VPN Client on the inside of ASA

lalsingh
Level 1

I have an ASA 5510 with multiple site-to-site VPNs. I have these global and NAT statements

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

This is working fine as is.

I need to load an ATT VPN client on an inside PC to access a number of servers on the ATT network. They have given me a list of ports and servers that this client needs to access. See my config (access-list 110) in the attached file asaconfig.

Seems like in addition to the access list I need a static translation for the PC running the VPN client and these ports should be open to that translated address. As soon as I add the static translation for the inside PC (192.168.1.32 to 64.185.19.13) this inside PC stops being able to access the internet. I have tried adding a second global pool -

global (outside) 102 64.185.19.13-64.185.19.14 and a nat (inside) 102 192.168.1.32 255.255.255.255, but this still does not allow outside access.

Am I wrong in thinking I need a static translation and why does Internet access cease after the translation?
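As an added illustration that is not part of the original post: a small model of the ASA 8.2 NAT order of operations (static before regular dynamic NAT, longest prefix match among regular dynamic NAT statements) applied to the statements quoted above, so you can see which translation the firewall picks for the VPN-client PC in each of the three configurations tried. It assumes the PC is not matched by the inside_nat0_outbound exemption ACL (its contents are not in the thread), and the ASA lines below are constructed from the post with normalised spacing.

```python
import ipaddress

# Constructed from the thread's own NAT statements (ASA 8.2-style syntax).
ASA_LINES = [
    "global (outside) 101 interface",
    "nat (inside) 0 access-list inside_nat0_outbound",   # exemption ACL not evaluated (contents unknown)
    "nat (inside) 101 0.0.0.0 0.0.0.0",
    "static (inside,outside) 64.185.19.13 192.168.1.32 netmask 255.255.255.255",
    "global (outside) 102 64.185.19.13-64.185.19.14",
    "nat (inside) 102 192.168.1.32 255.255.255.255",
]

def parse(lines):
    """Split ASA lines into static entries, regular dynamic NAT statements and global pools."""
    statics, dynamic, pools = [], [], {}
    for line in lines:
        parts = line.split()
        if parts[0] == "static":
            # static (real_if,mapped_if) mapped real netmask mask
            statics.append((ipaddress.ip_address(parts[3]), ipaddress.ip_address(parts[2])))
        elif parts[0] == "nat" and parts[2] != "0":
            # nat (if) id real_net real_mask  -> regular dynamic NAT
            net = ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False)
            dynamic.append((int(parts[2]), net))
        elif parts[0] == "global":
            # global (if) id pool  -> pool is "interface" or an address range
            pools[int(parts[2])] = parts[3]
    return statics, dynamic, pools

def translate(host, lines):
    """Return (kind, mapped) for an inside host per the ASA 8.2 order of operations:
    a matching static wins over any regular dynamic NAT; among regular dynamic NAT
    statements the most specific (longest prefix) real-address match wins."""
    host = ipaddress.ip_address(host)
    statics, dynamic, pools = parse(lines)
    for real, mapped in statics:
        if real == host:
            return ("static", str(mapped))
    matches = [(net.prefixlen, nat_id) for nat_id, net in dynamic if host in net]
    if not matches:
        return ("none", None)  # no translation: dropped if nat-control is enabled
    _, nat_id = max(matches)
    return ("dynamic", pools.get(nat_id, "no matching global"))

if __name__ == "__main__":
    print(translate("192.168.1.32", ASA_LINES[:3]))  # original config: interface PAT
    print(translate("192.168.1.32", ASA_LINES))      # with the static: 64.185.19.13
    print(translate("192.168.1.32", ASA_LINES[:3] + ASA_LINES[4:]))  # pool 102 attempt
```

The model only decides which translation applies; whether the ISP actually routes 64.185.19.13 back to the outside interface is a separate check the thread does not cover.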

4 Replies

onlyabhishek007
Level 1

Hi,

When you configured static NAT for the PC, the PC will be able to access the internet from inside to outside, but it needs outside-to-inside access through an access-list.

Thanks for the reply.

I tried that. I did the static nat -

static(inside,outside) 64.185.19.13 192.168.1.32 netmask 255.255.255.255

and

access-list 110 extended permit ip any host 64.185.19.13 (for testing purposes.)

This is an existing outside-to-inside access list. With these two commands the PC with internal IP 192.168.1.32 is unable to access the internet.

Don't mix up the things. Earlier you wanted to access inside to DMZ and vice versa.

Just do it step by step.

First verify that your PIX has a default route and ping the ISP from the PIX. Then from the client ping the PIX inside interface.

Then configure the static; there is no need to configure an access-list for Internet access.

Give the client the DNS address of the ISP if you have no local DNS. Try with the ISP-provided DNS on the client PC.

If that does not work then do it with NAT:

nat (inside) 1 0 0

global(outside) 1 interface

ip route 0.0.0.0 0.0.0.0 outside

clear arp

clear xlate

sh xlate

sh conn

This is a simple configuration; it should work both with static or NAT.

Try this and then let me know.

I believe this was a response to someone else's issue.

I have an ASA with a number of site-to-site VPN connections. Inside clients can access the Internet fine. Site-to-site VPN connections are working fine. I want to use an ATT VPN client from inside to access a number of AT&T servers. (Ports 709 for CA server, ESP for IPsec auth, etc.) AT&T does not support UDP encapsulation or NAT-T.

I have tried doing a static translation for the inside PC that has the AT&T client loaded and then allowing all IP traffic in to that public translated IP. (I have also allowed protocols 50 and 51.) The result is this PC is now unable to access anything outside. I remove the static and outside access is restored.