https://community.cisco.com/t5/network-security/vpn-issue-on-asa/m-p/798610#M983306 <P>I am trying to configure a remote access vpn on a PIX ASA (8.x code). The ASA also has a site to site vpn terminating to it. I've got the remote subnet that comes in over the site to site tunnel working so that it there is no NAT when talking to the inside subnet off the ASA. However, I'm also trying to bypass NAT for the remote access subnet (assigned ip's through a pool). Near as I can tell when I successfully connect via the Cisco VPN client, I cannot communicate with the inside subnet off the ASA. When I issue a ping from the vpn client to a host on the inside of the ASA, I can see the reply come back from the host but instead of bypassing NAT on the ASA, it gets translated to the outside interface address (as if it was the inside host initiating a connectiion to the outside world). I've never setup an ASA to do both site to site and remote access, so I've probably messed something up. Like I said, the site to site connection works fine, it's the remote access that fails to bypass NAT. I'm attaching the config. any help is appreciated.</P><P></P><P></P><P> </P><P></P> Mon, 11 Mar 2019 10:52:01 GMT matthewmphc 2019-03-11T10:52:01Z https://community.cisco.com/t5/network-security/vpn-issue-on-asa/m-p/798610#M983306 <P>I am trying to configure a remote access vpn on a PIX ASA (8.x code). The ASA also has a site to site vpn terminating to it. I've got the remote subnet that comes in over the site to site tunnel working so that it there is no NAT when talking to the inside subnet off the ASA. However, I'm also trying to bypass NAT for the remote access subnet (assigned ip's through a pool). Near as I can tell when I successfully connect via the Cisco VPN client, I cannot communicate with the inside subnet off the ASA. When I issue a ping from the vpn client to a host on the inside of the ASA, I can see the reply come back from the host but instead of bypassing NAT on the ASA, it gets translated to the outside interface address (as if it was the inside host initiating a connectiion to the outside world). I've never setup an ASA to do both site to site and remote access, so I've probably messed something up. Like I said, the site to site connection works fine, it's the remote access that fails to bypass NAT. I'm attaching the config. any help is appreciated.</P><P></P><P></P><P> </P><P></P> Mon, 11 Mar 2019 10:52:01 GMT https://community.cisco.com/t5/network-security/vpn-issue-on-asa/m-p/798610#M983306 matthewmphc 2019-03-11T10:52:01Z https://community.cisco.com/t5/network-security/vpn-issue-on-asa/m-p/798611#M983307 <HTML><HEAD></HEAD><BODY><P>no crypto map mcmap 22 ipsec-isakmp dynamic dyn1</P><P>crypto map mcmap 1 ipsec-isakmp dynamic dyn1</P><P></P><P>dynamic map entries should be on top in priority sequence. </P><P>Also, I don't think you need to set reverse-route because you're not running rip or ospf on the firewall so it doesn't really matter (although I dont think it's hurting anything).</P><P>And per the other poster below, change your vpn pool and the corresponding nonat acl entry - that's definitely not helping.</P></BODY></HTML> Wed, 01 Aug 2007 11:29:38 GMT https://community.cisco.com/t5/network-security/vpn-issue-on-asa/m-p/798611#M983307 srue 2007-08-01T11:29:38Z https://community.cisco.com/t5/network-security/vpn-issue-on-asa/m-p/798612#M983308 <HTML><HEAD></HEAD><BODY><P>Why are you using addresses from the GigabitEthernet0/2 interface for the vpn pool?</P><P></P><P>And you should not use the nonat ACL for the L2L tunnel, create a new one that only defines the tunnel traffic and not the remote vpn pool.