Cisco Support Community

New Member

ASDM through IPsec-Tunnel with Nat?

Hello together,

Perhaps somebody had the same problem and found a way to solve it.

We access our customer-networks over IPsec-Tunnel with D-Nat:

Our site is hidden behind a single address (Service-Pat); the remote sites are accessed over /27 networks, whose host addresses (D-Nat1, ...) are translated to the servers (Server1, ...) we need to access.

NAT on customer ASA (8.3):

nat (any,any) source static Service-Pat Service-PAT destination static D-NAT1 Server1 unidirectional

Unfortunately, I can't access the ASA on the customer site using this NAT.

Regardless of which address the NAT is used with (ASA interface addresses, loopback), it's not possible to use CLI or ASDM.

The log shows only the normal NAT translation, like when I access one of the servers behind the ASA, no error - but the session is refused.

It's only possible to access the firewall from an inside host.

Is there a way to access ASDM/CLI using the destination NAT?


Re: ASDM through IPsec-Tunnel with Nat?

The remote end needs "management access inside" configured, if you want to access from over the VPN.


New Member

ASDM through IPsec-Tunnel with Nat?

Hi Andrew,

Thanks for your answer.

The "management-access inside" statement is used.

Perhaps the statement only works without nat?

ASDM through IPsec-Tunnel with Nat?

Check you are not double natting it, so once you have performed the destination nat - the resulting new IP must be part of the no-nat before it is encrypted.

New Member

ASDM through IPsec-Tunnel with Nat?

Hello Andrew,

I'm not sure what you mean.

There is no access list that could block the traffic. The log shows only the Tearup/Teardown.


Transit-Net :

D-NAT2      :

ASA-Local :

access-list outside_1_cryptomap extended permit ip object Transit-Net object Service-PAT

access-list outside_1_cryptomap extended permit ip object Service-PAT any

access-list outside_1_cryptomap extended permit ip object Service-PAT interface inside

nat (any,any) source static Service-PAT Service-Pat destination static D-NAT2 ASA-Local unidirectional

management-access inside

ssh inside

telnet inside

Besides the destination nat, there is only the default Pat to the outside

nat (any,outside) source dynamic any interface

After the NAT is done, the ASA should only see a packet from to its local interface.

ACL and management rules don't deny this.

Could you please explain your comment about the double natting and no-nat?

Is there a mistake in the NAT statements?

Thanks for your help!

ASDM through IPsec-Tunnel with Nat?

If the remote end is say but I need to nat that to and use that to connect to, then it gets encrypted, then

1) I need to nat to

2) I need to define the interesting VPN traffic destination as

3) as I have general NAT in place, and the VPN endpoint is out the outside interface, I need to make sure that I do not nat it again, before it leaves the interface for encryption so "access-list no-nat permit x.x.x.x x.x.x.x host"

4) as a destination must no

Remember the flow is NAT>Route>Encrypt. Use your favorite search engine and look for "identity nat" and "double nat"
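The NAT-before-encrypt ordering from the reply above, as an added example that is not part of the original thread: a simplified Python model in which NAT rules are evaluated top-down with first match winning, and the crypto ACL is then checked against the post-NAT addresses. All addresses, rule names and function names are constructed for illustration, and the routing step is left out.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addresses (RFC 1918 / RFC 5737); none come from the thread.
INSIDE = ip_network("10.1.1.0/24")        # local hosts behind the firewall
REMOTE = ip_network("192.0.2.0/27")       # peer network reached through the tunnel
OUTSIDE_IF = ip_address("203.0.113.1")    # outside interface address used for PAT
ANY = ip_network("0.0.0.0/0")

# NAT rule: (name, match source, match destination, translated source).
# A translated source of None models identity NAT (the "no-nat" exemption).
EXEMPT = ("no-nat", INSIDE, REMOTE, None)
PAT = ("general-pat", ANY, ANY, OUTSIDE_IF)

# Interesting traffic for the tunnel, matched on post-NAT addresses.
CRYPTO_ACL = [(INSIDE, REMOTE)]


def translate(src, dst, rules):
    """Apply the first matching NAT rule; return (rule name, post-NAT source)."""
    for name, match_src, match_dst, new_src in rules:
        if src in match_src and dst in match_dst:
            return name, (src if new_src is None else new_src)
    return "none", src


def is_interesting(src, dst):
    """True if the post-NAT packet matches the crypto ACL and gets encrypted."""
    return any(src in s and dst in d for s, d in CRYPTO_ACL)


def trace(src, dst, rules):
    """Walk one packet through NAT, then the crypto ACL check."""
    src, dst = ip_address(src), ip_address(dst)
    rule, post_src = translate(src, dst, rules)
    return {
        "nat_rule": rule,
        "post_nat_src": str(post_src),
        "encrypted": is_interesting(post_src, dst),
    }


if __name__ == "__main__":
    # General PAT listed first: the source is rewritten before the crypto ACL
    # is consulted, so the packet no longer matches the interesting traffic.
    print(trace("10.1.1.10", "192.0.2.5", [PAT, EXEMPT]))
    # Exemption listed first: the source is preserved and the packet is encrypted.
    print(trace("10.1.1.10", "192.0.2.5", [EXEMPT, PAT]))
```
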

New Member

ASDM through IPsec-Tunnel with Nat?

I'm sure the Nat is ok. It works fine when the sessions are built up through the ASA, the connection into the ASA doesn't work with any tested nat statement.

I was wrong when I said that the log only shows the normal NAT Sessions - the Teardown always shows "flow terminated by tcp intercept"