03-05-2008 03:19 PM
I have an ASA 5510 with multiple site-to-site VPNs. I have these global and NAT statements
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
This is working fine as is.
I need to load an ATT VPN client on an inside PC to access a number of servers on the ATT network. They have given me a list of ports and servers that this client needs to access. See my config (access-list 110) in the attached file, asaconfig.
Seems like in addition to the access list I need a static translation for the PC running the VPN client, and these ports should be open to that translated address. As soon as I add the static translation for the inside PC (192.168.1.32 to 64.185.19.13) this inside PC stops being able to access the internet. I have tried adding a second global pool -
global (outside) 102 64.185.19.13-64.185.19.14
and a
nat (inside) 102 192.168.1.32 255.255.255.255
but this still does not allow outside access.
Am I wrong in thinking I need a static translation, and why does Internet access cease after the translation?
03-06-2008 01:25 AM
Hi,
When you configure static NAT for the PC, the PC will be able to access the Internet from inside to outside, but it needs outside-to-inside access through an access-list.
03-06-2008 02:32 PM
Thanks for the reply.
I tried that. I did the static NAT -
static (inside,outside) 64.185.19.13 192.168.1.32 netmask 255.255.255.255
and
access-list 110 extended permit ip any host 64.185.19.13 (for testing purposes.)
This is an existing outside-to-inside access list. With these two commands the PC with internal IP 192.168.1.32 is unable to access the internet.
03-06-2008 04:02 PM
Don't mix up the things. Earlier you wanted to access inside to DMZ and vice versa.
Just do it step by step.
First verify that your PIX has a default route and ping the ISP from the PIX. Then from the client ping the PIX inside interface.
Then configure static; no need to configure an access-list for Internet access.
Give the client the DNS address of the ISP if you have no local DNS. Try with the ISP-provided DNS on the client PC.
If that does not work then do it with NAT:
nat (inside) 1 0 0
global (outside) 1 interface
ip route 0.0.0.0 0.0.0.0 outside
clear arp
clear xlate
sh xlate
sh conn
This is a simple configuration; it should work both with static or NAT.
Try this and then let me know.
03-07-2008 07:07 AM
I believe this was a response to someone else's issue.
I have an ASA with a number of site-to-site VPN connections. Inside clients can access the Internet fine. Site-to-site VPN connections are working fine. I want to use an ATT VPN client from inside to access a number of AT&T servers. (Port 709 for the CA server, ESP for IPsec auth, etc.) AT&T does not support UDP encapsulation or NAT-T.
I have tried doing a static translation for the inside PC that has the AT&T client loaded and then allowing all IP traffic in to that public translated IP. (I have also allowed protocols 50 and 51.) The result is this PC is now unable to access anything outside. I remove the static and outside access is restored.
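Added example, not from any post in this thread: a small Python model of the classic ASA 7.x/8.2 translation precedence (NAT exemption, then static, then dynamic nat/global) applied to the statements quoted above. It assumes a remote VPN subnet of 10.10.0.0/16 for inside_nat0_outbound and a constructed public destination; it shows that once the static is added, the PC's outbound Internet traffic is sourced from the static mapped address rather than the interface PAT, which is the translation to check on the outside (sh xlate, ISP routing/ARP for 64.185.19.13).

```python
import ipaddress

# Constructed from the NAT statements quoted in the thread (classic ASA syntax).
# Classic ASA translation order for an outbound packet:
#   1. nat 0 access-list (NAT exemption)  2. static  3. regular nat/global
NAT_EXEMPT_DESTS = [ipaddress.ip_network("10.10.0.0/16")]  # assumed VPN subnet

# "nat (inside) 101 0.0.0.0 0.0.0.0" -> "global (outside) 101 interface"
NAT_RULES = [(101, ipaddress.ip_network("0.0.0.0/0"))]
GLOBALS = {101: "interface PAT"}

# "static (inside,outside) 64.185.19.13 192.168.1.32 netmask 255.255.255.255"
STATIC_FROM_THREAD = {"192.168.1.32": "64.185.19.13"}


def translate(src, dst, statics):
    """Return (rule_kind, mapped_source) for an inside->outside packet."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    # 1. NAT exemption: traffic bound for the site-to-site VPN keeps its real IP
    if any(dst_ip in net for net in NAT_EXEMPT_DESTS):
        return ("exempt", src)
    # 2. Static: a host-specific static wins over the dynamic pool, both ways
    if src in statics:
        return ("static", statics[src])
    # 3. Dynamic nat/global: everything else shares the interface address
    for nat_id, real_net in NAT_RULES:
        if src_ip in real_net:
            return ("dynamic", GLOBALS[nat_id])
    return ("none", None)


def compare_before_after(pc="192.168.1.32", internet_host="203.0.113.10"):
    """Translation the PC gets for Internet traffic without and with the static."""
    before = translate(pc, internet_host, {})
    after = translate(pc, internet_host, STATIC_FROM_THREAD)
    return before, after


if __name__ == "__main__":
    before, after = compare_before_after()
    print("without static:", before)  # ('dynamic', 'interface PAT')
    print("with static:   ", after)   # ('static', '64.185.19.13')
    print("to VPN peer:   ", translate("192.168.1.32", "10.10.5.5", STATIC_FROM_THREAD))
```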