

Cisco ASA site to site VPN NAT problem

Posted on 2011-02-28
Medium Priority
Last Modified: 2012-05-11
I'm having a problem getting a site to site VPN working properly. Actually, I can get the VPN to work fine, I just can't access the Internet after I get it working. I've tried several things so far, so hopefully the config isn't too goofy. It's been a long day :-)

Here's what I'm trying to do.

We are on a subnet (of course). Our vendor is on a subnet. In order for this to work, they requested we nat our subnet to

Right now, I can ping an endpoint on the other side of the tunnel just fine...but I can't get out to the Internet. This obviously has something to do with the NAT'ing.

I have a 1 to 1 NAT configured for testing (my laptop Note the line:
static (inside,outside) netmask

I need any host on my internal network to get NAT'd to the network for the VPN. Hopefully I don't need to create 50 statements like the one above.

Also note the line:
global (outside) 1 x.x.x.18

Usually I would put global (outside) 1 interface on this line. This was changed a few times during troubleshooting but I wanted to post my current config so I left this as is.

I know this is easy for someone, and I'm also sure I've spent way too much time on this...so I'm probably doing something that doesn't make sense. Any help is appreciated.

ASA Version 8.2(1) 
hostname ASA
enable password ew5hA7chK3mG.KBz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan1
 no nameif
 no security-level
 no ip address
interface Vlan10
 nameif inside
 security-level 100
 ip address 
interface Vlan11
 nameif outside
 security-level 0
 ip address x.x.x.17 
interface Ethernet0/0
 switchport access vlan 11
interface Ethernet0/1
 switchport access vlan 10
interface Ethernet0/2
 switchport access vlan 10
interface Ethernet0/3
 switchport access vlan 10
interface Ethernet0/4
 switchport access vlan 10
interface Ethernet0/5
 switchport access vlan 10
interface Ethernet0/6
 switchport access vlan 10
interface Ethernet0/7
 switchport access vlan 10
ftp mode passive
clock timezone cdt -6
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in extended permit icmp any any echo-reply 
access-list outside_in extended permit icmp any any time-exceeded 
access-list outside_in extended permit icmp any any unreachable 
access-list VPN_splitTunnelAcl standard permit 
access-list inside_nat0_outbound extended permit ip 
access-list outside_1_cryptomap extended permit ip 
access-list nat2outside extended permit ip any 
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool VPNPool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 x.x.x.18
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list nat2outside
static (inside,outside) netmask 
access-group outside_in in interface outside
route outside x.x.x.22 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer x.x.x.134 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 dns-server value
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
 default-domain value domain.local

tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 address-pool VPNPool
 default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.134 type ipsec-l2l
tunnel-group x.x.x.134 ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
service-policy global_policy global
prompt hostname context 
: end


Question by:FIFBA

Expert Comment

ID: 35007224
Static NAT won't work for this, because it will NAT all traffic going in that direction regardless of the destination.

You need policy NAT, where you use an access-list list.

If you need for the vendor to be able to initiate traffic, I think there's a way to accomplish it, but I'll have to do some digging.

Assisted Solution

ullas_unni earned 400 total points
ID: 35008063
The reason you lost Internet connectivity is because you have static (inside,outside) netmask which takes precedence over your nat (inside) global (outside).

you can try this:

access-list vpn_nat permit ip

static(inside,outside) access-list vpn_nat  

this might help you.

Accepted Solution

Jimmy Larsson, CISSP, CEH earned 1600 total points
ID: 35008437
As far as I can see this question is not neglected. Both answers above are relevant and should be rewarded, imho.

Best regards

Author Comment

ID: 35008675
Thanks for the help so far. Not sure where the 'neglected' comment came from. I never classified this as such. Anyway, if I understand correctly I need to get rid of the static NAT and modify my nat/global statements to look something like this...

access-list vpn_nat permit ip
static(inside,outside) access-list vpn_nat
nat (inside) 1 0 0
global (outside) 1 interface

Is this correct?


Assisted Solution

Jimmy Larsson, CISSP, CEH earned 1600 total points
ID: 35008695
Yes, it looks valid and correct.
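Why the plain static broke Internet access while the accepted policy-static form does not, as an added illustration that is not part of the thread: a small Python model of the pre-8.3 ASA NAT order of operations, run over constructed documentation addresses because the thread's own were redacted. The only values taken from the posted config are the outside interface x.x.x.17 and the global address x.x.x.18; everything else is a stand-in.

```python
import ipaddress

# Constructed sample addressing (RFC 5737 / RFC 2544 documentation ranges); the
# addresses in the original post were redacted, so these stand in for them.
INSIDE  = "192.0.2.0/24"      # the poster's LAN
VPN_NAT = "198.51.100.0/24"   # range the vendor asked the LAN to be NAT'd to
VENDOR  = "203.0.113.0/24"    # vendor hosts reached through the L2L tunnel
LAPTOP, OTHER_HOST, VENDOR_HOST = "192.0.2.10", "192.0.2.77", "203.0.113.5"
INTERNET_HOST = "198.18.0.1"  # stand-in for any public Internet destination

# Pre-8.3 ASA NAT precedence: exemption (nat 0), then static (plain or policy),
# then policy dynamic, then regular dynamic. Rules are evaluated in this order.
PRECEDENCE = {"exempt": 0, "static": 1, "policy_static": 1,
              "policy_dynamic": 2, "dynamic": 3}

def rule(kind, src, mapped=None, dst=None):
    """One NAT rule: 'mapped' is a network for one-to-one rules, a single address for PAT, None for nat 0."""
    return {"kind": kind, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst) if dst else None,
            "mapped": ipaddress.ip_network(mapped) if mapped and "/" in mapped else mapped}

def translate(src, dst, rules):
    """Return (kind of the matching rule, translated source) for one inside->outside flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: PRECEDENCE[r["kind"]]):
        if src not in r["src"] or (r["dst"] is not None and dst not in r["dst"]):
            continue
        if r["kind"] == "exempt":
            return ("exempt", str(src))
        if r["kind"] in ("static", "policy_static"):
            # one-to-one: the host keeps its offset inside the mapped block
            return (r["kind"], str(r["mapped"][int(src) - int(r["src"].network_address)]))
        return (r["kind"], r["mapped"])
    return ("none", str(src))  # no nat-control in the posted config: pass untranslated

# As posted: a plain static for the laptop plus 'nat (inside) 1' / 'global (outside) 1 x.x.x.18'.
# The static carries no destination, so it also wins for Internet-bound traffic, which then
# leaves sourced from 198.51.100.10, an address that is not valid on the Internet.
AS_POSTED = [rule("static", LAPTOP + "/32", "198.51.100.10/32"),
             rule("dynamic", INSIDE, "x.x.x.18")]

# As accepted: a policy static scoped to the vendor destination, then
# 'nat (inside) 1 0 0' / 'global (outside) 1 interface' for everything else.
AS_ACCEPTED = [rule("policy_static", INSIDE, VPN_NAT, dst=VENDOR),
               rule("dynamic", "0.0.0.0/0", "x.x.x.17")]

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("as accepted", AS_ACCEPTED)):
        for host, dst in ((LAPTOP, VENDOR_HOST), (LAPTOP, INTERNET_HOST), (OTHER_HOST, VENDOR_HOST)):
            print(f"{name}: {host} -> {dst}: {translate(host, dst, rules)}")
```

The third flow in the loop (a second LAN host toward the vendor) shows why the single policy static covers the whole /24 and no per-host statements are needed.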

