ASA simple routing problem

janos.csaszar
Level 1

Hello,

I'm sure, the problem is not a big one, however I'm stuck for now.

I managed to configure an ASA 5505 under home circumstances, with an ADSL internet connection. All went smoothly: I could reach the internet, and could reach the device from the internet.

The device is now deployed in a server park, with an internet connection through a fixed IP; the first hop is a switch of the ISP.

The other side is a small LAN.

I can remotely manage the device, and even port forwarding to the LAN works; however, there is no LAN communication with the WAN. I cannot ping and/or reach anything outside.

I added one static route on the outside, pointing to my ISP switch.

On the LAN I gave the inside leg of the ASA as the default gateway.

Could someone give me some clue where to proceed?

Thank you in advance!


16 Replies

Pravin Phadte
Level 5
(Accepted Solution)

Hi,

Do you have NAT configured?

If configs are provided it would be easier to guide you.

Regards,

Hi,

Thank you for your reply!

You are probably right.

In the meantime I started to compare the old "working" config and the live one, and realized that I am missing NAT.

I will give it a try late tonight and will let you know.

Thanks again!

These are the config lines you should be looking at:

access-list NoNAT extended permit ip
nat (inside) 0 access-list NoNAT
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Hope this helps

Hello,

I have only the global line, but the working config only had the nat line, nothing else.

Do I really need the two you mentioned above?

If so, which IP and mask (and which IP and mask) do I need?

Thanks again!

Could you please post your ASA configuration? You can alter some information such as public IP addresses and so on.

Regards,

! Inside (LAN) interface
interface Vlan1
 nameif inside
 security-level 100
 ip address
 no shutdown
!
! Outside (WAN) interface
interface Vlan2
 nameif outside
 security-level 0
 ip address
 no shutdown
!
! Physical port facing the ISP switch
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
! Physical port facing the LAN
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
!
management-access inside
!
! Default route to the provider
route outside 0.0.0.0 0.0.0.0 1
!
! ASDM access
asdm image disk0:/asdm-611.bin
asdm history enable
!
! NAT translation for Internet access (nat id 1 pairs with global id 1)
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! NAT exempt configuration (traffic matching the ACL is not translated)
access-list nonat_acl extended permit ip any 192.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat_acl
!
! Specification of what to encrypt
access-list outside_100_cryptomap extended permit ip 192.0.0.0 255.0.0.0
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map outside_map 100 match address outside_100_cryptomap
crypto map outside_map 100 set peer
crypto map outside_map 100 set pfs
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
!
tunnel-group 209.235.2.6 type ipsec-l2l
tunnel-group 209.235.2.6 ipsec-attributes
 pre-shared-key testtest

Hope this helps.
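The two answers above both hinge on the same pre-8.3 ASA rule: a `nat (iface) N ...` statement only translates anything when a `global (iface) N ...` with the same id exists, a `global` with no matching `nat` is never used, and `nat (iface) 0 access-list NAME` and `crypto map ... match address NAME` must point at an ACL that is actually defined. The checker below is an added example written for this thread, not code from the original posts or from Cisco; it parses a pasted config with a few regexes and reports exactly the mismatch the original poster had (a `global` line with no `nat` line). The sample configs inside it are constructed for the test; the 10.1.1.0/24 and 10.2.2.0/24 networks are placeholders, not the poster's addressing.

```python
"""Consistency checker for pre-8.3 ASA NAT statements (added example, not from the thread)."""
import re
from typing import Dict, List, Set, Tuple

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.+)$")
ACL_RE = re.compile(r"^access-list (\S+) ")
CRYPTO_MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def check_nat(config: str) -> List[str]:
    """Return a list of findings; an empty list means the nat/global/ACL references line up."""
    nat_ids: Dict[int, List[Tuple[str, str]]] = {}      # id -> [(iface, rest)]
    global_ids: Dict[int, List[Tuple[str, str]]] = {}   # id -> [(iface, rest)]
    acls: Set[str] = set()
    exempt_refs: List[Tuple[str, str]] = []             # (iface, acl) from "nat (x) 0 access-list"
    crypto_refs: List[str] = []

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):            # skip blanks and comments
            continue
        if m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := NAT_RE.match(line):
            iface, nid, rest = m.group(1), int(m.group(2)), m.group(3)
            if nid == 0:
                # nat 0 is exemption/identity NAT: it needs no global, but an ACL form must exist
                parts = rest.split()
                if parts[0] == "access-list" and len(parts) > 1:
                    exempt_refs.append((iface, parts[1]))
            else:
                nat_ids.setdefault(nid, []).append((iface, rest))
        elif m := GLOBAL_RE.match(line):
            global_ids.setdefault(int(m.group(2)), []).append((m.group(1), m.group(3)))
        elif m := CRYPTO_MATCH_RE.match(line):
            crypto_refs.append(m.group(1))

    findings: List[str] = []
    for nid, entries in nat_ids.items():                # nat without a global: nothing to translate to
        if nid not in global_ids:
            for iface, rest in entries:
                findings.append(
                    f"nat ({iface}) {nid} {rest}: no 'global' with id {nid}, hosts it matches get no translation")
    for gid, entries in global_ids.items():             # global without a nat: the poster's situation
        if gid not in nat_ids:
            for iface, rest in entries:
                findings.append(
                    f"global ({iface}) {gid} {rest}: no 'nat' with id {gid}, so inside hosts are never "
                    f"translated toward {iface} (dropped with nat-control, otherwise sent with private source)")
    for iface, name in exempt_refs:                     # dangling NAT-exempt ACL
        if name not in acls:
            findings.append(f"nat ({iface}) 0 references undefined access-list {name}")
    for name in crypto_refs:                            # dangling crypto ACL
        if name not in acls:
            findings.append(f"crypto map match address references undefined access-list {name}")
    return findings


# Constructed sample: what the original poster described (only the global line present).
BROKEN_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 1
global (outside) 1 interface
"""

# Constructed sample: the fix, plus a NAT-exempt ACL for a hypothetical 10.2.2.0/24 VPN network.
FIXED_CONFIG = """\
route outside 0.0.0.0 0.0.0.0 1
access-list nonat_acl extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat_acl
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_nat(cfg) or "OK")
```

This is only a reference check: it says nothing about whether the ACL contents are right, and nothing about the policy weaknesses visible in the template above (3DES/SHA-1/DH group 2 and a placeholder pre-shared key), which a deployment should replace before going live.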

The nat (inside) 1 0.0.0.0 0.0.0.0 should work. Just to narrow this down, I would first change the nat (inside) 1 to the inside address, such as

nat (inside) 1 10.1.1.0 255.255.255.0

Also, you might want to enable logging so that you can see what is taking place.

show xlate will show you the NAT translations.

Yes, it will, but you want to find out why the internal LAN is being blocked. I don't see a route inside command in your config, so I can only assume that the inside is on the same subnet as the VLAN1 address.

Enable logging to see why the traffic is being denied. You can use ASDM as well.

The route inside would depend on your network setup.

best of luck

Hi Pravinxyz,

I totally agree with you. I actually thought the posting was from the original poster; I didn't realize it was you replying :-)

Hi,

Thanks, I really appreciate your good help!

Will inform later.

Hi,

It is my pleasure to let you know that I inserted the single NAT line, and can now reach the WAN.

Thank you! You saved my day.

That's good.

Nice to see that it's working.
