Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Basic NAT from outside remote-access IPSec VPN to inside

This is a simple problem, yet I cannot get this to work properly and I've even had a Cisco engineer from TAC set-this up... and it literally broke my inside network.  I have a VPN range of addresses..x.x.x.x on the Outside that needs access to a server on the Inside at y.y.y.y.  HTTPS/443 connectivity.  I need to NAT my VPN subnet/pool in order to talk to the inside host, as that host will not accept traffic from my VPN subnet, but obviously, will accept traffic from Inside my private network.

The Cisco tech entered the following static NAT statement to "fix" the problem -

nat (outside,inside) source static VPN Inside-Network destination static Host-y.y.y.y Host-y.y.y.y

For whatever reason, whenever this is configured on my ASA 5550 v8.3(2)25 the Inside interface starts proxy arping and assigns all IP addresses on my private network with the MAC address of the Inside interface.  At that point, nothing talks.

The y.y.y.y is on a remote, routed network within my private, corporate MPLS network.  My Inside private network (Inside-network shown in the static NAT above) is x.x.x.x.  Not sure why this happens, but it kills my entire network and I have to jump through hoops to quiesce the network and get everything back to normal.

I've tried to Dynamic-PAT/hide the VPN range behind the Inside interface through ASDM and that seems to do nothing.

The NAT statement above will break my network.  Anyone have any suggestions on how to NAT this connection without killing my Inside network?  Or, on how to properly hide my VPN subnet/pool behind my Inside interface and back to the VPN subnet/pool.  Thanks.

Cisco Employee

Re: Basic NAT from outside remote-access IPSec VPN to inside

Hi David,

It's true that you need a NAT rule similar to what you mentioned, but in 8.4(2) or higher it should include the 'no-proxy-arp' and 'route-lookup' keywords at the end:

nat (outside,inside) source static VPN Inside-Network destination static Host-y.y.y.y Host-y.y.y.y no-proxy-arp route-lookup

Without the keywords, the ASA will definitely proxy ARP on the inside interface for the Inside-Network object.

Also, I don't know what the Inside-Network object actually contains, so make sure this is the translated address or pool that you want the VPN subnet to use.


EDIT: The line wrap makes the config look a bit confusing, but the keywords in bold are all part of the same NAT command.