Cisco Support Community

AnyConnect SSL VPN not working after NAT at IOS router.

Hi All,

I have the setup described below:

Scenario Question 1)

Internal network(10.x.3.209 /26) - (10.x.3.192 /26)FW(10.x.3.33 /27) - (Inside: 10.x.3.36 /27) ASA (Outside: 10.x.3.148 /28)- (10.x.3.145)FW - INTERNET RTR (Static NAT)(60.x.x.61) - ISP - Windows Anyconnect Client

Static NAT at RTR : 60.x.x.61 ==> 10.x.3.148; FW has allow TCP and UDP 443.

My AnyConnect could not connect to my 60.x.x.61.


Scenario Question 2)

But if my AnyConnect Client is at the ASA Outside segment, it is able to get connected and get a VPN pool addr in the Inside network (e.g. 10.x.3.37 /27).

Internal network - FW - (Inside) ASA (Outside)- Windows Anyconnect Client

However, 10.x.3.37 could not ping 10.x.3.209/26. I could ping 10.x.3.209/26 from the ASA Inside IP 10.x.3.36/27.


Can anyone please advise whether my VPN design above is workable, and what possible configuration I should implement to make both scenario questions work? Thanks.


Hi, basically you can have two scenarios.

1] ASA behind router and router connected to ISP

2] ASA connected directly to ISP


Regarding your NAT problems, you didn't mention what type of router you have connected to the ISP. Is it Cisco or another vendor? Can you provide the configuration of your router?

Next, because you are able to connect to the ASA from its outside network, the problem will probably be on the router side. As you mentioned in the subject, you probably have a NAT problem. When you do NAT on the router, is the NATed public IP address the ASA outside interface? Or do you perform PAT?

If possible, please post the configuration of your ASA box.