12-09-2009 12:21 AM - edited 02-21-2020 03:49 AM
Hi,
We are using a Cisco ASA with LAN and DMZ interfaces. Generally, internet traffic goes out with the outside interface IP address, which is the IP we see. Here I want to get a NATed IP instead of the outside interface IP. Is it possible to do that?
For example, the outside interface IP is 1.1.1.1 and 1.1.1.2 is a free public IP. For internal and external users, they should get the 1.1.1.2 IP only. This is my requirement.
Regards,
Yugandhar. M
12-09-2009 06:08 AM
Sure, if you want internal users to hide behind another address than the ASA's interface address, just do this:
global (outside) 1 1.1.1.2
nat (inside) 1
Defining one address in the global statement will cause the ASA to do PAT translation with that address for the addresses defined in nat (inside) 1; the number 1 in both the global and nat statements is what binds them together.
12-09-2009 09:03 AM
Hi Jan,
Thanks for your solution.
At the time of installation I wrote the NAT policy like:
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 1.1.1.1-1.1.1.4
Is it OK, or do I need to add the global policy once again as per your suggestion, i.e.
global (outside) 1 1.1.1.2
nat (inside) 1
Regards,
Yugandhar. M
12-09-2009 10:33 AM
Actually, if I remember correctly, if you use a range the ASA will do dynamic NAT 1-1, which means only the first 4 people to send traffic through will work, so you should just do the 1.1.1.2 global; you don't need more than one address for regular internet traffic NATing. You need to remove the "global (outside) 1 1.1.1.1-1.1.1.4" first and then put in a line with only one address in it, like "global (outside) 1 1.1.1.2".
12-09-2009 09:15 PM
Hi Jan,
Thanks a lot for your solution.
Jan, I have one more query: we have assigned 1.1.1.1 to the outside interface and NATed with 1.1.1.2. At the same time, can I use 1.1.1.3 for mobile VPN users to access the internal resources?
Regards,
Yugandhar. M
12-10-2009 08:55 AM
Sure you can, it's just another type of NAT, known as a static NAT. If you want external mobile users to be able to reach something inside using 1.1.1.3, do this:
Let's say you wanted http/web traffic NATed towards an internal server:
static (inside,outside) tcp 1.1.1.3 80
and then allow the traffic in your outside access list to the 1.1.1.3 address.
If you want all ports NATed you would do:
static (inside,outside) 1.1.1.3
and then you only need to open the access in your outside access list.
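Putting the two answers above together, here is a consolidated pre-8.3 ASA configuration as an added example; it is not from the thread and not Jan's own config. It assumes the inside network 10.1.2.0/24 from the earlier post, a hypothetical internal web server at 10.1.2.10, and a hypothetical outside access list named OUTSIDE_IN. It replaces the earlier 1.1.1.1-1.1.1.4 range with a single PAT address, then adds the port-limited static NAT for 1.1.1.3 with an access list that opens only the translated port.

```cisco
! Added example, not from the thread. Pre-8.3 ASA (global/nat/static) syntax.
! Assumptions: inside network 10.1.2.0/24 (from the thread), internal web server
! 10.1.2.10 (hypothetical), outside access list OUTSIDE_IN (hypothetical).

! 1. Dynamic PAT: every inside host shares 1.1.1.2 instead of the interface IP 1.1.1.1.
!    The old range global must be removed first or the ASA keeps using it.
no global (outside) 1 1.1.1.1-1.1.1.4
global (outside) 1 1.1.1.2
nat (inside) 1 10.1.2.0 255.255.255.0

! 2. Static port NAT: only TCP/80 on 1.1.1.3 is mapped to the internal web server.
!    Preferred over "static (inside,outside) 1.1.1.3 10.1.2.10", which would expose every port.
static (inside,outside) tcp 1.1.1.3 80 10.1.2.10 80 netmask 255.255.255.255

! 3. Outside access list: pre-8.3 ACLs reference the translated (global) address,
!    so permit only the one port that is actually published.
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.3 eq 80
access-group OUTSIDE_IN in interface outside

! 4. Verification after applying the change.
show nat
show xlate
```

Two things to keep in mind with this layout: 1.1.1.2 and 1.1.1.3 must be reachable at the ASA's outside interface (when they sit in the outside subnet the ASA answers ARP for translated addresses itself, so nothing extra is needed), and the static entry publishes an internal host to the internet, so the access list should stay as narrow as the service allows. As the later posts in this thread make clear, a static NAT only forwards traffic to an inside host; it does not let the ASA itself terminate a VPN on 1.1.1.3.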
12-10-2009 08:33 PM
Hi Jan,
A little bit of confusion, I did not get you. Let me explain my required setup.
For example, I have 1.1.1.1, 1.1.1.2, 1.1.1.3 public IPs.
As per my last query, I assigned 1.1.1.1 to the outside interface, and outside and inside users can see the IP 1.1.1.2. For this you have given a solution.
The second one is, we are having client-to-site mobile VPN users; they should connect to the firewall or my internal network by using the 1.1.1.3 IP address only, i.e. in the VPN client settings the VPN server IP should be 1.1.1.3.
This is my requirement, Jan. Please help me.
Regards,
Yugandhar. M
12-14-2009 12:15 AM
As far as I can read from your posts, what you want is to use a different IP than the one on your outside interface for terminating remote access VPNs. AFAIK, and what's supported up until 8.2(1), this is not possible. You will need to have this IP on an interface to be able to enable it for isakmp.
If you have any available interfaces then create one and call it "nameif VPN" and give it the 1.1.1.3 address. (You will need a switch with a dedicated VLAN in between your CE router / modem for this to be doable).
If someone has a better solution I am curious about it as well :-)
02-24-2010 12:27 PM
I have the same problem. My Outside IP address on physical interface is 1.1.1.2.
I need my VPN site-to-site to be terminated on IP 1.1.1.3 and I didn’t find a solution either.
Is it possible to use "policy NAT" and how? Is this a kind of solution to this problem without using a switch and VLAN interface?
Do you know where I can see or read whether we need an IP address on the physical interface for ISAKMP?