Cisco Support Community

New Member

Problems with NAT in ASA5505

Hi everybody ...

Please give your help and suggestions in this case.

I have an Internet connection from an ISP; they gave me a fiber optic connection of 3 Mbps.

The ISP gave us the following information:

ip address in fiber optics: / 30.  We used the and the ISP site has

Internet public addresses:  190.X.Y.Z / 29.

In the attached JPG you can see the schema.

The interface configuration:

interface Vlan1
  nameif inside
  security-level 100
  ip address
interface Vlan2
  nameif outside
  security-level 0
  ip address
interface Ethernet0/0
  switchport access vlan 2
interface Ethernet0/1

1-.     I had configured the global and nat commands for Internet access of inside network:

global (outside) 1 190.X.Y.89 netmask
nat (inside) 1

2-.     I configured and tested the static command with internal server for internet access.

static (inside,outside) 190.X.Y.90 netmask

with some access-list to permit access to some services.

These two configurations worked well.

But I need to assign a public (legal) Internet address to the firewall because we need VPN remote access and VPN L2L with another office.

I don't know how to configure the firewall for this.

I tried making a static with the firewall inside interface and opening the access; with "debug icmp trace" I could see the test ICMP packets arrive at the inside interface, but the inside interface doesn't answer.

I just need to configure the firewall for VPN access... Any suggestions?

Thanks in advance ...

Cisco Employee

Re: Problems with NAT in ASA5505

You would need to configure the static 1:1 translation for the ASA outside ip address ( to one of your public ip address on the router in front of the ASA for VPN to work.

You can only terminate VPN on the outside interface of your ASA, as the outside interface is where the default gateway is, and since your outside interface is assigned a private IP address, you would need to configure static translation on the router in front of the ASA for the ASA outside interface IP.

Hope that helps.

New Member

Re: Problems with NAT in ASA5505

Thanks halijenn ...

But how do I make the static with outside? The IP is on the outside interface, but the Internet public address?

Would you show the possible command?


Cisco Employee

Re: Problems with NAT in ASA5505

The static NAT translation needs to be done on the router, not on ASA.

So on the router, you should configure the following:

ip nat inside source static

Then, "ip nat inside" on the router interface connected to the ASA outside interface, and "ip nat outside" on the router interface connected to the Internet.

New Member

Re: Problems with NAT in ASA5505

Ok ...

But we don't have the router; the ISP gave us the Ethernet connection with a private IP address and the public addresses.

The attached schema has an error: the router icon is the firewall.  The firewall is connected directly to the ISP private IP address; we don't have the router.

Any suggestions?

Cisco Employee

Re: Problems with NAT in ASA5505

Unfortunately there is not much you can do if that is the case. ASA does not support virtual IP for VPN termination. Only an IOS router supports that, as you can configure a loopback interface for VPN termination, not on ASA.

VPN on ASA needs to be terminated on the interface connected to the Internet, and in your case, it's the outside interface. The only way is to ask your ISP to change the private IP subnet link between the ASA outside interface and the ISP to a public IP subnet so it's routable.