Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN Client on the inside of ASA

I have an ASA 5510 with multiple site-to-site VPNs. I have these global and NAT statements

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101

This is working fine as is.

I need to load an ATT VPN client on an inside PC to access a number of servers on the ATT network. They have given me a list of ports and servers that this client need to access. See my config (access-list 110)in the attached file -asaconfig.

Seems like in addition to the access list I need a static translation for the PC running the VPN client and these ports should be open to that translated address. As soon as I add the static translation for the inside PC ( to this inside PC stops being able to access the internet. I have tried adding a second global pool -

global (outside) 102 and a nat(inside) 102 but this still does not allow outside access.

Am I wrong in thinking I need a static translation and why does Internet access cease after the translation?

New Member

Re: VPN Client on the inside of ASA


when u configured the static natting for the pc then pc will be able to access the internal fron inside to outside . but it need outside to inside access through access-list.

New Member

Re: VPN Client on the inside of ASA

Thanks for the reply.

I tried that. I did the static nat -

static(inside,outside) netmask


access-list 110 extended permit ip any host (for testing purposes.)

This is an existing outside to inside access list. Whith these two commands the PC with internal IP is unable to access the internet.

New Member

Re: VPN Client on the inside of ASA

dont mix up the things. Earlier you want to access inside to dmz and vice versa.

Just do it step by step.

first verify that you are your pix has defualt route and ping the ISP from pix. then from client ping pix inside interface.

then configure static no need to configure access-list for Internet access.

Give the client with dns address of ISP if you have no local dns. try with ISP provided DNS on client pc.

if not work then do with nat

nat (inside) 1 0 0

global(outside) 1 interface

ip route outside

clear arp

clear xlate

sh xlate

sh conn

This is simple configuration, it should work both with static or nat.

Try this and then let me know

New Member

Re: VPN Client on the inside of ASA

I believe this was a response to someone else's issue.

I have an ASA with a number of site-to-site VPN connections. Inside clients can access the Internet fine. Site-to-site VPN connections are working fine. I want to use an ATT VPN client from inside to access a number of AT&T servers. (Ports 709 for CA server, ESP for IPsec auth, etc.) AT&T does not support UDP encapsulation or NAT-T.

I have tried doing a static translation for the inside PC that has the At&T client loaded and then allowing all IP traffic in to that public translated IP. (I have also allowed protocol 50 and 51.) The result is this PC is now unable to access anything outside. I remove the static and outside access is restored.