How to Configure Cisco ASA 5505 to support VPN with 1-to-1 NAT

Posted on 2010-09-09
Last Modified: 2012-06-21
I have a Cisco ASA 5505 that I need to configure for a VPN (LAN-to-LAN) connection between a local office and a remote facility.  The problem is that the remote facility is requiring me to use a different IP address for the local server, so I am assuming NAT needs to be involved.

Basically, a single local server (LOCAL_SERVER) needs bi-directional communicate with 3 remote servers (REMOTE_SERVER1, 2, 3).  The remote servers need to "think" they are talking with a translated address (LOCAL_SERVER_NAT).

My present configuration is not working and I don't trust that I have the config correct.  Can someone please examine the config and tell me what needs to change?

Result of the command: "show running-config"

: Saved
ASA Version 7.2(4)
hostname ciscoasa
domain-name XXXXX
enable password XXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
name LOCAL_SERVER description Local server that will be communicating via VPN
name REMOTE_SERVER1 description Remote server to communicate via VPN
name REMOTE_SERVER2 description Remote server to communicate via VPN
name REMOTE_SERVER3 description Remote server to communicate via VPN
name LOCAL_SERVER_NAT description Translated IP for LOCAL_SERVER to communicate via VPN

interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxx.local
object-group service RDP tcp
 description RDP
 port-object eq 3389
object-group service MedTrak tcp
 description MedTrak
 port-object eq 9091
object-group service 3390 tcp
 description 3390
 port-object eq 3390
object-group network REMOTE_SERVERS
 description Remote servers involved in VPN communications
 network-object host REMOTE_SERVER3
 network-object host REMOTE_SERVER1
 network-object host REMOTE_SERVER2
access-list outside_access_in extended permit tcp any host dbServer eq 3389
access-list outside_access_in extended permit tcp any host dbServer eq 9091
access-list outside_access_in extended permit tcp any host dbServer eq 3390
access-list outside_in extended permit tcp any interface outside eq 3389
access-list outside_in extended permit tcp any interface outside eq 9091
access-list inside_nat_static extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) tcp interface 3389 dbServer 3389 netmask
static (inside,outside) tcp interface 9091 dbServer 9091 netmask
static (inside,outside) LOCAL_SERVER_NAT  access-list inside_nat_static
access-group outside_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address inside_nat_static
crypto map outside_map 1 set peer 192.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside
dhcpd dns dbServer interface inside
dhcpd wins dbServer interface inside
dhcpd lease 1048575 interface inside
dhcpd ping_timeout 900 interface inside
dhcpd domain xxxxx.local interface inside
dhcpd enable inside

tunnel-group 192.xx.xx.xx type ipsec-l2l
tunnel-group 192.xx.xx.xx ipsec-attributes
 pre-shared-key *
prompt hostname context
: end
Question by:quibbly
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3

Accepted Solution

ullas_unni earned 500 total points
ID: 33639967
change the below acl

access-list inside_nat_static extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS


access-list inside_nat_static extended permit ip host LOCAL_SERVER_NAT object-group REMOTE_SERVERS

and create another acl..something like this:

access-list inside_nat extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS
and use it for the static:

static (inside,outside) LOCAL_SERVER_NAT  access-list inside_nat

Expert Comment

ID: 33640021
dont forget your nonat command

access-list nonat extended permit ip

Expert Comment

ID: 33640039
so the policy nat should have access-list from local ip to remote server


crypto acl ie. inside_nat_static should have entry for traffic from nat ip to remote server.

Expert Comment

ID: 33640095
why do we need no nat when he wants to do the nat??

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question