Cisco Support Community

ASA - how to allow global NAT and AnyConnect VPN through border and external interfaces?

ISP provided redundant links that route our public IP space through a border network.  The 2 ISP handoffs go into a pair of 3750 switches, layer 2, and the switches uplink to an active/standby ASA pair.


The ASA outside interface, Gi 0/0, has an IP address in the border network.  The ASA inside interface, Gi 0/1, has an IP address in our public IP block.  Our internal private networks are subinterfaces, Gi 0/1.1 and Gi 0/1.2.  ISP routes our public IP space to the IP assigned to Gi 0/1.  The default route out the ASA points to the ISP border gateway VIP.  We have verified internet traffic is routing properly.


But what I am having trouble with is getting both a global NAT to allow all private nodes access to the internet, and AnyConnect VPN to respond on Gi0/1.  Your typical configuration examples have a public IP address on the outside, and private IP on the inside.  In our case we also have the "border" network to deal with.  Can anyone point me in the right direction?


For example:


Gi 0/0 - (border network - this is really a public IP but using private for example) security level 0

Gi 0/1 - (our public IP block - again this is really a public) security level 1

Gi 0/1.1 - (internal private network) security level 100


ISP border VIP is - ASA default route is to

ISP routes to

When setting up AnyConnect to listen on, it does not respond to requests over the internet.

I can put a system on on an internal switch behind the firewall, open firewall ports, and access it over the internet, confirming the routing is working properly.
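For reference, here is the "typical configuration" pattern the question refers to, written out as an added example; it is not from the original post or from Cisco, and it uses placeholder interface names, VLAN ids, addresses and a placeholder AnyConnect package name. It shows the two pieces the poster wants to combine on an ASA running 8.3 or later: interface PAT for the internal network, and the AnyConnect (SSL VPN) listener with a NAT exemption for the VPN pool. It does not attempt to solve the border-network layout in the question; in this standard form the listener is enabled on the interface that actually receives the internet traffic and answers on that interface's own address.

```cisco
! Added example (not the poster's configuration). ASA 8.3+ syntax.
! All names, VLAN ids, addresses and the package filename are placeholders.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address <border-network-ip> <mask>
!
interface GigabitEthernet0/1
 nameif public
 security-level 1
 ip address <public-block-ip> <mask>
!
interface GigabitEthernet0/1.1
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Global (interface) PAT: every inside host leaves using the outside interface address
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! AnyConnect address pool, exempted from NAT so VPN clients reach inside hosts
! with their pool addresses intact
ip local pool ANYCONNECT-POOL 192.168.50.10-192.168.50.100 mask 255.255.255.0
object network ANYCONNECT-POOL-NET
 subnet 192.168.50.0 255.255.255.0
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static ANYCONNECT-POOL-NET ANYCONNECT-POOL-NET no-proxy-arp route-lookup
!
! AnyConnect listener on the interface that receives the internet traffic
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-placeholder.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value ANYCONNECT-POOL
!
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-TG webvpn-attributes
 group-alias anyconnect enable
```

Two checks worth running after applying something like this: `show nat detail` should show hits on the dynamic rule as inside hosts browse, and `show run webvpn` should list the interface the listener is enabled on. The NAT exemption is listed before the object NAT on purpose: manual (twice) NAT entered in section 1 is evaluated before the object NAT in section 2, so VPN-to-inside traffic is not caught by the interface PAT.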