Cisco ASA site to site VPN NAT problem

Posted on 2011-02-28
Medium Priority
Last Modified: 2012-05-11
I'm having a problem getting a site to site VPN working properly. Actually, I can get the VPN to work fine, I just can't access the Internet after I get it working. I've tried several things so far, so hopefully the config isn't too goofy. It's been a long day :-)

Here's what I'm trying to do.

We are on a subnet (of course). Our vendor is on a subnet. In order for this to work, they requested we nat our subnet to

Right now, I can ping an endpoint on the other side of the tunnel just fine...but I can't get out to the Internet. This obviously has something to do with the NAT'ing.

I have a 1 to 1 NAT configured for testing (my laptop). Note the line:
static (inside,outside) netmask

I need any host on my internal network to get NAT'd to the network for the VPN. Hopefully I don't need to create 50 statements like the one above.

Also note the line:
global (outside) 1 x.x.x.18

Usually I would put global (outside) 1 interface on this line. This was changed a few times during troubleshooting but I wanted to post my current config so I left this as is.

I know this is easy for someone, and I'm also sure I've spent way too much time on this...so I'm probably doing something that doesn't make sense. Any help is appreciated.

ASA Version 8.2(1) 
hostname ASA
enable password ew5hA7chK3mG.KBz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan1
 no nameif
 no security-level
 no ip address
interface Vlan10
 nameif inside
 security-level 100
 ip address 
interface Vlan11
 nameif outside
 security-level 0
 ip address x.x.x.17 
interface Ethernet0/0
 switchport access vlan 11
interface Ethernet0/1
 switchport access vlan 10
interface Ethernet0/2
 switchport access vlan 10
interface Ethernet0/3
 switchport access vlan 10
interface Ethernet0/4
 switchport access vlan 10
interface Ethernet0/5
 switchport access vlan 10
interface Ethernet0/6
 switchport access vlan 10
interface Ethernet0/7
 switchport access vlan 10
ftp mode passive
clock timezone cdt -6
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in extended permit icmp any any echo-reply 
access-list outside_in extended permit icmp any any time-exceeded 
access-list outside_in extended permit icmp any any unreachable 
access-list VPN_splitTunnelAcl standard permit 
access-list inside_nat0_outbound extended permit ip 
access-list outside_1_cryptomap extended permit ip 
access-list nat2outside extended permit ip any 
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool VPNPool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 x.x.x.18
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list nat2outside
static (inside,outside) netmask 
access-group outside_in in interface outside
route outside x.x.x.22 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer x.x.x.134 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 dns-server value
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
 default-domain value domain.local

tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 address-pool VPNPool
 default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.134 type ipsec-l2l
tunnel-group x.x.x.134 ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
service-policy global_policy global
prompt hostname context 
: end


Question by:FIFBA
LVL 28

Expert Comment

ID: 35007224
Static NAT won't work for this, because it will NAT all traffic going in that direction regardless of the destination.

You need policy NAT, where you use an access-list list.

If you need for the vendor to be able to initiate traffic, I think there's a way to accomplish it, but I'll have to do some digging.

Assisted Solution

ullas_unni earned 400 total points
ID: 35008063
The reason you lost Internet connectivity is because you have static (inside,outside) netmask, which takes precedence over your nat (inside) / global (outside).

you can try this:

access-list vpn_nat permit ip

static (inside,outside) access-list vpn_nat

this might help you.
LVL 17

Accepted Solution

Kvistofta earned 1600 total points
ID: 35008437
As far as I can see this question is not neglected. Both answers above are relevant and should be rewarded, imho.

Best regards

Author Comment

ID: 35008675
Thanks for the help so far. Not sure where the 'neglected' comment came from. I never classified this as such. Anyway, if I understand correctly I need to get rid of the static NAT and modify my nat/global statements to look something like this...

access-list vpn_nat permit ip
static (inside,outside) access-list vpn_nat
nat (inside) 1 0 0
global (outside) 1 interface

Is this correct?

LVL 17

Assisted Solution

Kvistofta earned 1600 total points
ID: 35008695
Yes, it looks valid and correct.
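The following is an added example, not code from the thread or from Cisco: a simplified Python model of ASA 8.2 NAT rule selection that shows why the original unconditional static NAT swallowed Internet-bound traffic and why the policy static NAT (matched on the vpn_nat access-list) plus nat (inside) 1 / global (outside) 1 interface proposed above fixes it. The subnets and the outside address are constructed placeholders, since the real ones were stripped from the post, and the rule ordering is a simplified assumption of ASA 8.2 precedence.

```python
"""Simplified model of ASA 8.2 NAT rule selection (added example, not ASA code).
Shows: regular static NAT matches on source only, so Internet traffic also gets
the VPN-facing address; policy static NAT matches source AND destination, so
Internet traffic falls through to the dynamic nat/global PAT rule."""
import ipaddress

# Constructed addresses; the thread's real subnets were stripped from the post.
INSIDE = ipaddress.ip_network("192.168.1.0/24")     # our LAN
VPN_NAT = ipaddress.ip_network("10.200.0.0/24")     # address block the vendor asked us to NAT to
VENDOR = ipaddress.ip_network("172.16.50.0/24")     # vendor side of the tunnel
OUTSIDE_IF = ipaddress.ip_address("203.0.113.17")  # stands in for x.x.x.17 (global ... interface)


def map_1to1(src, real_net, mapped_net):
    """Static NAT: keep the host offset, swap the network prefix."""
    return mapped_net[int(src) - int(real_net[0])]


def rules(policy_static):
    """Ordered NAT rules. Assumed (simplified) ASA 8.2 precedence:
    static (regular or policy) before dynamic nat/global."""
    def static_rule(src, dst):
        if src not in INSIDE:
            return None
        # Regular static: any destination. Policy static: only the vpn_nat ACL
        # destination (the vendor subnet) triggers the translation.
        if policy_static and dst not in VENDOR:
            return None
        return map_1to1(src, INSIDE, VPN_NAT)

    def dynamic_rule(src, dst):
        # nat (inside) 1 0 0 + global (outside) 1 interface: PAT to outside IP
        return OUTSIDE_IF if src in INSIDE else None

    return [("static", static_rule), ("nat 1 / global interface", dynamic_rule)]


def translate(src, dst, policy_static):
    """Return (rule name, translated source) for an inside->outside packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, match in rules(policy_static):
        mapped = match(src, dst)
        if mapped is not None:
            return name, str(mapped)
    return "no-nat", str(src)
```

With the regular static, a packet from 192.168.1.10 to a constructed Internet host leaves sourced from 10.200.0.10 (the non-routable VPN address), which is the symptom in the question; with the policy static it leaves from the outside interface address instead.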

