I am trying to configure a remote access VPN on a PIX ASA (8.x code). The ASA also has a site to site VPN terminating to it. I've got the remote subnet that comes in over the site to site tunnel working so that there is no NAT when talking to the inside subnet off the ASA. However, I'm also trying to bypass NAT for the remote access subnet (IPs assigned through a pool). Near as I can tell, when I successfully connect via the Cisco VPN client, I cannot communicate with the inside subnet off the ASA. When I issue a ping from the VPN client to a host on the inside of the ASA, I can see the reply come back from the host, but instead of bypassing NAT on the ASA it gets translated to the outside interface address (as if it was the inside host initiating a connection to the outside world). I've never set up an ASA to do both site to site and remote access, so I've probably messed something up. Like I said, the site to site connection works fine; it's the remote access that fails to bypass NAT. I'm attaching the config. Any help is appreciated.
no crypto map mcmap 22 ipsec-isakmp dynamic dyn1
crypto map mcmap 1 ipsec-isakmp dynamic dyn1
Dynamic map entries should be on top in priority sequence.
Also, I don't think you need to set reverse-route because you're not running RIP or OSPF on the firewall, so it doesn't really matter (although I don't think it's hurting anything).
And per the other poster below, change your VPN pool and the corresponding nonat ACL entry; that's definitely not helping.
Why are you using addresses from the GigabitEthernet0/2 interface for the VPN pool?
And you should not use the nonat ACL for the L2L tunnel; create a new one that only defines the tunnel traffic and not the remote VPN pool.
Thanks both for the replies. OK, I changed the pool to a 192.168.250.0 network. But if I change the L2L tunnel NAT, how do I also do a separate NAT 0 for the remote access tunnel? I can only put in one nat 0 statement. I need the L2L tunnel subnet (192.168.2.0/24) to access the inside without NAT, and I need the remote access tunnel subnet (192.168.250.0/24) to access the inside without NAT. How do I accomplish this? Thanks again.
I see a problem with the nonat ACL subnet:
access-list nonat extended permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0
The inside interface has a subnet mask of 255.255.248.0.
Thanks, I corrected it, but the remote access VPN is still not working. Looks like when the VPN client initiates a connection inside I see it happen in the logs, but when the response comes back it's getting PAT'd to the interface address.
What I don't understand is how does the remote access VPN know not to NAT? With the L2L VPN, you define the "match" statement and tell it to use the nonat ACL.
Your NAT related config should look like this:
access-list nonat extended permit ip 10.1.100.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list nonat extended permit ip 10.1.96.0 255.255.248.0 192.168.2.0 255.255.255.0
access-list l2l_vpn extended permit ip 10.1.96.0 255.255.248.0 192.168.2.0 255.255.255.0
crypto map mcmap 21 match address l2l_vpn
no crypto map mcmap 21 match address nonat
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.96.0 255.255.248.0
Do not forget to issue "clear xlate" after any change to NAT config.
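As an added illustration of the two mistakes this thread works through (the NAT-exempt ACL reused as the L2L crypto map match ACL, and a nat 0 entry whose source does not cover the whole inside subnet), here is a small audit script that is not part of the original post. It parses a constructed ASA 8.x config excerpt modelled on the thread and reports both conditions; the interface stanza and peer address are assumptions, not from the page.

```python
import re
from ipaddress import IPv4Network

# Constructed config excerpt (not the poster's actual config): the "nonat" ACL is
# used both for NAT exemption and as the L2L crypto map match ACL, and its first
# entry uses a /24 source where the inside interface is a /21.
SAMPLE_CONFIG = """
interface GigabitEthernet0/1
 nameif inside
 ip address 10.1.96.1 255.255.248.0
access-list nonat extended permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.96.0 255.255.248.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.96.0 255.255.248.0
global (outside) 1 interface
crypto map mcmap 21 match address nonat
crypto map mcmap 21 set peer 203.0.113.10
"""

def audit_nat_exempt(config: str) -> list[str]:
    """Return findings about NAT-exemption (nat 0) ACL usage in an ASA 8.x config."""
    findings, nameif, inside_net = [], None, None
    acl_entries = {}   # ACL name -> [(src_network, dst_network), ...]
    exempt_acls = {}   # ACL name used by "nat (iface) 0 access-list" -> iface
    match_refs = []    # (crypto map name, seq, ACL name) from "match address"
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and nameif == "inside":
            inside_net = IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acl_entries.setdefault(m.group(1), []).append(
                (IPv4Network(f"{m.group(2)}/{m.group(3)}"), IPv4Network(f"{m.group(4)}/{m.group(5)}")))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            exempt_acls[m.group(2)] = m.group(1)
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            match_refs.append(m.groups())
    # Mistake 1: the exemption ACL doubles as a crypto map match ACL, so every
    # exempt flow (including the remote access pool) is treated as L2L interesting traffic.
    for cmap, seq, acl in match_refs:
        if acl in exempt_acls:
            findings.append(f"crypto map {cmap} {seq} reuses NAT-exempt ACL {acl}; "
                            "use a dedicated ACL listing only the L2L tunnel traffic")
    # Mistake 2: an exemption entry whose source is narrower than the inside subnet
    # leaves the other inside hosts falling through to "nat (inside) 1" and interface PAT.
    for acl, iface in exempt_acls.items():
        for src, dst in acl_entries.get(acl, []):
            if iface == "inside" and inside_net is not None and src != inside_net:
                findings.append(f"{acl}: source {src} does not cover inside subnet {inside_net}; "
                                f"replies to {dst} from other inside hosts will be PAT'd")
    return findings
```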
Thank you for your assistance. It is now working fine. My mistake apparently was not creating a separate ACL for the L2L match statement in the crypto map.