Showing results for 
Search instead for 
Did you mean: 

asa 5505 web acces


I have a problem with my setup on asa 5505.

Version of cisco is 8.0.2

At the begin all the IP in the inside interface have a web access.

I add a static rule for one IP of the inside interface , and after for this IP the web access does not run.

My question is How can I resolve this problem ?

My configuration is :

interface Vlan1

nameif inside

security-level 100

ip address

Interface Vlan2

nameif outside

security-level 0

ip address

static(inside,outside) netmask

For the inside IP the web access does not run.

Thanks by advance for your response

Rising star

- Is IP a valid IP in your network?

- If you are talking about web access to the internet, is not a public IP, do you have another NAT device to nat it to a public IP?

- If you are positive on the above question, can you "clear xlate" and try again.

Highlighted is the IP Wan of the Cisco.

I have a route to a getway :

route outside 999.999.999.999 1

No is not a valid IP.

I am talking about web acces to the internet

I don't have another NAT device.

I had to say that I need to translate the IP in because I am using it in a VPN :

access-list no_nat extended permit ip host

crypto map vpn 11 set peer 888.888.888.888

The VPN is working.

I had to translate the IP because I will have 11 Cisco for 11 diferents sites and they all will have the same local IP ( and I need to setup a VPN between all this 11 Cisco and my Cisco in central.


1. Based on your info, you have overlap IP between the sites. So you do need NAT ip to before the packet goes into VPN tunnel. ACL no_nat will not be used.

2. Will the traffic to the internet go to VPN tunnel first and then access internet from your central site? Or it will access the internet locally? I don't have the full config of this ASA and not sure if you are using split-tunnel.

3. My guess is:

- You have dynamic nat configured on this ASA to NAT the traffic to internet

- After you add static NAT for host, it will take priority over dynamic nat and as a result it will be NATed to a private IP. Therefore, no internet access anymore.

- If the above is true, you should use a Policy static NAT here.

static (inside,outside) access-list VPN

access-list vpn permit ip host


Traffic to Internet must be locally.

A part of my configuration is :

interface Vlan1

nameif inside

security-level 100

ip address


interface Vlan2

nameif outside

security-level 0

ip address 888.888.888.888


interface Ethernet0/0

switchport access vlan 2


interface Ethernet0/1


boot system disk0:/asa802-k8.bin

access-list no_nat extended permit ip

access-list EURODATA extended permit ip host

global (outside) 1 interface

nat (inside) 0 access-list no_nat

nat (inside) 1

static (inside,outside) access-list EURODATA

dynamic-access-policy-record DfltAccessPolicy

crypto ipsec transform-set set1 esp-aes-256 esp-sha-hmac

crypto ipsec transform-set set2 esp-3des esp-sha-hmac

crypto map vpn 11 match address EURODATA

crypto map vpn 11 set pfs group5

crypto map vpn 11 set peer 999.999.999.999

crypto map vpn 11 set transform-set set1

crypto map vpn interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

crypto isakmp policy 2

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

With this configuration :

Internet locally for is OK

VPN for is not OK , when a look the packet in cisco central I see the ip comming but not


You need create another ACL by using NATed IP for "crypto map vpn 11 match address ". Please refer to the following example:

Can you please remove "nat (inside) 0 access-list no_nat" and "clear xlate"? then "clear crypto isa sa" and "clear crypto ipsec sa" to let VPN tunnel to be rebuilted.



I followed your instructions and all is OK now.

We can say that the problem is resolved.

Many thanks for your help

Best regards

Eric Arnould , EURODATA France