
ASA 5540 behind a NAT overloaded router, configured for client VPNs

The following devices are in this scenario:
  • An end-user device on a public network with the Cisco VPN client.
  • A Cisco 3845 router connected to a public network and a private network.
  • A Cisco ASA 5540 firewall behind the router, configured with private networks.
Cisco 3845 base configuration
interface GigabitEthernet0/0
 description Outside interface
 ip address
 ip nat outside
interface GigabitEthernet0/1
 description Inside interface
 ip address
 ip nat inside
ip route
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit
Cisco ASA 5540 base configuration
interface GigabitEthernet0/0
 nameif eth0
 security-level 0
 ip address
Cisco 3845 configuration
ip nat inside source static esp interface gigabitEthernet 0/0
ip nat inside source static udp 500 interface gigabitEthernet 0/0 500
ip nat inside source static udp 4500 interface gigabitEthernet 0/0 4500
ip nat inside source static tcp 22 1022 extendable
Cisco ASA 5540 configuration
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 3600
isakmp enable eth0
ip local pool vpnpool mask
crypto ipsec transform-set vpn-transform esp-3des esp-md5-hmac
tunnel-group vpn-tunnel-group type ipsec-ra
tunnel-group vpn-tunnel-group general-attributes
address-pool vpnpool
tunnel-group vpn-tunnel-group ipsec-attributes
pre-shared-key Test9847
crypto dynamic-map dynmap 1 set transform-set vpn-transform
crypto map mymap 1 ipsec-isakmp dynamic dynmap
crypto map mymap interface eth0
Configuring the VPN client
Group Authentication Name: vpn-tunnel-group
Password: Test9847
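
The ASA 5540 configuration above selects 3DES, MD5 and Diffie-Hellman group 2, and stores the group pre-shared key in the configuration text. The following Python check is an added example, not part of the original how-to: it flags those settings when reviewing an ASA configuration. The function name audit, the weak-algorithm lists and the treatment of an all-asterisk key as masked are assumptions of this example.

```python
import re

# Constructed sample: ISAKMP/IPsec lines copied from the ASA 5540 section of this page.
SAMPLE_CONFIG = """\
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 3600
crypto ipsec transform-set vpn-transform esp-3des esp-md5-hmac
tunnel-group vpn-tunnel-group ipsec-attributes
pre-shared-key Test9847
"""

# Assumption: these lists are this example's review policy, not a Cisco default.
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

IKE_RE = re.compile(r"^(?:crypto )?isakmp policy (\d+) (\w+) (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
PSK_RE = re.compile(r"^pre-shared-key (\S+)$")

def audit(config_text):
    """Return (line_number, finding) tuples for weak client-VPN settings."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        m = IKE_RE.match(line)
        if m:
            policy, attr, value = m.groups()
            if value.lower() in WEAK_IKE.get(attr, ()):
                findings.append((lineno, f"IKE policy {policy}: weak {attr} '{value}'"))
            continue
        m = TS_RE.match(line)
        if m:
            for transform in m.group(2).split():
                if transform.lower() in WEAK_ESP:
                    findings.append((lineno, f"transform-set {m.group(1)}: weak '{transform}'"))
            continue
        m = PSK_RE.match(line)
        # Assumption: a key made only of '*' is the masked form, so it is not reported.
        if m and set(m.group(1)) != {"*"}:
            # The key value itself is deliberately left out of the finding text.
            findings.append((lineno, "pre-shared-key present in cleartext"))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}")
```

Run against the sample, it reports the IKE encryption, hash and group lines, both transforms in vpn-transform, and the cleartext key.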