ASA Remote access VPN & NAT

Discussion in 'Cisco' started by LVsFINEST, Jul 1, 2010.

  1. LVsFINEST

    LVsFINEST

    Joined:
    Oct 15, 2008
    Messages:
    8
    Hello,

    I'm trying to get a remote access VPN working using an ASA and Cisco VPN client with no split tunneling. The VPN works kinda, I can access devices on the inside when I connect, but I cannot access the Internet. I don't see any errors in the ASA logfile except these:

    Jul 1 04:59:15 gatekeeper %ASA-3-305006: portmap translation creation failed for udp src outside:192.168.47.200/137 dst outside:192.168.47.255/137
    Jul 1 04:59:15 gatekeeper %ASA-3-305006: portmap translation creation failed for udp src outside:192.168.47.200/54918 dst outside:xxx.xxx.xxx.xxx/53

    There's only one public IP address which is DHCP assigned to the outside interface. The inside network is 192.168.1.0/24 which is PAT'ed to the outside interface and the VPN network is 192.168.47.X.

    I think my problem is that the .47 net is not being NAT'ed to the outside properly and I'm not sure how to set it up exactly. I can't fathom how this is supposed to work since the VPN net technically originates from the outside already.

    Here's all the relevant config:

    access-list vpn extended permit ip any 192.168.47.0 255.255.255.0
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 192.168.47.200-192.168.47.220 mask 255.255.255.0
    ip verify reverse-path interface outside
    ip audit info action alarm drop
    ip audit attack action alarm drop
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    global (inside) 2 interface
    global (outside) 1 interface
    nat (inside) 0 access-list vpn
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 2 192.168.47.0 255.255.255.0 outside
    static (inside,outside) tcp interface 3074 XBOX360 3074 netmask 255.255.255.255
    static (inside,outside) udp interface 3074 XBOX360 3074 netmask 255.255.255.255
    static (inside,outside) udp interface 88 XBOX360 88 netmask 255.255.255.255
    static (inside,outside) tcp interface https someids https netmask 255.255.255.255

    I can post more of the config if needed.

    Changing 'nat (outside) 2 192.168.47.0 255.255.255.0 outside' to 'nat (outside) 2 access-list vpn outside' yields these:

    Jul 1 06:18:35 gatekeeper %ASA-3-305005: No translation group found for udp src outside:192.168.47.200/56003 dst outside:66.174.95.44/53

    So how do I properly NAT VPN traffic so it can reach the Internet?

    TIA
     
    LVsFINEST, Jul 1, 2010
    #1

  2. LVsFINEST

    LVsFINEST

    Joined:
    Oct 15, 2008
    Messages:
    8
    This is what was needed to NAT traffic properly:

    same-security-traffic permit intra-interface
    access-list vpn extended permit ip 192.168.1.0 255.255.255.0 192.168.47.0 255.255.255.0
    global (outside) 1 interface
    nat (inside) 0 access-list vpn
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 1 192.168.47.0 255.255.255.0

    ...just in case it helps someone someday.
     
    LVsFINEST, Jul 2, 2010
    #2

  3. LVsFINEST

    cyberbastion

    Joined:
    Mar 16, 2012
    Messages:
    1
    Thanks. It works in my ASA.
     
    cyberbastion, Mar 16, 2012
    #3
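
The difference between the two posted configurations, as an added example that is not part of the original thread: a small Python check (function and variable names are hypothetical) that, for traffic entering and leaving the same interface, looks for `same-security-traffic permit intra-interface` and for a `nat` rule whose id has a matching `global` on that interface. It reads only the lines shown in the posts and assumes the pre-8.3 `nat`/`global` syntax they use.

```python
import re

# nat/global lines copied from posts #1 and #2 above (pre-8.3 syntax).
ORIGINAL = """\
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 2 192.168.47.0 255.255.255.0 outside
"""
FIXED = """\
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.47.0 255.255.255.0
"""

RULE = re.compile(r"^(nat|global) \((\w+)\) (\d+) ")

def hairpin_findings(config, ifc="outside"):
    """Return reasons why traffic entering and leaving `ifc` cannot be translated."""
    nat_ids, global_ids = set(), set()
    intra = False
    for line in map(str.strip, config.splitlines()):
        if line == "same-security-traffic permit intra-interface":
            intra = True
        m = RULE.match(line)
        # Only rules bound to `ifc` matter here; nat id 0 is NAT exemption, not PAT.
        if m and m.group(2) == ifc and m.group(3) != "0":
            (nat_ids if m.group(1) == "nat" else global_ids).add(m.group(3))
    findings = []
    if not intra:
        findings.append("same-security-traffic permit intra-interface is missing")
    if not nat_ids:
        findings.append(f"no nat ({ifc}) rule with a non-zero id")
    # A nat id translates only when a global with the same id exists on the egress interface.
    for nat_id in sorted(nat_ids - global_ids):
        findings.append(f"nat ({ifc}) {nat_id} has no matching global ({ifc}) {nat_id}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, hairpin_findings(cfg) or "hairpin NAT path is complete")
```

Run against the first post's lines it reports the missing intra-interface permit and the `nat (outside) 2` rule with no `global (outside) 2`; the second post's lines produce no findings.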