nat-traversal and how to implement it though.

I verified from AT&T that their VPN does in fact support nat-t and it is turned ON in their client. Can you help me implement this using our ASA5510? Thank you!

You don't need to do anything on the ASA for outgoing vpn's. For incoming VPNs to the ASA you can enable nat-t with the command "crypto isakmp nat-traversal". You may very well already have it in there since you're not having issues with the inbound vpn clients. Maybe nat-t isn't your issue, but it sure sounded like it.

Do you want to post a sanitized config from the ASA?

edit: The important thing for nat-t in your ASA is to allow udp 4500 outbound, which it looks like you've already done.