ASA 5510 VPN problem

thotsaphon Wed, 06/18/2008 - 08:18

Hi,

Could you please remove the "nat (inside) 0 0.0.0.0 0.0.0.0" command and put "sysopt connection permit-ipsec" for testing?

HTH

Thot

nomair_83 Thu, 06/19/2008 - 02:28

Hi,

In your nat0 ACL, just swap the networks (your VPN pool address should be the destination)

and call that access-list in nat.

Check sysopt and nat-t as well.

And remove nat (inside) 0 0.0.0.0 0.0.0.0

Regards,

Farrukh Haroon Thu, 06/19/2008 - 03:29

There is no need to remove nat (inside) 0 0.0.0.0 0.0.0.0 if the proper nat 0 ACL is there. NAT Exemption (nat 0 ACL) has the highest priority and will be considered first.

sysopt is enabled by default (but worth the check).

He is not using the nat ACL you refer to (nat_0), this one is being used which seems correct:

access-list inside_nat0_inbound extended permit ip any 192.168.50.0 255.255.255.192

nat (inside) 0 access-list inside_nat0_inbound

Regards

Farrukh
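
The check discussed in the replies above (the nat 0 ACL bound to the inside interface must list the VPN pool as its destination) can be run offline against a saved configuration. This is an added example, not code from any poster or from Cisco; the pool range, the LAN subnet 10.1.1.0/24 and the ACL name example_swapped are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the two lines quoted in the thread plus a hypothetical
# swapped ACL (example_swapped, LAN 10.1.1.0/24) that is not from the thread.
SAMPLE_CONFIG = """\
access-list inside_nat0_inbound extended permit ip any 192.168.50.0 255.255.255.192
access-list example_swapped extended permit ip 192.168.50.0 255.255.255.192 10.1.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_inbound
"""
ASSUMED_POOL = ("192.168.50.1", "192.168.50.62")  # assumption, not from the thread

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def take_network(tokens):
    """Consume 'any', 'host A' or 'A MASK' from the front of the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")


def parse(config):
    """Return ({acl: [(src, dst), ...]}, {interface: acl bound with nat 0})."""
    acls, bindings = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACE_RE.match(line):
            tokens = m.group(2).split()
            src = take_network(tokens)
            acls.setdefault(m.group(1), []).append((src, take_network(tokens)))
        elif m := NAT0_RE.match(line):
            bindings[m.group(1)] = m.group(2)
    return acls, bindings


def pool_exempted(config, interface, pool):
    """True if the nat 0 ACL on the interface has the whole pool as destination."""
    acls, bindings = parse(config)
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    return any(lo in dst and hi in dst
               for _src, dst in acls.get(bindings.get(interface), []))
```
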

nomair_83 Thu, 06/19/2008 - 04:44

Can you mention some LAN subnet in your no nat ACL instead of "any"?

Just try if it works, because "any" should also work.

Regards,
