VPN - NAT help needed

This is what I have.

Internal Network:

Outside patted interface:

ASA5520 setup for VPN.

ASA5520 gives out IP

Split-tunneling is enabled and tunnels

In the split-tunnel list I also add a public IP

I connect with the VPN and get IP which is correct.

I see that VPN has created routes for me: / 24 via / 16 via / 24 via

My objective is to access from the VPN as if it is coming from the patted ( outside interface on the firewall.

Using the VPN wizard I get an exemption for any traffic to

Keep in mind all traffic uses pat for internet access.

I try accessing on port 80 and get this.

6|Dec 19 2007|14:25:08|106015|||Deny TCP (no connection) from to flags ACK on interface outside

6|Dec 19 2007|14:25:06|302013|||Built inbound TCP connection 224060 for outside: ( to outside: ( (user)

Is there any way I can fix this without disabling split-tunneling?

Do I need some natting somewhere?


Re: VPN - NAT help needed

So what you are saying is that you have something like this...

static (inside,outside) 192.168.x.x netmask

If so then you will need to do something like this to your nat exemption acl...

access-list nat0 extended deny ip host 192.168.x.x

access-list nat0 extended permit ip

The problem is that the traffic from the server to the VPN client is exempted from NAT; adding the deny statement will allow it to be NATed.
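The configuration the reply describes, written out as an added example (not the poster's or the replier's config) with constructed placeholder addresses, so that the ordering of the deny and permit entries in the exemption ACL and the split-tunnel list are visible together:

```cisco
! Constructed placeholder addresses (RFC 5737 / RFC 1918), not the poster's:
!   192.168.10.0/24   internal LAN
!   192.168.10.5      internal server that has a one-to-one static
!   203.0.113.5       the server's public (static) address
!   192.168.20.0/24   VPN client pool
!   outside interface address is used for PAT

! Split-tunnel list: clients only send traffic for these destinations
! through the tunnel. The server's public address is listed so the client
! reaches it via the ASA rather than over the Internet.
access-list split-tunnel standard permit 192.168.10.0 255.255.255.0
access-list split-tunnel standard permit host 203.0.113.5

! NAT exemption ACL. The ACL is evaluated top-down and the first match
! wins, so the deny for the static host must come BEFORE the broad
! permit; otherwise server->client traffic is exempted from NAT and the
! reply leaves with the server's private source address, which the
! client never expects (it connected to 203.0.113.5).
access-list nat0 extended deny ip host 192.168.10.5 192.168.20.0 255.255.255.0
access-list nat0 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nat0

! The one-to-one static that the VPN clients address the server by
static (inside,outside) 203.0.113.5 192.168.10.5 netmask 255.255.255.255

! PAT for everything else going to the Internet
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0

! Client traffic to the public address enters and exits the outside
! interface (the log shows an outside -> outside connection); the ASA
! only allows that with this command (assumed to already be present).
same-security-traffic permit intra-interface
```

After the change, a client connection to 203.0.113.5 should show up in the logs as a single built connection with the reply translated back to the static address, rather than the "Deny TCP (no connection)" message for the untranslated return packet.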