NAT VPN tunnel and still access Internet traffic


Thank you in advance for any help you can provide.

I have a server that needs to access a remote subnet through the Internet. However, before the server can access the remote subnet, its IP address must be NAT'ed, because the remote VPN gateway (which is not under my control) also allows access to other customers who use the same subnet address that we use on our local network.

We have a Cisco 2801 (running c2801-advsecurityk9-mz.124-15.T9.bin) set up to perform the NAT. It is the only gateway on our network.

I have configured the Cisco 2801 with the following NAT statements and the relevant access lists:

access-list 106 permit ip host

ip access-list extended NAT
 deny ip host
 deny ip
 permit ip any

route-map ISP permit 10
 match ip address NAT

ip nat pool EMDVPN netmask
ip nat inside source list 106 pool EMDVPN
ip nat inside source route-map ISP interface FastEthernet0/1 overload

When the server attempts to ping devices on the remote subnet, the VPN tunnel is established successfully. However, after that, the server is no longer able to access the Internet, because the NAT translation for the server has changed from the router's external IP address (FastEthernet0/1).

The documentation I've seen on Cisco's site says that this type of setup allows only host-to-subnet communication; Internet access is not possible. However, maybe I missed something, or one of you experts can help me. Is it possible to NAT the router's traffic destined for the VPN tunnel and still access the Internet using dynamic NAT on FastEthernet0/1?

Once again, thank you for any help you can give.




Rather than using a pool, NAT -> 192.168.50.x:

access-list 102 permit ip host

route-map RM-STATIC-NAT permit 10
 match ip address 102

ip nat inside source static route-map RM-STATIC-NAT extendable

access-list 101 deny ip host
access-list 101 permit ip any
ip nat inside source list 101 interface FastEthernet0/1 overload

The VPN access list will use * as the source.

Let me know if it works.
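The following is an added example, not code from the thread, that models why the pool approach above breaks Internet access and why the route-map static fixes it. It is a simplified model of IOS NAT order of operations (an existing translation is consulted before the rules; a pool without overload creates a simple entry keyed on the inside-local address only, while overload and route-map static entries are extended and keyed on the destination too). All addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addresses for this example (not from the thread).
SERVER = ipaddress.ip_address("192.168.1.10")      # inside host that must reach the VPN
SERVER_NET = ipaddress.ip_network("192.168.1.10/32")
VPN_NAT = ipaddress.ip_address("192.168.50.10")    # address the remote VPN gateway expects
OUTSIDE = ipaddress.ip_address("203.0.113.5")      # router's FastEthernet0/1 address
REMOTE = ipaddress.ip_network("10.20.0.0/24")      # subnet behind the remote VPN gateway
ANY = ipaddress.ip_network("0.0.0.0/0")
VPN_HOST = ipaddress.ip_address("10.20.0.5")       # a device on the remote subnet
WEB_HOST = ipaddress.ip_address("198.51.100.80")   # an Internet destination


def acl_permits(entries, src, dst):
    """First-match extended ACL: entries are (action, src_net, dst_net); implicit deny."""
    for action, s_net, d_net in entries:
        if src in s_net and dst in d_net:
            return action == "permit"
    return False


@dataclass
class NatRouter:
    # Ordered rules: (acl_entries, inside_global_ip, extended).
    # extended=False models a pool without overload (simple entry, keyed on the
    # inside-local address only); extended=True models overload or a route-map
    # static with 'extendable' (entry also keyed on the destination).
    rules: list
    table: list = field(default_factory=list)  # (inside_local, inside_global, dst or None)

    def translate(self, src, dst):
        # Step 1: an existing translation is used before any rule is evaluated.
        # A simple entry (dst None) matches every flow from that inside host.
        for local, glob, entry_dst in self.table:
            if local == src and entry_dst in (None, dst):
                return glob
        # Step 2: the first rule whose ACL permits the flow creates the entry.
        for entries, glob, extended in self.rules:
            if acl_permits(entries, src, dst):
                self.table.append((src, glob, dst if extended else None))
                return glob
        return src  # no rule matched: the packet leaves untranslated


# Asker's config: ACL 106 -> pool EMDVPN (no overload), then NAT ACL via
# route-map ISP -> interface overload (the NAT ACL denies server -> remote).
ASKER_RULES = [
    ([("permit", SERVER_NET, REMOTE)], VPN_NAT, False),
    ([("deny", SERVER_NET, REMOTE), ("permit", ANY, ANY)], OUTSIDE, True),
]
# Answer's config: static NAT gated by route-map RM-STATIC-NAT (ACL 102, extendable),
# then ACL 101 (deny server -> remote, permit the rest) -> interface overload.
ANSWER_RULES = [
    ([("permit", SERVER_NET, REMOTE)], VPN_NAT, True),
    ([("deny", SERVER_NET, REMOTE), ("permit", ANY, ANY)], OUTSIDE, True),
]


def walk(rules):
    """Ping into the VPN first, then reach the Internet; return both inside-global addresses."""
    router = NatRouter(rules)
    return str(router.translate(SERVER, VPN_HOST)), str(router.translate(SERVER, WEB_HOST))


if __name__ == "__main__":
    print("pool config     :", walk(ASKER_RULES))   # ('192.168.50.10', '192.168.50.10')
    print("route-map config:", walk(ANSWER_RULES))  # ('192.168.50.10', '203.0.113.5')
```

With the pool, the simple entry created by the first ping is reused for the Internet flow, so the server leaves with 192.168.50.10 instead of the interface address; with the extendable static, the Internet flow misses that entry and falls through to ACL 101.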



Tags: Cisco Security

Similar Questions

  • My old camera was a 60D with the 7.1 raw format and the new one is a 6D. How can I set things up so that I can use both cameras in raw and still access my old 7.1 raw files? I am using Elements 11.

    Using Elements 11, can I get a plug-in that supports both cameras and still access my old 7.1 raw files?

    You need VC 7.3 or better. You can update PES 11 to VC 8.0.

  • With NAT VPN tunnels

    I have read several posts on the topic and still think I'm missing something, so I'm looking for help.

    Basically, I'm now implementing multiple VPN tunnels for external connections. We want to keep the external "private addresses" out of our base network by using NAT.

    I can get the tunnel to work without problems using the SHEEP ACL; however, this technique requires that our internal network be aware of their external "private" addresses. Our goal is to have an address on the inside that is NAT'ed to the external "private" address and then sent via the VPN tunnel, basically hiding the external "private" address from our internal systems so that it appears as though the connection was to one of our own networks.

    The reverse is true coming from their external "private" network. Anything originating from "their" external private network would arrive in our "private" address space.

    Is this possible? I am attaching a diagram, which may help.


    Yes, this should be possible. Let's say you allocate an address that you use to present the external server.

    On your ASA device:

    static (outside,inside) netmask

    You will need to make sure that when the system tries to connect to that address, the traffic is routed to the ASA device.



  • Policy nat for L2L and external access


    I'm running into an interesting problem with a PIX 506E running 6.3(4).

    I created a VPN with our central location and implemented policy NAT on the 506E to NAT their local IPs. This NATing works very well except for servers that also have a static external IP address. I made a few packet captures: traffic is crossing the VPN as expected and actually arrives at the remote end, but the replies are NAT'ed to the host's 'outside' IP instead of the policy NAT address. I can ping other hosts on the remote network very well from the central location, just not those that have a static external IP address.

    Example: from my central site I try to ping a server through the VPN. The traffic leaves the central site, is encrypted and delivered to the remote firewall. The remote firewall translates the policy NAT address to the REAL server IP and delivers the packet, and the server responds, but the replies are NAT'ed to its public IP address 75.X.X.X instead of the policy NAT address.

    Any thoughts on how I can work around this problem?

    Here is the relevant config:

    access-list policy-nat line 1 permit ip
    access-list policy-nat line 2 permit ip
    access-list policy-nat line 3 permit ip
    access-list vpn-sheep permit ip
    access-list vpn-sheep permit ip
    access-list vpn-sheep permit ip
    nat (inside) 0 access-list vpn-sheep
    nat (inside) 1 0 0
    global (outside) 1 interface
    static (inside,outside) 75.x.x.x netmask 0 0
    static (inside,outside) access-list policy-nat 0 0

    Try to rearrange your static rules:

    Put the policy static first, so that it is read first by the PIX:

    static (inside,outside) access-list policy-nat 0 0
    static (inside,outside) 75.x.x.x netmask 0 0

    See how it goes.

  • ASA-based S2S VPN: tunnel establishes only when interesting traffic hits from the remote end

    Dear all,

    I need your help to solve the problem mentioned below.

    A VPN tunnel is established between two ASA units: DEVICE A and DEVICE B.

    (1) If interesting traffic is initiated from the device A LAN, the traffic hits the ACL but the tunnel does not come up.

    (2) If interesting traffic is initiated from the device B LAN, the tunnel establishes and all services work.

    (3) After the tunnel is established from device B, we force the tunnel down at both ends. When interesting traffic is initiated from device A again, surprisingly the tunnel

    will come up. After 2 or 3 days (after the 86400-second lifetime expires), traffic initiated from device A will not establish the tunnel.

    (It is a backup link: interesting traffic won't be there all the time.)

    I checked all parameters and everything seems fine. Attached are the debug logs, but they are not very informative. Please suggest.

    February 2, 2010 13:23:17: %ASA-7-713236: IP = 81.145.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 496

    February 2, 2010 13:23:18: %ASA-6-713219: IP = 81.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

    February 2, 2010 13:23:18: %ASA-6-713219: IP = 81.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

    February 2, 2010 13:23:23: %ASA-6-713219: IP = 81.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

    February 2, 2010 13:23:25: %ASA-7-715065: IP = 81.x.x.x, IKE MM Initiator FSM error history (struct &0x1abb1e10) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

    February 2, 2010 13:23:25: %ASA-7-713906: IP = 81.x.x.x, IKE SA MM:56f95c85 terminating: flags 0x01000022, refcnt 0, tuncnt 0

    February 2, 2010 13:23:25: %ASA-7-713906: IP = 81.x.x.x, sending delete/delete with reason message

    February 2, 2010 13:23:25: %ASA-3-713902: IP = 81.x.x.x, Removing peer from peer table failed, no match!

    February 2, 2010 13:23:25: %ASA-4-713903: IP = 81.x.x.x, Error: Unable to remove PeerTblEntry

    Hi, I had a similar problem a long time ago. You can choose which side sets up the tunnel in your crypto map:

    crypto map IPsec_map 1 set connection-type bidirectional

    I hope that it might help solve your problem. Kind regards.

  • Cisco ASA IPsec VPN tunnel does not pass traffic

    Hi guys

    I am trying to set up a new IPsec VPN connection between a Cisco ASA 5520 (version 8.4(4)) and a Checkpoint firewall. I managed to establish the IKE and IPsec phases and I can see the tunnel is UP. But I can't see any traffic through the tunnel. I checked the crypto map at both ends and tried to test with a continuous ping from within the ASA's network.

    I made a capture of ICMP packets but cannot see them on the ASA. I allowed ICMP on the ASA inside interface.

    I did a packet tracer and it ends with a drop at vpn-filter. But I cannot see any configured filters...

    Your help is very appreciated...

    Thank you

    You probably need to add NAT exemption statements, something like:

    object-group network OBJ-LOCAL
    object-group network OBJ-REMOTE
    nat (inside,outside) source static OBJ-LOCAL OBJ-LOCAL destination static OBJ-REMOTE OBJ-REMOTE no-proxy-arp

    You are running 8.4; nat 0 has been deprecated.

  • How to install Win7 on a new hard drive and still access all the files from the previous Vista hard drives?

    I currently have a Windows Vista PC. It has two SATA drives, one with the operating system and one I use for storage.

    I want to buy a new SATA hard drive and install a fresh copy of Windows 7 on it.

    I want to know the steps to follow to do this. My plan is this:

    1. turn the pc power off and open the case.

    2. remove the old hard disks

    3. plug the new empty hard drive

    4. turn on the pc and insert the Win7 install disc into the DVD-ROM drive

    5. enter in the bios and put the DVD-ROM as first boot device

    6. install win 7 on new hard drive.

    Is this correct?

    Because my next question is important:

    7. Turning off the computer.

    8. reconnect the two old hard drives. New total number of SATA drives connected = three.

    Now when I restart the PC and log in to Win 7, will it list the two other drives as, for example, D:\ and E:\?

    How can I make this work?

    Thank you very much!

    Thanks for your reply, but I don't want to dual boot. I just want to have the new hard drive as the master Windows 7 drive and the two old drives as slaves, where I can access files such as pictures and letters.

    Any help would be appreciated!

    Well, I would disconnect all current internal hard drives, then connect the new hard drive, install Windows 7, re-attach the old drives as slaves and copy all the data you need onto the Windows 7 disk.


    How to connect a SATA hard disk as a slave.
    Single, master and slave drives and jumpering

  • How do I take movies off my MacBook Air to free up memory and still access those I downloaded from iTunes?

    I want to free up memory on my MacBook Air and have 65 GB of movies hogging the space. I don't want to lose them forever, so I want to know how I can free up memory and get back to the films at some point in the future.

    If they were purchased through iTunes, you can download them again at any time.

    However, there is no way to stream movies, so you have to download the entire file again to watch a movie.

    Open iTunes > iTunes Store > Purchased (on the right side of the window) > Movies.

    Make sure that the sort is set to "Not in my library" if you try to redownload something that has been removed from the computer.

  • Remote VPN clients and Internet access

    I apologize in advance if this question has already been addressed. I am currently using a PIX 520 firewall running version 6.1(2). I have several remote users that VPN to the PIX. Once the VPN tunnel is started, they are no longer able to connect to the Internet from their local computers. Is there a configuration on the PIX that allows remote users to have Internet access while they are connected to the PIX?


    Jeff Gulick

    The PIX does not allow traffic to enter and exit on the same interface. Therefore, a VPN user cannot access the Internet through the tunnel. If you use the Cisco client, enable split tunneling so that not all traffic goes through the tunnel.

    If you use PPTP, you can turn off the option that makes the remote network the default gateway. However, local routes will have to be added on these clients when they connect.

    Or you can use an additional interface on the firewall: one that terminates the VPN tunnels and another that provides Internet connectivity. That way the traffic does not enter and leave on the same interface.

    Of course, it is preferable if the client's Internet traffic does not go through the tunnel. It wastes your bandwidth and has security problems as well. I suggest you use the Cisco client with split tunneling.

  • VPN works well but home Internet access goes via my router


    I am connected to my office VPN (Cisco client) and I am able to access all branch office servers and network devices using their internal IP addresses.

    I can also access the Internet.

    But when I do a tracert to the office servers it is routed via the office network, whereas when I tracert to the Internet it goes via my home router. ??

    Isn't it supposed to go through my business network?

    Any help would be great. Thank you

    It's called a VPN split tunnel. They channel the company resources through the VPN and let your Internet traffic go out via your local Internet connection. Some companies split tunnel and a few tunnel all traffic, including Internet (full tunnel).

    There is nothing you can do. This is how your system admins have set it up.

  • Site-to-site VPN, I need all Internet traffic to exit at site A.

    I have 2 sites connected via a pair of SRX5308s.

    A =

    IP WAN =

    B =

    IP WAN =

    Now what I need to do is to have all traffic from B go to site A, even traffic destined for the Internet. That is, I need Internet traffic to leave our network with the site A IP, even if it comes from network B.

    On my ASA I have set up a route to the ISP, then a default 0/0 to it; the ASA knows how to get to the VPN peer via a more specific route but sends everything else over the tunnel, and at the remote end the ASA hairpins the Internet traffic out of its own WAN port.

    I can't understand, though, how to do the same thing on the pair of SRX5308s; they either don't raise the tunnel or route the Internet traffic out the local site B address.

    Anyone have any ideas?

    I need to do this because we are logging and monitoring Internet traffic at site A via an upstream tap feeding various IDS solutions, and will not (cannot) reproduce this at all our remote sites.

    Thank you


    After some more thought and testing I came up with a workable solution to my own problem. I'll share it here in case it can help others.

    (1) Use the wizard at both ends to implement a normal VPN that connects the two network segments.

    (2) Go to VPN -> VPN policy on the remote router (192.168.2.1) and click Edit

    (a) Disable NetBIOS

    (b) Select "None" from the remote IP address drop-down list.

    (c) Apply the change

    (3) Go to VPN -> VPN policy on the head end site and click Edit

    (a) Disable NetBIOS

    (b) Select "None" from the local IP address drop-down list

    (c) Apply the change

    Now all the traffic will go down the VPN tunnel and exit to the Internet at the head end site. Hope this helps others with the same question.

  • Impossible to reach secondary site over VPN tunnel


    I configured a Cisco PIX firewall for my VPN tunnels, and it works fine when I connect to the local network where the PIX is connected.

    When I want to communicate with a server at a secondary location over the VPN tunnel I get no response.

    The PIX can ping the server, but I can't ping the server via the VPN tunnel.

    PIX from IP

    Router IP address

    Secondary router IP address

    Secondary server IP address

    The default gateway on the local network is

    This router has a GRE tunnel (tunnel 3) to the secondary site.

    On this router, there is a default route to the PIX (for Internet).


    Make sure that you route the IP pool configured on the PIX on the secondary router/server. Just try to ping the IP address that the VPN client obtained from the server...

    You must also make sure that you add this secondary subnet to the sheep access list... otherwise your IP pool will see the NAT'ed IP of the server...

    On the sheep access list, allow all traffic from the secondary subnet to the IP pool...

    I hope this helps... all the best...

  • Bizarre vShield Edge NAT/VPN problem post 5.1 upgrade

    Hoping someone can shed some light on this issue for us. The TL;DR is that NAT rules seem to be causing unexpected behavior on VPN traffic after a vCloud 1.5 to 5.1 upgrade.

    Background: We work with a hosting provider to manage our vCloud environment. Quite simple: 2 ESXi hosts, a few NFS datastores. They have recently upgraded us from 1.5 to 5.1. For most of our vApps, we have just one vSE/routed network that connects a subnet to a "WAN" network and pulls a public IP address from a pool. We then NAT (network address translation) and open (firewall) ports (for example port 3389 for RDP) to selected virtual machines. Most of these networks also have a site-to-site VPN tunnel to a physical firewall across the Internet. After the upgrade, we went and converted our rules to the new format and enabled "multiple interfaces", effectively leaving compatibility mode. Everything was going well (even for vSE devices still in compatibility mode).

    Problem: We first noticed this when a customer reported that they were unable to access a virtual machine via RDP using its internal (vSE-protected) IP through a VPN tunnel, but could access the virtual machine via RDP using its public hostname/IP address. We allow all traffic across the VPN (the firewall has a single any:any rule for VPN traffic). When we connected to troubleshoot (thinking the VPN was down), we found that we could connect to any port on the remote virtual machine through the VPN tunnel except 3389. I can ping from the local subnet to the troubled VM on the vApp network without problem. I was able to connect to other ports that had been opened on the remote virtual machine without problem. I couldn't connect to 3389 through the VPN.

    We thought it could be isolated, but found the problem on every vSE we have: if there was a DNAT rule translating inbound traffic for a particular port, that port would be unresponsive to traffic through the VPN tunnel that is meant for the target of the DNAT rule.

    Does anyone have an idea what could be the cause?

    Looks like it is a problem experienced during the upgrade. These hidden firewall rules will not disappear until the firewall configuration is updated in some way. So the upgrade goes as follows:

    (1) Upgrade vCD

    (2) Upgrade vSM

    (3) Redeploy the edge gateway to upgrade it to version 5.1

    (4) Convert the firewall rules to the new format (where firewall rules have no management interface or traffic)

    (5) Change the edge gateway properties to multiple interface mode

    (6) Change the firewall specification somehow, i.e. add a dummy firewall rule and remove it, turn the firewall off and then on, etc.

    Which should cause the deny rule to go away.

  • VPN tunnel with U-turn


    I am trying to understand how DNS works with U-turn. I'm looking at the VPN tunnel configuration between an ASA 5510 (main office) and a PIX 506 (remote).

    Currently all the workstations in the remote offices are connected through the VPN tunnel between the PIX 506 and a VPN 3000 hub, so that they use the internal DNS server at the main office. I need to use U-turn on the ASA to allow remote users to surf the net. With the U-turn config, will the remote workstations still use the DNS server in the main office to resolve IP addresses?

    Thank you


    Hey Forman.

    Split DNS and split tunneling are both used with remote access clients. In your case, you are trying to configure a site-to-site VPN tunnel, so to "split" traffic you will use the crypto ACL to define the interesting traffic for the VPN. However, this ACL uses IP addresses to determine whether traffic must be encrypted or not, which is why your DNS lookup would have to occur before the traffic is encrypted. So you can either set the DNS server for the remote network to be the DNS server across the VPN tunnel and ensure that the DNS server's IP address is part of the interesting traffic, or you must ensure that the local DNS server is able to resolve names.

    In the case where you use U-turn, everything gets tunneled automatically, so you don't have to worry about your DNS queries in the tunnel.

    I hope that this explains the behavior.

    Kind regards


  • Juggling a 501-to-501 idle VPN tunnel

    Here is the config for the remote PIX 501. I read the article that deals with 'enabling or disabling ISAKMP keepalive'. I configured isakmp keepalive on the two PIX 501s. When there is no traffic, the VPN usually drops, sometimes within a few hours, sometimes within a few days. It comes right back up when the remote side starts traffic.

    But my questions are: can I configure it to always stay up? Is a missed keepalive the reason the tunnel gets deleted? Is this just how the 501 is?

    Thanks for all the comments.

    don-pix# sh conf
    : Saved
    : Written by enable_15 at 11:42:11.280 UTC Sat Jan 2 1993
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password encrypted
    passwd encrypted
    hostname don-pix
    domain-name
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name ocean-pix-outside
    access-list internet-traffic permit ip any
    access-list allow-ping permit icmp any any
    access-list toOcean-nat permit ip 255.255.255.0
    access-list don-to-ocean-vpn permit ip 255.
    pager lines 24
    icmp deny any outside
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 access-list internet-traffic 0 0
    static (inside,outside) access-list toOcean-nat 0 0
    access-group allow-ping in interface outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ocean esp esp-md5-hmac
    crypto map toOcean 20 ipsec-isakmp
    crypto map toOcean 20 match address don-to-ocean-vpn
    crypto map toOcean 20 set peer ocean-pix-outside
    crypto map toOcean 20 set transform-set ocean
    crypto map toOcean interface outside
    isakmp enable outside
    isakmp key ******** address ocean-pix-outside netmask
    isakmp keepalive 60
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption
    isakmp policy 9 hash md5
    isakmp policy 9 group 2
    isakmp policy 9 lifetime 86400
    telnet inside
    telnet inside
    telnet timeout 30
    ssh inside
    ssh timeout 5
    management-access inside
    console timeout 0
    dhcpd address - inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    don-pix#


    I may not be entirely on the money here.

    But I believe that DPD is not sent unless there has been no return traffic for a period of time.

    You should have 1 missed keepalive followed by 5 aggressive probes. With your settings there should be a disconnection of the connection after some 01:10 + variance.

    Normally, no timeout should apply to L2L tunnels.

    If you want to see the reason for the tunnel having dropped, I'm afraid it would take debugs of the disconnection.

