remote VPN issue

Unanswered Question
Sep 23rd, 2009

We have a remote VPN connection issue. The remote users behind the ASA need to access servers behind the VPN concentrator. Right now the VPN session can be established, but remote users with a private IP address like 192.168.x.x are not able to access the servers. They can if the remote workstation is assigned a public IP address directly. It looks like the issue is from NAT on the ASA. Could you give me some specific advice on where I should check? Thanks a lot!

auraza Wed, 09/23/2009 - 09:57
User Badges:
  • Cisco Employee,

Make sure you are exempting VPN traffic from being NAT'd.


If the network behind the ASA is 192.168.1.0/24, and the network behind the concentrator is 192.168.2.0/24, then you first need to create an ACL:

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


Then reference this in a NAT exempt statement:

nat (inside) 0 access-list nonat


Thanks.


PS. if you found this response helpful, please rate it.
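
A quick way to audit a saved ASA configuration for the NAT exemption described in the answer above. This is an added example, not part of the original post or any Cisco tool: the function names are hypothetical, and the sample configuration is constructed from the two statements in the answer plus assumed dynamic NAT lines.

```python
import ipaddress
import re

# Constructed sample: the two statements from the answer plus ordinary
# dynamic NAT/PAT lines (assumed) that would otherwise translate the traffic.
SAMPLE_CONFIG = """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""

def _take_network(tokens):
    """Consume one address spec (any | host IP | IP MASK) from the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=False)

def parse_config(text):
    """Return (acls, exempt): ACL name -> ordered ACEs, interface -> ACL name."""
    acls, exempt = {}, {}
    for line in text.splitlines():
        tokens = [t for t in line.split() if t != "extended"]
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)", line.strip())
        if m:
            exempt[m.group(1)] = m.group(2)
        elif len(tokens) >= 6 and tokens[0] == "access-list" and tokens[3] == "ip":
            rest = tokens[4:]
            src, dst = _take_network(rest), _take_network(rest)
            acls.setdefault(tokens[1], []).append((tokens[2], src, dst))
    return acls, exempt

def is_nat_exempt(text, src_ip, dst_ip, interface="inside"):
    """True if src->dst hits a permit ACE in the interface's NAT 0 ACL."""
    acls, exempt = parse_config(text)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acls.get(exempt.get(interface), []):
        if src in src_net and dst in dst_net:
            return action == "permit"  # first matching ACE decides
    return False  # no NAT 0 statement for this interface, or no matching ACE

if __name__ == "__main__":
    print(is_nat_exempt(SAMPLE_CONFIG, "192.168.1.10", "192.168.2.20"))
    print(is_nat_exempt(SAMPLE_CONFIG, "192.168.1.10", "8.8.8.8"))
```

The check returns False when the ACL has its source and destination networks swapped or when the `nat (inside) 0` line is missing, which are the two mistakes that leave tunnel traffic subject to translation.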

HWangLoyalty_2 Wed, 09/23/2009 - 10:06
Thanks for your quick response. I just forgot one thing about my situation. When the remote users come in, they will be assigned another IP address by the VPN concentrator, like 192.168.2.X, different from the current one. Is the firewall rule you suggested still used? Thx

auraza Wed, 09/23/2009 - 10:12
User Badges:
  • Cisco Employee,

The problem you are experiencing is on the ASA, and that is where you had to make the change. The concentrator will automatically handle NAT, etc. issues.