</P></BODY></HTML> Wed, 01 Aug 2007 11:30:36 GMT https://community.cisco.com/t5/network-security/vpn-issue-on-asa/m-p/798612#M983308 mattiaseriksson 2007-08-01T11:30:36Z https://community.cisco.com/t5/network-security/vpn-issue-on-asa/m-p/798613#M983309 <HTML><HEAD></HEAD><BODY><P>thanks both for the replies. Ok, I changed the pool to a 192.168.250.0 network. But if I change the L2L tunnel nat, how do I also do a separate NAT 0 for the remote access tunnel. I can only put in one nat 0 statement. I need the L2L tunnel subnet (192.168.2.0/24) to access the inside without NAT, and I need the remote access tunnel subnet (192.168.250.0/24) to access the inside without NAT. How do I accomplish this? thanks again</P></BODY></HTML> Wed, 01 Aug 2007 12:15:28 GMT https://community.cisco.com/t5/network-security/vpn-issue-on-asa/m-p/798613#M983309 matthewmphc 2007-08-01T12:15:28Z https://community.cisco.com/t5/network-security/vpn-issue-on-asa/m-p/798614#M983310 <HTML><HEAD></HEAD><BODY><P>leave your nonat statement alone for the L2L tunnel. its fine.</P></BODY></HTML> Wed, 01 Aug 2007 12:22:17 GMT https://community.cisco.com/t5/network-security/vpn-issue-on-asa/m-p/798614#M983310 srue 2007-08-01T12:22:17Z https://community.cisco.com/t5/network-security/vpn-issue-on-asa/m-p/798615#M983311 <HTML><HEAD></HEAD><BODY><P>I see a problem with nonat acl subnet,</P><P></P><P>access-list nonat extended permit ip 10.1.100.0 255.255.255.0 172.16.1.0 255.255.255.0 </P><P></P><P>inside interface has subnet of 255.255.248.0</P></BODY></HTML> Wed, 01 Aug 2007 16:21:49 GMT https://community.cisco.com/t5/network-security/vpn-issue-on-asa/m-p/798615#M983311 ahsankhan 2007-08-01T16:21:49Z https://community.cisco.com/t5/network-security/vpn-issue-on-asa/m-p/798616#M983312 <HTML><HEAD></HEAD><BODY><P>Thanks, I corrected it but the remote access vpn is still not working. Looks like when the vpn client initiates a connection inside I see it happen in the logs, but when the response comes back its getting PAT'd to the interface address.</P><P></P><P>what I don't understand is how does the remote access vpn know not to NAT? With the L2L vpn, you define the "match" statement and tell it to use the nonat acl.</P></BODY></HTML> Wed, 01 Aug 2007 16:51:50 GMT https://community.cisco.com/t5/network-security/vpn-issue-on-asa/m-p/798616#M983312 matthewmphc 2007-08-01T16:51:50Z https://community.cisco.com/t5/network-security/vpn-issue-on-asa/m-p/798617#M983313 <HTML><HEAD></HEAD><BODY><P>Matthew,</P><P></P><P>Your NAT related config should look like this:</P><P></P><P>access-list nonat extended permit ip 10.1.100.0 255.255.255.0 192.168.250.0 255.255.255.0</P><P>access-list nonat extended permit ip 10.1.96.0 255.255.248.0 192.168.2.0 255.255.255.0</P><P></P><P>access-list l2l_vpn extended permit ip 10.1.96.0 255.255.248.0 192.168.2.0 255.255.255.0</P><P></P><P>crypto map mcmap 21 match address l2l_vpn</P><P>no crypto map mcmap 21 match address nonat</P><P></P><P>nat-control</P><P>global (outside) 1 interface</P><P>nat (inside) 0 access-list nonat</P><P>nat (inside) 1 10.1.96.0 255.255.248.0</P><P></P><P>Do not forget to issue "clear xlate" after any change to NAT config.</P></BODY></HTML> Thu, 02 Aug 2007 09:39:35 GMT https://community.cisco.com/t5/network-security/vpn-issue-on-asa/m-p/798617#M983313 mattiaseriksson 2007-08-02T09:39:35Z https://community.cisco.com/t5/network-security/vpn-issue-on-asa/m-p/798618#M983314 <HTML><HEAD></HEAD><BODY><P>Thank you for your assistance. It is now working fine. My mistake apparently was not creating a separate acl for the L2L match statement in the crypto map.</P></BODY></HTML> Thu, 02 Aug 2007 16:16:14 GMT https://community.cisco.com/t5/network-security/vpn-issue-on-asa/m-p/798618#M983314 matthewmphc 2007-08-02T16:16:14Z https://community.cisco.com/t5/network-security/vpn-issue-on-asa/m-p/798619#M983315 <HTML><HEAD></HEAD><BODY><P>Glad it helped.</P><P></P><P>You could mark this as resolved to the benefit of others.</P></BODY></HTML> Thu, 02 Aug 2007 17:02:59 GMT https://community.cisco.com/t5/network-security/vpn-issue-on-asa/m-p/798619#M983315 mattiaseriksson 2007-08-02T17:02:59Z