VPN - NAT help needed

Unanswered Question
Dec 19th, 2007
This is what I have.

Internal Network:

Outside patted interface:

ASA5520 setup for VPN.

ASA5520 gives out IP

Split-tunneling is enabled and tunnels

In the split-tunnel list I also add a public IP

I connect with the VPN and get IP which is correct.

I see that VPN has created routes for me: / 24 via / 16 via / 24 via

My objective is to access from the VPN as if it is coming from the patted ( outside interface on the firewall.

Using the VPN wizard I get an exemption for any traffic to

Keep in mind all traffic uses pat for internet access.

I try accessing on port 80 and get this.

6|Dec 19 2007|14:25:08|106015|||Deny TCP (no connection) from to flags ACK on interface outside

6|Dec 19 2007|14:25:06|302013|||Built inbound TCP connection 224060 for outside: ( to outside: ( (user)

Is there any way I can fix this without disabling split-tunneling?

Do I need some NATting somewhere?

acomiskey Wed, 12/19/2007 - 11:51

So what you are saying is that you have something like this...

static (inside,outside) 192.168.x.x netmask

If so then you will need to do something like this to your nat exemption acl...

access-list nat0 extended deny ip host 192.168.x.x

access-list nat0 extended permit ip

The problem is that the traffic from the server to the VPN client is exempted from NAT; adding the deny statement will allow it to be NATted.
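As an added illustration of the ordering acomiskey describes (not part of the original reply), here is how such a NAT-exemption ACL would look on an ASA of that era, with constructed placeholder addresses: 192.168.1.10 stands for the inside server, 203.0.113.10 for its static public mapping, 10.10.10.0/24 for the VPN client pool and 192.168.1.0/24 for the rest of the inside network. The deny line must sit above the permit line, because the ASA evaluates the ACL first-match: if the permit came first, the server-to-client flow would still be exempted and the static would never apply.

```text
! Constructed example config, not from the thread. Replace every address.
!
! Server 192.168.1.10 is published on the outside as 203.0.113.10.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
!
! NAT exemption ACL for VPN clients. Order matters (first match wins):
!   1. the published server is NOT exempt when talking to the VPN pool,
!      so its replies are translated by the static above;
!   2. everything else on the inside remains exempt toward the VPN pool.
access-list nat0 extended deny   ip host 192.168.1.10     10.10.10.0 255.255.255.0
access-list nat0 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
!
! Bind the ACL to NAT 0 on the inside interface.
nat (inside) 0 access-list nat0
```

To check that the flow is really matching the deny line rather than the permit line, watch the hit counters with `show access-list nat0` while a VPN client connects to the public address; the deny entry's hitcnt should increase and the permit entry's should not for that flow.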
