I have a problem with my setup on an ASA 5505.
The Cisco version is 8.0.2.
At the beginning all the IPs on the inside interface have web access.
I add a static rule for one IP on the inside interface, and after that, for this IP the web access does not work.
My question is: how can I resolve this problem?
My configuration is:
ip address 188.8.131.52 255.255.0.0
ip address 184.108.40.206
static (inside,outside) 10.20.1.1 220.127.116.11 netmask 255.255.255.255
For the inside IP 18.104.22.168 the web access does not work.
Thanks in advance for your response.
- Is IP 10.20.1.1 a valid IP in your network?
- If you are talking about web access to the internet, 10.20.1.1 is not a public IP. Do you have another NAT device to NAT it to a public IP?
- If you are positive on the above question, can you "clear xlate" and try again?
22.214.171.124 is the WAN IP of the Cisco.
I have a route to a gateway:
route outside 0.0.0.0 0.0.0.0 999.999.999.999 1
No, 10.20.1.1 is not a valid IP.
I am talking about web access to the internet.
I don't have another NAT device.
I should have said that I need to translate the IP 126.96.36.199 to 10.21.1.1 because I am using it in a VPN:
access-list no_nat extended permit ip host 10.21.1.1 10.20.0.0 255.255.0.0
crypto map vpn 11 set peer 888.888.888.888
The VPN is working.
I have to translate the IP 188.8.131.52 because I will have 11 Cisco for 11 different sites, and they will all have the same local IP (184.108.40.206), and I need to set up a VPN between all these 11 Cisco and my Cisco at the central site.
1. Based on your info, you have overlapping IPs between the sites. So you do need to NAT IP 220.127.116.11 to 10.21.1.1 before the packet goes into the VPN tunnel. ACL no_nat will not be used.
2. Will the traffic to the internet go into the VPN tunnel first and then access the internet from your central site? Or will it access the internet locally? I don't have the full config of this ASA and am not sure if you are using split-tunnel.
3. My guess is:
- You have dynamic NAT configured on this ASA to NAT the traffic to the internet.
- After you add static NAT for host 18.104.22.168, it will take priority over dynamic NAT, and as a result it will be NATed to a private IP. Therefore, no internet access anymore.
- If the above is true, you should use policy static NAT here.
static (inside,outside) 10.20.1.1 access-list VPN
access-list VPN permit ip host 22.214.171.124 10.20.0.0 255.255.0.0
Traffic to the internet must be local.
Part of my configuration is:
ip address 126.96.36.199 255.255.0.0
ip address 888.888.888.888
switchport access vlan 2
boot system disk0:/asa802-k8.bin
access-list no_nat extended permit ip 10.21.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list EURODATA extended permit ip host 188.8.131.52 10.20.0.0 255.255.0.0
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.21.1.1 access-list EURODATA
crypto ipsec transform-set set1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set set2 esp-3des esp-sha-hmac
crypto map vpn 11 match address EURODATA
crypto map vpn 11 set pfs group5
crypto map vpn 11 set peer 999.999.999.999
crypto map vpn 11 set transform-set set1
crypto map vpn interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
crypto isakmp policy 2
no crypto isakmp nat-traversal
With this configuration:
Internet locally for 184.108.40.206 is OK.
VPN for 220.127.116.11 is not OK; when I look at the packets on the central Cisco, I see the IP 18.104.22.168 coming in, but not 10.21.1.1.
You need to create another ACL using the NATed IP 10.21.1.1 for "crypto map vpn 11 match address".
Can you please remove "nat (inside) 0 access-list no_nat" and "clear xlate"? Then "clear crypto isa sa" and "clear crypto ipsec sa" to let the VPN tunnel be rebuilt.
I followed your instructions and all is OK now.
We can say that the problem is resolved.
Many thanks for your help.
Eric Arnould, EURODATA France
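Putting the two answers in this thread together (a plain static NAT is evaluated before dynamic PAT, so it hijacked the host's internet traffic; a nat 0 exemption is evaluated before policy static NAT, so it let the host enter the tunnel untranslated), the following is a consolidated pre-8.3 ASA configuration for this pattern. It is an added example, not the poster's or the responder's configuration: LOCAL_HOST_IP is a placeholder for the real inside address (obfuscated in the thread), the ACL name VPN_CRYPTO and the destination addresses in the packet-tracer checks are assumed, and only EURODATA, no_nat, the crypto map name and the 10.21.1.1 / 10.20.0.0/16 addresses come from the thread.

```text
! Added example (not the thread's own configuration).
! LOCAL_HOST_IP  = placeholder for the real inside address of the host
! 10.21.1.1      = translated address the central site should see
! 10.20.0.0/16   = central site network reached through the tunnel

! --- Before (the two settings that caused the symptoms) ----------------------
! A plain static NAT applies to ALL traffic from the host. In the pre-8.3 NAT
! order, static NAT is checked before dynamic NAT, so web traffic left with the
! private source 10.21.1.1 instead of the outside interface PAT address:
!   static (inside,outside) 10.21.1.1 LOCAL_HOST_IP netmask 255.255.255.255
!
! NAT exemption (nat 0 access-list) is the first NAT rule checked. When its ACL
! matches the host's traffic to 10.20.0.0/16 it wins over the policy static NAT,
! so the packet entered the tunnel untranslated and the central site saw
! LOCAL_HOST_IP:
!   nat (inside) 0 access-list no_nat

! --- After -------------------------------------------------------------------
! 1. Policy static NAT: translate the host only for traffic to the central site.
access-list EURODATA extended permit ip host LOCAL_HOST_IP 10.20.0.0 255.255.0.0
static (inside,outside) 10.21.1.1 access-list EURODATA

! 2. Dynamic PAT for everything else. The policy static NAT matches only
!    destinations in 10.20.0.0/16; internet destinations fall through to this
!    rule and get the outside interface address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! 3. Crypto ACL written against the POST-NAT address. NAT is applied before the
!    outbound packet is matched against the crypto map, so the ACL must name
!    10.21.1.1, not LOCAL_HOST_IP. (ACL name VPN_CRYPTO is assumed.)
access-list VPN_CRYPTO extended permit ip host 10.21.1.1 10.20.0.0 255.255.0.0
crypto map vpn 11 match address VPN_CRYPTO

! 4. No "nat (inside) 0 access-list no_nat" line at all: the exemption is removed.

! --- Checks (exec mode) ------------------------------------------------------
! Web traffic: the NAT phase should show the dynamic rule "nat (inside) 1"
! and the outside interface address (203.0.113.10 is a constructed stand-in
! for any internet host).
packet-tracer input inside tcp LOCAL_HOST_IP 1025 203.0.113.10 80
! Tunnel traffic: the NAT phase should show the static policy translation to
! 10.21.1.1 and a VPN phase should appear (10.20.0.10 is a constructed
! central-site host).
packet-tracer input inside tcp LOCAL_HOST_IP 1025 10.20.0.10 80
! Existing translations are cached; clear them after changing NAT rules,
! then confirm the tunnel's local identity is the translated address.
clear xlate
show crypto ipsec sa
```

The syntax above is the 8.0-era (pre-8.3) NAT model the thread uses; ASA 8.3 and later replaced static, nat and global with object and twice NAT, where the same ordering problem is solved by placing the VPN translation as a manual NAT rule ahead of the interface PAT rule.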