Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Problems with VPN and NAT in ASA5520 8.3

Hi there!,

I am trying to configure an ASA 5520 with 8.3 software and i have to configure a VPN IPSec site-to-site. Trying to capture the packets i see coming the ingress interface but not coming out. So the VPN is not coming up and NAT seems not to work.

This is the configuration i have (without IPs):

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.122 

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address y.y.y.y 
object network NETWORK_OBJ_x.x.x.x
 subnet x.x.x.0
object network kpn1 
 host d.d.d.d
object network kpn2 
 host a.a.a.a
object network Peer_KPN 
 host p.p.p.p
object-group network KPN
 description Lan remota KPN
 network-object object kpn1
 network-object object kpn2
object-group service DM_INLINE_UDP_1 udp
 port-object eq isakmp
 port-object eq secureid-udp
access-list outside_1_cryptomap extended permit ip object NETWORK_OBJ_x.x.x.x object-group KPN 
access-list outside_access_in extended permit udp object Peer_KPN any object-group DM_INLINE_UDP_1 access-list inside_access_in extended permit ip any any



nat (inside,outside) source dynamic NETWORK_OBJ_x.x.x.x interface
nat (inside,outside) source static NETWORK_OBJ_x.x.x.x  destination static KPN
access-group outside_access_in in interface outside access-group inside_access_in in interface inside route outside x.x.x.121 1



crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer p.p.p.p 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400



tunnel-group p.p.p.p  type ipsec-l2l
tunnel-group p.p.p.p ipsec-attributes
 pre-shared-key *****

I hope this will help.

Everyone's tags (5)
Cisco Employee

Re: Problems with VPN and NAT in ASA5520 8.3

The following static NAT should be changed:


nat (inside,outside) source static NETWORK_OBJ_x.x.x.x  destination static KPN

nat (inside,outside) source static NETWORK_OBJ_x.x.x.x NETWORK_OBJ_x.x.x.x destination static KPN KPN

Then a "clear xlate" after the changes above.

Assuming that you are trying to trigger traffic from x.x.x.0/24 network towards either d.d.d.d or a.a.a.a

Hope that helps.

CreatePlease to create content