I am trying to migrate to an ASA 5505 from our PIX.
Most of our network uses PAT on our outside interface, but I have a small pool of addresses which I NAT to on the inside, and when I do this they are unable to VPN out to remote sites.
This worked great on the PIX but not on the ASA. I can see UDP port 500 coming back to the client, but UDP port 4500 disappears on its return journey between the two ASA interfaces.
Did you check sysopt?
This is not a connection to the ASA, but a connection through it whilst using a NAT'd IP.
I have assigned a NAT to a PC on the inside of the ASA, but when the PC opens a Cisco VPN client and tries to connect to a remote Cisco firewall, the user is unable to connect; when he uses a PAT'd address it works fine.
The PC is 10.2.200.80
The old Pix line used to be
static (inside,outside) 10.2.254.80 10.2.200.80 netmask 255.255.255.240
for sixteen addresses.
I have just got it to work by using the following two lines
global (outside) 2 10.2.254.80
nat (inside) 2 10.2.200.80 255.255.255.255
I can't believe the above (times sixteen), i.e. 32 lines instead of just 1, is the only way to get it working.
Your configuration (with global) is a dynamic NAT, so it's unidirectional, while static is bidirectional.
Did you change something in the client configuration?
What are the client parameters?
I meant that this NAT configuration could determine the behaviour of the server side, by using NAT traversal or not.
When you added this line to the ASA, it didn't work? 'static (inside,outside) 10.2.254.80 10.2.200.80 netmask 255.255.255.240'
It did work. I checked whatsmyip to confirm it was translating ok.
I can see udp 500 coming back to the client but udp 4500 only gets back as far as the outside interface but never exits the internal interface to reach the client.
So the NAT is definitely working, but it just does not pass back the UDP 4500.
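Added example, not posted by anyone in this thread: the commands a practitioner would run on an ASA (pre-8.3 NAT syntax, as used in the posts above) to keep the one-line static translation for the whole /28 block and to locate where the returning UDP 4500 packet is dropped between the two interfaces. The interface names inside/outside and the addresses 10.2.254.80 and 10.2.200.80 come from the thread; the remote VPN peer address 203.0.113.5 is an assumed placeholder.

```cisco
! Added example (not from the thread). One-line static NAT for the whole /28,
! equivalent to the PIX line quoted above (pre-8.3 ASA syntax).
static (inside,outside) 10.2.254.80 10.2.200.80 netmask 255.255.255.240

! Confirm the translation exists for the PC (10.2.200.80 <-> 10.2.254.80).
show xlate | include 10.2.200.80

! Simulate the return packets from the assumed remote peer 203.0.113.5.
! IKE (UDP 500) is reported as working in the thread; compare it with the
! NAT-T packet (UDP 4500) and note which phase reports DROP and why.
packet-tracer input outside udp 203.0.113.5 500 10.2.254.80 500
packet-tracer input outside udp 203.0.113.5 4500 10.2.254.80 4500

! Live captures on both interfaces while the client connects: if UDP 4500
! shows up in capout but never in capin, the drop is inside the ASA.
capture capout interface outside match udp host 203.0.113.5 host 10.2.254.80 eq 4500
capture capin interface inside match udp host 203.0.113.5 host 10.2.200.80 eq 4500
! ... attempt the VPN connection from the PC, then:
show capture capout
show capture capin
show asp drop
no capture capout
no capture capin
```

Run the packet-tracer commands both before and after the client attempts to connect: the return UDP 4500 flow is expected to rely on the connection entry created by the client's first outbound NAT-T packet, so an inbound-first test can legitimately be dropped by the outside ACL. Note also that `sysopt connection permit-vpn` only affects tunnels terminating on the ASA itself, which is why the sysopt question earlier in the thread does not apply to a VPN passing through it.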