Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1017
Views
0
Helpful
4
Replies

ASA attached to a Cisco Router 2921

bhicks
Level 1
Level 1

‎04-22-2010 06:25 AM - edited ‎03-04-2019 08:15 AM

Hi guys,

Thanks for all the help thus far and I am nearing completion of my project.  I have one last piece to finish.

I hooked the asa to a wan port, got my routing set and I am havng this problem.

1. With NAT enabled on that wan port of the router, I can get to the internet no problem.  But I cannot get in via vpn to the lan. I can connect to the vpn, but I cannot get to the lan.

2. If if turn off nat on the router, I cannot get to the internet, but I can connect to the lan through the vpn tunnel from home.

Is there a way to pass incoming traffic not initiated from the inside to pass directly to the inside interface with being natted?

Our asa does nat on certain ports to inside IP's. It appreas that the router is natting thoses addresses on the router wan port.

(WAN: ISP is) ASA (LAN(172.25.0.254/24)-----------(WAN: 172.25.0.100/24) ROUTER(LAN: 172.24.201.248/16)-----------SWITCHES

Lan side of the router is our default gateway.  Currently I couldn't get traffic to work both wasy so the router is disconnected and the asa is back as being the edge device.

Any ideas guys?


Thanks in advance.

Labels:
0 Helpful
4 Replies 4

John Blakley
VIP Alumni
VIP Alumni

‎04-22-2010 07:21 AM

You may have to post your VPN settings for your users for me to be able to try to help you. You'll need nat configured on the router if that's the last device out and nothing else is natting for you.

So, in your config you probably have something like:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

Do you have a address pool set up for your users, and do you get an address from this pool? Can you post that portion of the config?

I'll also need to see your group-policy and tunnel-group for the user group that's having the problem.

HTH,

John

HTH, John *** Please rate all useful posts ***
0 Helpful

bhicks
Level 1
Level 1
In response to John Blakley

‎04-22-2010 07:39 AM

Here are my configs.  With this config, users can access the internet out going.  VPN's use pool in coming.  NAT does not.

On the router g0/1 is the wan port connected to the asa. g0/0 is the local lan side port of the router (plugged into our switches).

Thanks.

63670-WFSRTR_20100421.txt.zip
0 Helpful

John Blakley
VIP Alumni
VIP Alumni
In response to bhicks

‎04-22-2010 07:46 AM

Why do you have your outside connections natting to inside? This line "global (inside) 1 interface"....have you tried taking it out?

HTH, John *** Please rate all useful posts ***
0 Helpful

bhicks
Level 1
Level 1
In response to John Blakley

‎04-22-2010 07:49 AM

The confg was done from the GUI on the ASA and I didn't change anything besides the lan side ip on it.  I did not try taking it out, but I will as soon as I can and see what happens.

Thanks.  Your help is appreciated.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card