ASA 5510 VPN problem

thotsaphon Wed, 06/18/2008 - 08:18

Hi,

Could you please remove the "nat (inside) 0 0.0.0.0 0.0.0.0" command and put "sysopt connection permit-ipsec" for testing?


HTH

Thot

nomair_83 Thu, 06/19/2008 - 02:28

Hi,


In your nat0 ACL, just swap the networks (your VPN pool address should be the destination) and call that access-list in nat.

Check sysopt and NAT-T as well, and remove nat (inside) 0 0.0.0.0 0.0.0.0


Regards,


Farrukh Haroon Thu, 06/19/2008 - 03:29

There is no need to remove nat (inside) 0 0.0.0.0 0.0.0.0 if the proper nat 0 ACL is there. NAT Exemption (nat 0 ACL) has the highest priority and will be considered first.


sysopt is enabled by default (but worth the check).


He is not using the nat ACL you refer to (nat_0); this one is being used, which seems correct:


access-list inside_nat0_inbound extended permit ip any 192.168.50.0 255.255.255.192


nat (inside) 0 access-list inside_nat0_inbound


Regards


Farrukh
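
The check discussed in the posts above (is the bound nat 0 ACL written with the VPN pool as the destination?), as an added example that is not part of the thread or of any Cisco tool. The contents of nat_0, the 10.1.1.0/24 LAN and the function names are assumptions; only the inside_nat0_inbound ACL line and its nat binding come from the post.

```python
import ipaddress

# Constructed sample: the first and third lines are the ones quoted in the post;
# nat_0's contents and the 10.1.1.0/24 LAN are assumptions for illustration.
SAMPLE = """\
access-list inside_nat0_inbound extended permit ip any 192.168.50.0 255.255.255.192
access-list nat_0 extended permit ip 192.168.50.0 255.255.255.192 10.1.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_inbound
nat (inside) 0 0.0.0.0 0.0.0.0
"""

def take_net(tok):
    """Consume one ASA address spec ('any', 'host A' or 'A MASK') from a token list."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def audit_nat0(config, vpn_pool, interface="inside"):
    """Report which bound nat 0 ACL entries have the VPN pool as destination."""
    pool = ipaddress.ip_network(vpn_pool)
    acls, bound, identity = {}, [], False
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:5] == ["extended", "permit", "ip"]:
            src, rest = take_net(tok[5:])
            dst, _ = take_net(rest)
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[:3] == ["nat", f"({interface})", "0"]:
            if tok[3:4] == ["access-list"]:
                bound.append(tok[4])      # ACL actually referenced by nat 0
            else:
                identity = True           # e.g. nat (inside) 0 0.0.0.0 0.0.0.0
    result = {"exempt": [], "swapped": [], "identity_nat": identity}
    for name in bound:
        for src, dst in acls.get(name, []):
            if src.prefixlen > 0 and src.overlaps(pool):
                result["swapped"].append(name)   # pool is on the source side
            elif pool.subnet_of(dst):
                result["exempt"].append(name)    # pool is the destination
    return result

if __name__ == "__main__":
    print(audit_nat0(SAMPLE, "192.168.50.0/26"))
```

An ACL that is defined but never referenced by a nat 0 line (nat_0 in the sample) does not appear in the result, which is the distinction drawn in the post above.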



nomair_83 Thu, 06/19/2008 - 04:44

Can you mention some LAN subnet in your no-nat ACL instead of "any"?

Just try if it works, because "any" should also work.

Regards,
