08-26-2009 08:17 AM
Hello,
I have a problem with my setup on an ASA 5505.
The Cisco version is 8.0.2.
At the beginning, all the IPs on the inside interface have web access.
I added a static rule for one IP on the inside interface, and after that the web access for this IP does not work.
My question is: how can I resolve this problem?
My configuration is :
interface Vlan1
nameif inside
security-level 100
ip address 20.30.40.250 255.255.0.0
Interface Vlan2
nameif outside
security-level 0
ip address 99.99.99.99
static (inside,outside) 10.20.1.1 20.30.44.1 netmask 255.255.255.255
For the inside IP 20.30.44.1 the web access does not work.
Thanks in advance for your response.
08-26-2009 09:33 AM
- Is IP 10.20.1.1 a valid IP in your network?
- If you are talking about web access to the internet, 10.20.1.1 is not a public IP, do you have another NAT device to nat it to a public IP?
- If you are positive on the above question, can you "clear xlate" and try again?
08-26-2009 10:39 PM
99.99.99.99 is the WAN IP of the Cisco.
I have a route to a gateway:
route outside 0.0.0.0 0.0.0.0 999.999.999.999 1
No, 10.20.1.1 is not a valid IP.
I am talking about web access to the internet.
I don't have another NAT device.
I should have said that I need to translate the IP 20.30.44.1 to 10.21.1.1 because I am using it in a VPN:
access-list no_nat extended permit ip host 10.21.1.1 10.20.0.0 255.255.0.0
crypto map vpn 11 set peer 888.888.888.888
The VPN is working.
I have to translate the IP 20.30.44.1 because I will have 11 Ciscos for 11 different sites, they will all have the same local IP (20.30.44.1), and I need to set up a VPN between all these 11 Ciscos and my central Cisco.
08-27-2009 06:27 AM
1. Based on your info, you have overlapping IPs between the sites. So you do need to NAT IP 20.30.44.1 to 10.21.1.1 before the packet goes into the VPN tunnel. ACL no_nat will not be used.
2. Will the traffic to the internet go into the VPN tunnel first and then access the internet from your central site? Or will it access the internet locally? I don't have the full config of this ASA and am not sure if you are using split-tunnel.
3. My guess is:
- You have dynamic NAT configured on this ASA to NAT the traffic to the internet.
- After you add static NAT for host 20.30.44.1, it will take priority over dynamic NAT and as a result it will be NATed to a private IP. Therefore, no internet access anymore.
- If the above is true, you should use a policy static NAT here:
static (inside,outside) 10.20.1.1 access-list VPN
access-list VPN extended permit ip host 20.30.44.1 10.20.0.0 255.255.0.0
08-28-2009 01:19 AM
Traffic to the Internet must be local.
Part of my configuration is:
interface Vlan1
nameif inside
security-level 100
ip address 20.30.44.250 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 888.888.888.888
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
boot system disk0:/asa802-k8.bin
access-list no_nat extended permit ip 10.21.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list EURODATA extended permit ip host 20.30.44.1 10.20.0.0 255.255.0.0
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.21.1.1 access-list EURODATA
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set set1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set set2 esp-3des esp-sha-hmac
crypto map vpn 11 match address EURODATA
crypto map vpn 11 set pfs group5
crypto map vpn 11 set peer 999.999.999.999
crypto map vpn 11 set transform-set set1
crypto map vpn interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
With this configuration:
Internet locally for 20.30.44.1 is OK.
VPN for 20.30.44.1 is not OK; when I look at the packets on the central Cisco I see the IP 20.30.44.1 coming in, but not 10.21.1.1.
08-28-2009 06:41 AM
You need to create another ACL using the NATed IP 10.21.1.1 for "crypto map vpn 11 match address".
http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K05272321
Can you please remove "nat (inside) 0 access-list no_nat" and "clear xlate"? Then "clear crypto isa sa" and "clear crypto ipsec sa" to let the VPN tunnel be rebuilt.
HTH
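The two points raised in this thread (a plain static NAT outranking the dynamic PAT so Internet traffic leaves with a private source, and the crypto map ACL having to name the NATed address because the ASA checks "match address" after translation) can be walked through with a small model. The script below is an added illustration, not Cisco code and not part of the thread; it models the pre-8.3 ASA NAT precedence (exemption, then static regular or policy, then dynamic NAT/PAT) for inside-to-outside packets. The addresses 20.30.44.1, 10.20.0.0/16, 10.21.1.1 and 10.20.1.1 come from the thread; the outside interface IP 192.0.2.1, the Internet host 203.0.113.10 and the central-site host 10.20.5.5 are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field

# Added illustration, not Cisco code: a model of the ASA 8.0 (pre-8.3) NAT
# order of operations for inside->outside packets and of the crypto map
# "match address" check, which the ASA evaluates after NAT, i.e. against
# the mapped (translated) source address.
OUTSIDE_IP = "192.0.2.1"        # constructed stand-in for the WAN address
INTERNET_HOST = "203.0.113.10"  # constructed public web server
CENTRAL_HOST = "10.20.5.5"      # constructed host behind the central ASA


@dataclass
class Ace:
    """One 'permit ip <src> <dst>' entry; a /32 stands for 'host'."""
    src: str
    dst: str

    def matches(self, src, dst):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst))


def acl_permits(acl, src, dst):
    return any(ace.matches(src, dst) for ace in acl)


@dataclass
class AsaNat:
    outside_ip: str
    exempt_acl: list = field(default_factory=list)    # nat (inside) 0 access-list X
    static: dict = field(default_factory=dict)         # real -> mapped, regular static /32
    policy_static: list = field(default_factory=list)  # (mapped, acl): static ... access-list X
    dynamic_pat: bool = False                          # nat (inside) 1 0 0 + global (outside) 1 interface

    def translate(self, src, dst):
        """Return (mapped_src, rule) using the pre-8.3 precedence:
        exemption, then static (regular or policy), then dynamic NAT/PAT."""
        if acl_permits(self.exempt_acl, src, dst):
            return src, "nat 0 (exempt)"
        if src in self.static:
            return self.static[src], "static"
        for mapped, acl in self.policy_static:
            if acl_permits(acl, src, dst):
                return mapped, "policy static"
        if self.dynamic_pat:
            return self.outside_ip, "dynamic PAT"
        return src, "no NAT"


RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def internet_reachable(mapped_src):
    """A packet leaving with an RFC 1918 source never gets a reply from the Internet."""
    return not any(ipaddress.ip_address(mapped_src) in n for n in RFC1918)


# access-list EURODATA as posted (real address) and the same ACL on the mapped address
EURODATA_REAL = [Ace("20.30.44.1/32", "10.20.0.0/16")]
EURODATA_MAPPED = [Ace("10.21.1.1/32", "10.20.0.0/16")]


def first_config():
    """static (inside,outside) 10.20.1.1 20.30.44.1 netmask 255.255.255.255 plus dynamic PAT."""
    asa = AsaNat(OUTSIDE_IP, static={"20.30.44.1": "10.20.1.1"}, dynamic_pat=True)
    return asa.translate("20.30.44.1", INTERNET_HOST)


def policy_asa():
    """static (inside,outside) 10.21.1.1 access-list EURODATA plus dynamic PAT."""
    return AsaNat(OUTSIDE_IP, policy_static=[("10.21.1.1", EURODATA_REAL)], dynamic_pat=True)


def crypto_matches(crypto_acl, asa, src, dst):
    """'crypto map ... match address' sees the post-NAT source, not the inside address."""
    mapped, _ = asa.translate(src, dst)
    return acl_permits(crypto_acl, mapped, dst)


if __name__ == "__main__":
    mapped, rule = first_config()
    print(f"plain static: 20.30.44.1 -> {mapped} via {rule}; "
          f"Internet reachable: {internet_reachable(mapped)}")
    asa = policy_asa()
    for dst in (INTERNET_HOST, CENTRAL_HOST):
        print(f"policy static: 20.30.44.1 -> {dst}: {asa.translate('20.30.44.1', dst)}")
    print("crypto ACL on real IP matches:",
          crypto_matches(EURODATA_REAL, asa, "20.30.44.1", CENTRAL_HOST))
    print("crypto ACL on mapped IP matches:",
          crypto_matches(EURODATA_MAPPED, asa, "20.30.44.1", CENTRAL_HOST))
```

Run as a script, the first line shows the original static rule mapping 20.30.44.1 to the private 10.20.1.1 for Internet-bound traffic, which is why web access stopped; with the policy static, only traffic to 10.20.0.0/16 is mapped to 10.21.1.1 and everything else falls through to the interface PAT. The last two lines show why the crypto ACL written on 20.30.44.1 never selects the tunnel while the one written on 10.21.1.1 does.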
08-28-2009 07:38 AM
I followed your instructions and all is OK now.
We can say that the problem is resolved.
Many thanks for your help.
Best regards
Eric Arnould , EURODATA France