Cisco Support Community
New Member

ASA 5505 and some strange configuration


I'm trying to set up an ASA 5505 with some kind of strange NAT.

This is the situation right now:

net inside------------------------------------[ASA 5505]------------------------------------------[ISP router]

(                        |        75.XXX.XXX.61            75.XXX.XXX.57



                                                                 [cisco device]-------------------------net vpn


Between the Cisco device and my ASA there's a VPN and it's working great.

What I wanted to do was to NAT everything coming from the net vpn ( to the inside interface on the ASA.

I did it and it works.

But what I cannot make work is that from my net ( I cannot ping any host on the net vpn  (

In the config I did so:

access-list nonat extended permit ip
access-list outside_crypto_map_20 extended permit ip

global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1
nat (outside) 2 outside

Thanks for the help.


New Member

Re: ASA 5505 and some strange configuration

It seems that you are using OUTSIDE NAT to PAT all the traffic coming from client network 192.168.200.x to the inside interface IP.

Whenever any host from the 192.168.200.x network initiates a connection to the inside network, an XLATE entry is created in the firewall and the client can access anything on the inside network, since the firewall is a stateful device.

But if someone tries to initiate a connection from the inside network to the client network 192.168.200.x, it cannot find the IP based on port-based translations, so it will work only one way!



New Member

Re: ASA 5505 and some strange configuration

Thank you... that was what I was thinking too.

But if something is coming from the inside net, shouldn't it match the nat 0 access-list?

And then don't apply nat on those packets?

