VPN Client on the inside of ASA

Unanswered Question
Mar 5th, 2008

I have an ASA 5510 with multiple site-to-site VPNs. I have these global and NAT statements

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

This is working fine as is.


I need to load an ATT VPN client on an inside PC to access a number of servers on the ATT network. They have given me a list of ports and servers that this client needs to access. See my config (access-list 110) in the attached file - asaconfig.


Seems like in addition to the access list I need a static translation for the PC running the VPN client and these ports should be open to that translated address. As soon as I add the static translation for the inside PC (192.168.1.32 to 64.185.19.13) this inside PC stops being able to access the internet. I have tried adding a second global pool -

global (outside) 102 64.185.19.13-64.185.19.14 and a nat (inside) 102 192.168.1.32 255.255.255.255 but this still does not allow outside access.


Am I wrong in thinking I need a static translation and why does Internet access cease after the translation?



onlyabhishek007 Thu, 03/06/2008 - 01:25
Hi,

When you configured the static NAT for the PC, the PC will be able to access the Internet from inside to outside. But it needs outside-to-inside access through an access-list.

lalsingh Thu, 03/06/2008 - 14:32

Thanks for the reply.


I tried that. I did the static nat -


static (inside,outside) 64.185.19.13 192.168.1.32 netmask 255.255.255.255

and

access-list 110 extended permit ip any host 64.185.19.13 (for testing purposes.)

This is an existing outside-to-inside access list. With these two commands the PC with internal IP 192.168.1.32 is unable to access the internet.

wasiimcisco Thu, 03/06/2008 - 16:02

Don't mix up the things. Earlier you wanted to access inside to DMZ and vice versa.


Just do it step by step.


First verify that your PIX has a default route and ping the ISP from the PIX. Then from the client ping the PIX inside interface.


Then configure the static; there is no need to configure an access-list for Internet access.


Give the client the DNS address of the ISP if you have no local DNS. Try with the ISP-provided DNS on the client PC.


If that does not work, then do it with NAT:


nat (inside) 1 0 0

global (outside) 1 interface


route outside 0.0.0.0 0.0.0.0 <isp-gateway>
! ASA/PIX default route syntax; <isp-gateway> is a placeholder for the ISP next-hop address



clear arp

clear xlate

sh xlate

sh conn


This is a simple configuration; it should work with either static or NAT.


Try this and then let me know.

lalsingh Fri, 03/07/2008 - 07:07

I believe this was a response to someone else's issue.


I have an ASA with a number of site-to-site VPN connections. Inside clients can access the Internet fine. Site-to-site VPN connections are working fine. I want to use an ATT VPN client from inside to access a number of AT&T servers. (Ports 709 for CA server, ESP for IPsec auth, etc.) AT&T does not support UDP encapsulation or NAT-T.


I have tried doing a static translation for the inside PC that has the AT&T client loaded and then allowing all IP traffic in to that public translated IP. (I have also allowed protocol 50 and 51.) The result is this PC is now unable to access anything outside. I remove the static and outside access is restored.
