Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

ASA5510 and NAT and VPN help!

I'm looking into configuring an asa5510 with a dsl modem connected to it's outside interface and a bunch of pc's connected to the internal interface through a 3560 switch.

the internal network will be a 172.16.x.x network with /24.

if I did not want any traffic going out to the internet, do I need to NAT anything?

I just want to setup a vpn server on the asa where I can have some folks remote into the LAN. what acl's and rule sets would I need?

for the folks who vpn in, I will have a vpn dhcp pool so they are in the same 172.16.x.x network.

i'm just very confused trying to get this to work.

once the above setup is successful, THEN,(as a bonus) I would like to see if I can configure the LAN pc's to get internet access.

however, there will be about 20 internal PC's and only one routable DSL IP address.

I tried to setup

nat (inside) 1

global (outside) 1

the above global command was unsuccessful because the above 70.x.x.x IP conflicts with the IP address of the outside interface.

my outside interface has the same 70.x.x.x address because that is what was assigned by DSL.

I thought the whole point of PAT was that all 20 pc's use the one DSL IP address to access the

Please help!


Re: ASA5510 and NAT and VPN help!

Hello vishal,

To answer your queries:

if I did not want any traffic going out to the internet, do I need to NAT anything?

Ans - No.. you dont need to.. If the traffic is not going to hit the inside interface of the PIX, and traverse through it to outside or any other interface, you dont need to NAT the traffic, since the PIX is not doing anything with that traffic....

2)what acl's and rule sets would I need?

Ans - Are you setting up a remote access VPN ? if so, you dont need to setup any rules on the outside or inside.. if there are any ACL's on the inside already, then you need to modify it accordingly... once you get an ip address from the pool, try to ping to any of the devices on the inside network.. if the ip pool is from a different subnet, then you gotta do some nat 0's...

3) internet issue:

Is the DSL router connecting directly to the ASA ? Have you configured the ASA for PPPoE or is the DSL modem working in bridge mode ? Is the IP address given by the ISP through DSL ? if so, you can use the commands

nat (inside) 1

global (outside) 1 interface

give a show xlate and see if you getting any translations.. Also check if the ISP gives you any default gateway when connecting on DSL on the ASA... if there is no default gateways given, internet might not work !!!

Hope this helps.. all the best.. rate replies if found useful..


CreatePlease to create content