Cisco Support Community


Inside-outside NAT bypassing EZVPN help

Still working on trying to get CUMA working on an ASA. From reading through multiple documents I found the setup confusing, and not much help from TAC either. What I get from Cisco TAC is that the CUMA server sees the mapped IP of the translation as the client, yet the ASA isn't configured to source the IP of the translation; that requires a whole different setup.

So, working off the one doc I found, here is what needs to be done for CUMA to work with the ASA as far as what it sees as the client IP.

p 2  Translate all client IP addresses to a single source IP address for routing through the firewall to Cisco Unified Mobility Advantage:
global (<inside interface name>) <nat_id> <shared ip address to which all client ip addresses will be translated> netmask <subnet mask>
nat (<outside interface name>) 1 0 0 outside

Note that because the IP address that all clients share is the same as the inside interface, you can use interface instead of specifying the IP address.

global (inside) 1 interface
nat (outside) 1 outside

What I gather is, when a client connects to CUMA, the ASA translates the incoming IP to the inside IP of the ASA, and that is the IP seen by CUMA. CUMA responds back to the client via the IP of the ASA, and that is the IP that now gets registered with the CallManager.

Simple enough, but when applied it now breaks all EZVPN connections into the ASA. I need to know how to exempt the VPN from the above NAT configuration.

Do I nonat the internal networks, or do I now need to filter based on their public IPs, and what happens when the IP changes, since they are all dynamic?
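Added illustration, not from the original post or from Cisco's CUMA documentation: the blanket outside NAT from the doc beside a version that limits the translation to traffic headed for the CUMA server and explicitly exempts the decrypted VPN traffic. It assumes the pre-8.3 global/nat syntax the post uses; the interface names, the CUMA server address, the VPN address space and the inside network are placeholders.

```cisco
! --- As quoted from the doc: every connection arriving on outside is
! --- PAT'd to the inside interface address. Decrypted EZVPN traffic also
! --- enters through outside, so it is caught by this rule as well.
global (inside) 1 interface
nat (outside) 1 0 0 outside

! --- Scoped replacement for the two lines above (placeholder addresses) ---
! Only traffic destined to the CUMA server (10.1.1.50 here) is translated;
! anything else entering on outside, VPN client traffic included, is left as is.
access-list CUMA_OUTSIDE_NAT extended permit ip any host 10.1.1.50

! Explicit exemption for the VPN address space. NAT is evaluated on the
! decrypted (inner) packet, so match the remote-access pool or the EZVPN
! hardware client's network-extension subnet (192.168.200.0/24 here) going
! to the inside network (10.1.0.0/16 here). The clients' dynamic public IPs
! never appear in the rule and can change freely.
access-list OUTSIDE_NAT0 extended permit ip 192.168.200.0 255.255.255.0 10.1.0.0 255.255.0.0

global (inside) 1 interface
nat (outside) 0 access-list OUTSIDE_NAT0 outside
nat (outside) 1 access-list CUMA_OUTSIDE_NAT outside
```

Check the result with "show xlate" while a VPN client and a CUMA client are connected: only the CUMA client's session should show a translation to the inside interface address.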
