Problems with NAT in ASA5505

Unanswered Question
May 7th, 2010
User Badges:

Hi everybody ...

Please your help and suggestions in this case.

I have an Internet connection from an ISP, they gave me the fiber optic connection of 3Mbps.

The ISP gave us the following information:

ip address in fiber optics: / 30.  We used the and the ISP site has

internet public addresse:  190.X.Y.Z / 29.

In the JPG attached you can see the schema.

The interfases configuration:

interface Vlan1
  nameif inside
  security-level 100
  ip address
interface Vlan2
  nameif outside
  security-level 0
  ip address
interface Ethernet0/0
  switchport access vlan 2
interface Ethernet0/1

1-.     I had configured the global and nat commands for Internet access of inside network:

global (outside) 1 190.X.Y.89 netmask
nat (inside) 1

2-.     I configured and tested the static command with internal server for internet access.

static (inside,outside) 190.X.Y.90 netmask

with some access-list to permit access to some services.

This two configurations worked good.

But I need to assign an public (legal) internet address to the firewall because we need VPN remote access and VPN L2L with other office.

I don't know how to configure the firewall for this.

I tried making an static with firewall inside interface and opening the access, with "debug icmp trace" I could see the test icmp packets arrive to inside interface but the inside interface doesn't answer.

I just need to configure the firewall for VPN access...   Any suggestions ???

Thanks in advance ...

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jennifer Halim Fri, 05/07/2010 - 17:17
User Badges:
  • Cisco Employee,

You would need to configure the static 1:1 translation for the ASA outside ip address ( to one of your public ip address on the router in front of the ASA for VPN to work.

You can only terminate VPN on the outside interface of your ASA as outside interface is where the default gateway is, and since your outside interface is assigned private ip address, you would  need to configure static translation on the router in front of the ASA for the ASA outside interface IP.

Hope that helps.

guigonza Fri, 05/07/2010 - 17:48
User Badges:

Thanks halijenn ...

But how do I make the static with outside ?,  the IP is in outside interface, but the internet public address ?

Would you show the possible command ?


Jennifer Halim Fri, 05/07/2010 - 18:40
User Badges:
  • Cisco Employee,

The static NAT translation needs to be done on the router, not on ASA.

So on the router, you should configure the following:

ip nat inside source static

Then, "ip nat inside" on the router interface connected to the ASA outside interface, and "ip nat outside" on the router interface connected to the Internet.

guigonza Fri, 05/07/2010 - 18:45
User Badges:

Ok ...

But, we don't have the router, the ISP gave us the ethernet connection with private ip address and the public addresses.

The schema attached has an error, the router icon is the firewall.  The firewall is connected directly to ISP private ip address, we don't have the router.

any suggestion ... ?

Jennifer Halim Fri, 05/07/2010 - 18:48
User Badges:
  • Cisco Employee,

Unfortunately there is nothing much you can do if that is the case. ASA does not support virtual IP for VPN termination. Only IOS router supports that as you can configure loopback interface for VPN termination, not on ASA.

VPN on ASA needs to be terminated on the interface connected to the Internet, and in your case, it's the outside interface. The only way is to ask your ISP to change the private ip subnet link between the ASA outside interface and the ISP to public ip subnet so it's routable.


This Discussion