How to Configure Cisco ASA 5505 to support VPN with 1-to-1 NAT

Posted on 2010-09-09
Last Modified: 2012-06-21
I have a Cisco ASA 5505 that I need to configure for a VPN (LAN-to-LAN) connection between a local office and a remote facility.  The problem is that the remote facility is requiring me to use a different IP address for the local server, so I am assuming NAT needs to be involved.

Basically, a single local server (LOCAL_SERVER) needs to communicate bi-directionally with 3 remote servers (REMOTE_SERVER1, 2, 3).  The remote servers need to "think" they are talking with a translated address (LOCAL_SERVER_NAT).

My present configuration is not working and I don't trust that I have the config correct.  Can someone please examine the config and tell me what needs to change?

Result of the command: "show running-config"

: Saved
ASA Version 7.2(4)
hostname ciscoasa
domain-name XXXXX
enable password XXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
name LOCAL_SERVER description Local server that will be communicating via VPN
name REMOTE_SERVER1 description Remote server to communicate via VPN
name REMOTE_SERVER2 description Remote server to communicate via VPN
name REMOTE_SERVER3 description Remote server to communicate via VPN
name LOCAL_SERVER_NAT description Translated IP for LOCAL_SERVER to communicate via VPN

interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxx.local
object-group service RDP tcp
 description RDP
 port-object eq 3389
object-group service MedTrak tcp
 description MedTrak
 port-object eq 9091
object-group service 3390 tcp
 description 3390
 port-object eq 3390
object-group network REMOTE_SERVERS
 description Remote servers involved in VPN communications
 network-object host REMOTE_SERVER3
 network-object host REMOTE_SERVER1
 network-object host REMOTE_SERVER2
access-list outside_access_in extended permit tcp any host dbServer eq 3389
access-list outside_access_in extended permit tcp any host dbServer eq 9091
access-list outside_access_in extended permit tcp any host dbServer eq 3390
access-list outside_in extended permit tcp any interface outside eq 3389
access-list outside_in extended permit tcp any interface outside eq 9091
access-list inside_nat_static extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) tcp interface 3389 dbServer 3389 netmask
static (inside,outside) tcp interface 9091 dbServer 9091 netmask
static (inside,outside) LOCAL_SERVER_NAT  access-list inside_nat_static
access-group outside_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address inside_nat_static
crypto map outside_map 1 set peer 192.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside
dhcpd dns dbServer interface inside
dhcpd wins dbServer interface inside
dhcpd lease 1048575 interface inside
dhcpd ping_timeout 900 interface inside
dhcpd domain xxxxx.local interface inside
dhcpd enable inside

tunnel-group 192.xx.xx.xx type ipsec-l2l
tunnel-group 192.xx.xx.xx ipsec-attributes
 pre-shared-key *
prompt hostname context
: end
Question by: quibbly

Accepted Solution

ullas_unni earned 500 total points
ID: 33639967
Change the ACL below:

access-list inside_nat_static extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS

to:

access-list inside_nat_static extended permit ip host LOCAL_SERVER_NAT object-group REMOTE_SERVERS

and create another ACL, something like this:

access-list inside_nat extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS

and use it for the static:

static (inside,outside) LOCAL_SERVER_NAT  access-list inside_nat

Expert Comment

ID: 33640021
Don't forget your nonat command:

access-list nonat extended permit ip

Expert Comment

ID: 33640039
So the policy NAT should have an access-list from the local IP to the remote server.


The crypto ACL, i.e. inside_nat_static, should have an entry for traffic from the NAT IP to the remote server.

Expert Comment

ID: 33640095
Why do we need no-NAT when he wants to do the NAT?
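Both the accepted fix and the nonat question above come down to the ASA's order of operations, and both can be checked mechanically. On the ASA (pre-8.3 NAT syntax, which is what 7.2(4) runs), translation happens before the crypto map is consulted, so the crypto ACL named in "match address" has to describe the post-NAT address LOCAL_SERVER_NAT, while the ACL attached to the policy static has to describe the real LOCAL_SERVER; reusing one ACL for both, as in the original config, means the translated packet never matches the crypto ACL and is not encrypted. NAT exemption ("nat (inside) 0 access-list") is evaluated before static policy NAT, so a nonat entry covering LOCAL_SERVER to REMOTE_SERVERS would bypass the policy static rather than help it. Separately, the transform set and ISAKMP policy shown on the page (3DES, MD5, DH group 2) are deprecated; AES with SHA is available even on 7.2. The script below is an added example, not the asker's config or any Cisco tool: it parses the relevant statements of a pre-8.3 ASA config, resolves "name" aliases and network object-groups, and reports those three conditions. The addresses, the nonat lines and the second remote server are constructed placeholders (RFC 5737 ranges), not values from the thread.

```python
"""Added example (not the asker's config or a Cisco tool); addresses are RFC 5737 placeholders."""
from collections import defaultdict
WEAK_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}  # deprecated IPsec transforms
COMMON = """
name 192.0.2.10 LOCAL_SERVER description Local server that will be communicating via VPN
name 203.0.113.21 REMOTE_SERVER1 description Remote server to communicate via VPN
name 203.0.113.22 REMOTE_SERVER2 description Remote server to communicate via VPN
name 198.51.100.10 LOCAL_SERVER_NAT description Translated IP for LOCAL_SERVER
object-group network REMOTE_SERVERS
 network-object host REMOTE_SERVER1
 network-object host REMOTE_SERVER2
"""
BROKEN_NAT = """
access-list inside_nat_static extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS
static (inside,outside) LOCAL_SERVER_NAT access-list inside_nat_static
"""
FIXED_NAT = """
access-list inside_nat_static extended permit ip host LOCAL_SERVER_NAT object-group REMOTE_SERVERS
access-list inside_nat extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS
static (inside,outside) LOCAL_SERVER_NAT access-list inside_nat
"""
CRYPTO = """
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address inside_nat_static
crypto map outside_map 1 set transform-set ESP-3DES-MD5
"""
NAT_EXEMPT = """
access-list nonat extended permit ip host LOCAL_SERVER object-group REMOTE_SERVERS
nat (inside) 0 access-list nonat
"""
BROKEN_CONFIG = COMMON + BROKEN_NAT + CRYPTO  # original post: one ACL as both policy-NAT and crypto ACL
FIXED_CONFIG = COMMON + FIXED_NAT + CRYPTO    # accepted solution: crypto ACL names the translated host

def _endpoint(tok, i):  # raw ACE endpoint at tok[i]: host X | object-group G | any | <net> <mask>
    if tok[i] in ("host", "object-group"):
        return (tok[i], tok[i + 1]), i + 2
    return (("any", "any"), i + 1) if tok[i] == "any" else (("net", tok[i] + "/" + tok[i + 1]), i + 2)

def parse_config(text):  # collect only the statements the checks need; everything else is ignored
    c = {"names": {}, "groups": defaultdict(set), "acls": defaultdict(list),
         "statics": [], "nat0": [], "match": {}, "ts_of": {}, "ts": {}}
    group = None
    for line in filter(str.strip, text.splitlines()):
        tok = line.split()
        group = group if line.startswith(" ") else None  # object-group members are indented
        if tok[0] == "name":                             # name <ip> <alias> [description ...]
            c["names"][tok[2]] = tok[1]
        elif tok[:2] == ["object-group", "network"]:
            group = tok[2]
        elif tok[:2] == ["network-object", "host"] and group:
            c["groups"][group].add(tok[2])
        elif tok[0] == "access-list" and "permit" in tok:
            p = tok.index("permit")                      # ... permit <proto> <src> <dst> ...
            src, j = _endpoint(tok, p + 2)
            c["acls"][tok[1]].append((src, _endpoint(tok, j)[0]))
        elif tok[0] == "static" and tok[3:4] == ["access-list"]:
            c["statics"].append((tok[2], tok[4]))        # policy static: (mapped address, ACL)
        elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:
            c["nat0"].append(tok[4])                     # NAT exemption ACL
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            c["ts"][tok[3]] = tok[4:]
        elif tok[:2] == ["crypto", "map"] and tok[4:6] in (["match", "address"], ["set", "transform-set"]):
            (c["match"] if tok[4] == "match" else c["ts_of"])[(tok[2], tok[3])] = tok[6]
    return c

def resolve(c, spec):  # expand a raw endpoint to its set of addresses, resolving name aliases
    kind, val = spec
    if kind in ("any", "net"):
        return {val}
    return {c["names"].get(h, h) for h in ([val] if kind == "host" else c["groups"].get(val, ()))}

def _overlap(a, b): return "any" in a or "any" in b or bool(a & b)

def check(text):  # apply the three rules; an empty list means the config passes
    c, out = parse_config(text), []
    policy = [(resolve(c, s), resolve(c, ("host", m)), resolve(c, d))  # (real sources, mapped, dests)
              for m, acl in c["statics"] for s, d in c["acls"].get(acl, [])]
    for key, acl in c["match"].items():
        tag = "crypto map %s %s" % key
        for s, d in c["acls"].get(acl, []):
            csrc, cdst = resolve(c, s), resolve(c, d)
            # Rule 1: the crypto ACL is evaluated after NAT, so its source must be the mapped address.
            if not any(csrc == m and cdst <= p for _, m, p in policy):
                via = sorted({a for r, m, _ in policy if _overlap(csrc, r) for a in m})
                out.append("%s: %s source %s is not a mapped address (policy NAT turns it into %s), "
                           "so post-NAT packets never match" % (tag, acl, sorted(csrc), via))
        # Rule 3: deprecated algorithms in the transform set bound to this map entry.
        weak = sorted(set(c["ts"].get(c["ts_of"].get(key), [])) & WEAK_ALGS)
        if weak:
            out.append("%s: transform set uses deprecated algorithms %s" % (tag, weak))
    # Rule 2: NAT exemption is evaluated before static policy NAT and would override it.
    for acl in c["nat0"]:
        for s, d in c["acls"].get(acl, []):
            for real, mapped, pdst in policy:
                if _overlap(resolve(c, s), real) and _overlap(resolve(c, d), pdst):
                    out.append("nat 0 %s exempts %s -> %s and defeats the policy static to %s"
                               % (acl, sorted(real), sorted(pdst), sorted(mapped)))
    return out
```

check(BROKEN_CONFIG) reports the original problem (the crypto ACL's source is the real address) plus the 3DES/MD5 transform set; check(FIXED_CONFIG) reports only the transform set; check(FIXED_CONFIG + NAT_EXEMPT) shows why the nonat suggestion would defeat the policy static. The parser deliberately ignores everything else in a running-config, including the dynamic "nat (inside) 1" / "global" pair, so it says nothing about flows that are not covered by a policy static.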
