New Member

NAT Route for Remote VPN on ASA 5510 8.4(2)

I have configured a remote access VPN on my firewall, an ASA5510. Everything worked fine and I can successfully connect through the VPN. The problem is I cannot ping or connect to any of my internal network resources. I tried to add a new NAT route from outside to my internal servers using the defined pool, but due to a new ASA version there are many changes I see in the NAT routes and I cannot understand how to resolve this problem.

Could someone help me with this please? It's urgent.

37 REPLIES

NAT Route for Remote VPN on ASA 5510 8.4(2)

Please post your configuration.

New Member

Re: NAT Route for Remote VPN on ASA 5510 8.4(2)

I added the NAT route using the video below, but I still cannot connect to internal resources:

http://www.youtube.com/watch?v=TF59-Igr9Dc

Cisco Employee

NAT Route for Remote VPN on ASA 5510 8.4(2)

Hi,

The main issue is that we don't know what NAT configuration is already in place. What you can do is the following, and let us know if it works.

object network INSIDE-LAN
 subnet x.x.x.x x.x.x.x
object network VPN-POOL
 subnet y.y.y.y y.y.y.y
nat (inside,outside) 1 source static INSIDE-LAN INSIDE-LAN destination static VPN-POOL VPN-POOL

Note the number 1; it will put this NAT statement first on the NAT list to keep any other NAT from messing with this specific traffic.

Try it out and let us know.

Mike.

Mike
New Member

NAT Route for Remote VPN on ASA 5510 8.4(2)

Dear Maykol,

This is the NAT which I have created earlier:

nat (inside,any) source static any any destination static QIB-VPN QIB-VPN

New Member

NAT Route for Remote VPN on ASA 5510 8.4(2)

When I run the Packet Tracer on this specific NAT route, the packet drops and it recommends creating an access rule in the access list table.

Cisco Employee

NAT Route for Remote VPN on ASA 5510 8.4(2)

Hi Muhammad,

Can you change it to be outside instead of any? Also, can you make sure that it is first on the list of nats? If possible paste your Packet tracer without the IPs once you complete these changes...

Mike

Mike
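A check for the two points raised in the reply above (a named egress interface instead of `any`, and the rule sitting first in the list), as an added example that is not part of the original thread or any Cisco tool. The function name, the constructed sample list and the OTHER-* objects are assumptions; rules using `after-auto` are not handled.

```python
import re

# Twice-NAT statement in the form used in this thread (ASA 8.3+ syntax):
#   nat (real_if,mapped_if) [line] source static A B destination static C D
NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+(?:(?P<line>\d+)\s+)?"
    r"source static (?P<src_real>\S+) (?P<src_mapped>\S+)\s+"
    r"destination static (?P<dst_real>\S+) (?P<dst_mapped>\S+)",
    re.IGNORECASE,
)

def audit_vpn_exemption(nat_lines, pool_object, outside_if="outside"):
    """Return findings for the identity-NAT rule whose destination is pool_object.

    nat_lines: manual NAT statements in the order the ASA lists them.
    Interface names are compared case-insensitively (assumption).
    """
    for position, text in enumerate(nat_lines, start=1):
        m = NAT_RE.match(text.strip())
        if not m or m["dst_real"] != pool_object:
            continue
        findings = []
        if m["src_real"] != m["src_mapped"] or m["dst_real"] != m["dst_mapped"]:
            findings.append("not an identity rule: real and mapped objects differ")
        if m["mapped_if"].lower() != outside_if.lower():
            findings.append(
                f"mapped interface is '{m['mapped_if']}', expected '{outside_if}'")
        if position != 1:
            findings.append(
                f"rule is at position {position}; earlier NAT rules are evaluated first")
        if m["src_real"].lower() == "any":
            findings.append(
                "source is 'any'; the suggested rule uses an inside-subnet object")
        return findings
    return [f"no twice-NAT rule found with destination {pool_object}"]

# Constructed sample: the poster's original rule listed after a hypothetical rule.
SAMPLE = [
    "nat (inside,Outside) source static OTHER-SRC OTHER-SRC "
    "destination static OTHER-DST OTHER-DST",
    "nat (inside,any) source static any any destination static QIB-VPN QIB-VPN",
]

if __name__ == "__main__":
    for finding in audit_vpn_exemption(SAMPLE, "QIB-VPN"):
        print("-", finding)
```

An empty list means the rule matches the shape suggested in the thread; it says nothing about access rules, which is where the Packet Tracer output later in the thread reports the drop.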
New Member

NAT Route for Remote VPN on ASA 5510 8.4(2)

I changed the rule from any to outside. Packet tracer is giving the below results:

1 UN-NAT
Type - UN-NAT
Subtype - static
Action - ALLOW
Show rule in NAT Rules table.
Config
nat (inside,Outside) source static any any destination static QIB-VPN QIB-VPN
Info
NAT divert to egress interface inside
Untranslate 192.168.10.2/0 to 192.168.10.2/0

2 ACCESS-LIST
Type - ACCESS-LIST
Action - DROP
Show rule in Access Rules table.
Config
Implicit Rule

RESULT - The packet is dropped.

Packet Dropped

Info: (acl-drop) Flow is denied by configuration rule.

New Member

NAT Route for Remote VPN on ASA 5510 8.4(2)

Also the NAT rule is number 1 in the list.

Cisco Employee

NAT Route for Remote VPN on ASA 5510 8.4(2)

Hi,

If you go to "Show rule in access rules", does it take you to the NAT section or the ACL section? Is the inside sec level 100 and outside less than 100?

Mike

Mike