PAT/NAT VPN question

Discussion in 'Cisco' started by justin_ltg@yahoo.com, Jun 14, 2007.

  1. Guest

    I just upgraded my pix 506 to an asa 5505. I had 3 site to site VPN's
    previously set up. 1 dynamic and 2 static. All VPNs have functioned
    well with the 506. I noticed after the cut over to the ASA my VPNs
    kept dropping connections, and the dynamic VPN would not hook up at
    all. (I had to grab the temporary assigned IP to and make it a static
    VPN just to get her up; this is something I am working out later)
    Oh, every VPN is setup straight to a PIX 501

    My question is with the VPN's dropping. When I went to the ASA, I
    changed my global command to only include 68.75.X.YZ ; I did this so I
    could free up some of my usable IP's since I was running out. Well of
    course the VPNs were dropping connections but then reestablishing
    themselves.

    So to alleviate this (my attempt to) I added back in the rest of the
    IP's to match the config that I had in my 506. So my question is,
    would reducing the number of IPs issued by the global command force
    the VPN connections to drop? We only have about 50 users internally.

    THis is my config now:

    global (outside) 1 68.75.X.XX-68.75.X.XX
    global (outside) 1 interface
    global (outside) 1 68.75.X.ZX
    global (outside) 1 68.75.X.YZ
    nat (inside) 0 access-list VPN
    nat (inside) 1 10.0.0.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0

    This is what it was


    global (outside) 1 interface
    global (outside) 1 68.75.X.ZX
    nat (inside) 0 access-list VPN
    nat (inside) 1 10.0.0.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0

    Thanks for any NAT/PAT/VPN insight.

    Justin.
    , Jun 14, 2007
    #1
    1. Advertising

  2. maco

    Joined:
    Jun 13, 2007
    Messages:
    10
    The info you posted is not enough..

    I don't understand if you are using NAT/PAT for the VPN or all VPN are not translated (nat 0).
    If they are not translated then no NAT/PAT config is related to your problem.

    what about some debug of isakmp and ipsex?
    maco, Jun 15, 2007
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Paul Emond
    Replies:
    3
    Views:
    3,171
    Chris
    Oct 24, 2003
  2. BinSur
    Replies:
    4
    Views:
    5,760
    BinSur
    Jan 13, 2006
  3. spec
    Replies:
    2
    Views:
    1,406
    Walter Roberson
    May 25, 2006
  4. Steven Carr
    Replies:
    7
    Views:
    710
  5. tsimmons

    VPN to NAT/PAT

    tsimmons, Mar 10, 2010, in forum: Cisco
    Replies:
    4
    Views:
    946
    tsimmons
    Mar 22, 2010
Loading...

Share This Page