ASA 5510 VPN problem

thotsaphon Wed, 06/18/2008 - 08:18


Could you please remove a "nat (inside) 0" command and put "sysopt connection permit-ipsec" for testing?



nomair_83 Thu, 06/19/2008 - 02:28


In your nat0 ACL, just swap the networks (your VPN pool address should be the destination)

and call that access-list in nat.

Check sysopt and nat-t as well.

And remove nat (inside) 0


Farrukh Haroon Thu, 06/19/2008 - 03:29

There is no need to remove nat (inside) 0 if the proper nat 0 ACL is there. NAT Exemption (nat 0 ACL) has the highest priority and will be considered first.

sysopt is enabled by default (but worth the check).

He is not using the nat ACL you refer to (nat_0), this one is being used which seems correct:

access-list inside_nat0_inbound extended permit ip any

nat (inside) 0 access-list inside_nat0_inbound



nomair_83 Thu, 06/19/2008 - 04:44

Can you mention some LAN subnet in your no-NAT ACL instead of "any"?

Just try if it works, because "any" should also work.
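The checks discussed in this thread (which ACL is bound to `nat (inside) 0`, whether its networks are swapped, whether it relies on `any`) can be run against a saved configuration. The following is an added example, not part of any post above; it assumes the pre-8.3 `nat (if) 0 access-list` syntax used in the thread, and the function names, subnets and VPN pool are constructed for illustration.

```python
import ipaddress
import re

def parse_addr(tokens):
    """Consume one ASA address spec; return an IPv4Network, or None for 'any'."""
    head = tokens.pop(0)
    if head == "any":
        return None
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")  # network + mask

def check_nat0(config, vpn_pool, interface="inside"):
    """Return findings for the ACL bound by 'nat (<interface>) 0 access-list'."""
    pool = ipaddress.ip_network(vpn_pool)
    bound = re.search(rf"^nat \({re.escape(interface)}\) 0 access-list (\S+)",
                      config, re.M)
    if not bound:
        return [f"no nat 0 access-list bound to {interface}"]
    name, findings = bound.group(1), []
    prefix = f"access-list {name} extended permit ip "
    aces = [l.strip() for l in config.splitlines() if l.strip().startswith(prefix)]
    if not aces:
        findings.append(f"ACL {name} has no 'permit ip' entry")
    for ace in aces:
        tokens = ace[len(prefix):].split()
        try:
            src, dst = parse_addr(tokens), parse_addr(tokens)
        except (IndexError, ValueError):
            findings.append(f"incomplete or invalid entry: {ace}")
            continue
        if src is None or dst is None:
            findings.append(f"broad entry uses 'any': {ace}")
        elif src.overlaps(pool) and not dst.overlaps(pool):
            findings.append(f"networks swapped, pool is the source: {ace}")
        elif not dst.overlaps(pool):
            findings.append(f"destination does not cover the pool: {ace}")
    return findings

# Constructed sample configs (addresses are made up for this example).
SWAPPED = """\
access-list inside_nat0_inbound extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_inbound
"""
FIXED = """\
access-list inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_inbound
"""
```

Calling `check_nat0(SWAPPED, "10.10.10.0/24")` returns one "networks swapped" finding, while the `FIXED` config returns an empty list.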


