ASA attached to a Cisco Router 2921


Hi guys,

Thanks for all the help thus far and I am nearing completion of my project.  I have one last piece to finish.

I hooked the asa to a wan port, got my routing set and I am having this problem.

1. With NAT enabled on that wan port of the router, I can get to the internet no problem.  But I cannot get in via vpn to the lan. I can connect to the vpn, but I cannot get to the lan.

2. If I turn off nat on the router, I cannot get to the internet, but I can connect to the lan through the vpn tunnel from home.

Is there a way to pass incoming traffic not initiated from the inside to pass directly to the inside interface with being natted?

Our asa does nat on certain ports to inside IPs. It appears that the router is natting those addresses on the router wan port.


Lan side of the router is our default gateway. Currently I couldn't get traffic to work both ways so the router is disconnected and the asa is back as being the edge device.

Any ideas guys?

Thanks in advance.

John Blakley Thu, 04/22/2010 - 07:21

You may have to post your VPN settings for your users for me to be able to try to help you. You'll need nat configured on the router if that's the last device out and nothing else is natting for you.

So, in your config you probably have something like:

global (outside) 1 interface

nat (inside) 1

Do you have an address pool set up for your users, and do you get an address from this pool? Can you post that portion of the config?

I'll also need to see your group-policy and tunnel-group for the user group that's having the problem.



John Blakley Thu, 04/22/2010 - 07:46

Why do you have your outside connections natting to inside? This line "global (inside) 1 interface"....have you tried taking it out?

