Daily Archives: 20/12/2012

Double NAT on ASA 8.4? Thanks to GNS3

Yesterday, I received a task at work to resolve a VPN issue. It wasn’t a straightforward solution. The client wants to create a new internet link via a new ASA firewall to connect to a PPTP server sitting inside the network. The default route still goes to their old internet link. One suggestion is to create a double NAT environment, but how? Thanks to GNS3, I created a lab with an ASA and Cisco 7200s to simulate the situation and was able to find a solution.

So what needs to be done is to create a double NAT on the ASA; this way, I don’t have to change the default route.

Simple Network Diagram

C1 is the VPN Client, R1 is the ISP router, ASA is the firewall, R2 is the Core Switch and R3 is the PPTP server.

Here are the interface configurations:
R1 G1/0 :
R1 G2/0 :
C1 :
ASA: G1/0 : (Outside)
ASA: G2/0 : (Inside)
R2: G1/0 :
R2: G2/0 :
R3: G1/0 : (PPTP SERVER)
R3: VPN POOL : –

R1 Configuration

int gi1/0
ip add
int gi2/0
ip add

R2 Configuration

int gi1/0
ip add
int gi2/0
ip add
ip route

R3 Configuration

int gi1/0
ip add

ip route

aaa new-model

aaa authentication login VPNAUTHEN local
aaa authorization network VPNAUTHOR local

vpdn-group 1
! Default PPTP VPDN group
protocol pptp
virtual-template 1
l2tp tunnel timeout no-session 15

interface Virtual-Template1
ip address
peer default ip address pool vpnpool
no keepalive
ppp authentication pap chap ms-chap ms-chap-v2
ip local pool vpnpool

ASA Configuration

interface GigabitEthernet0
nameif Outside
security-level 0
ip address
interface GigabitEthernet1
nameif Inside
security-level 100
ip address
object network pptp_inside
object network NAT_POOL
object service pptp
service tcp destination eq pptp
object network Inside-network
access-list Outside_access_in extended permit ip any any
access-list Inside_access_in extended permit ip any any
nat (Outside,Inside) source dynamic any NAT_POOL destination static interface pptp_inside service pptp pptp
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 1
route Inside 1
policy-map global-policy
class class-default
inspect pptp
set connection advanced-options tcp-state-bypass
service-policy global-policy global

What I want to achieve is that the VPN client ( connecting to ( is translated to (192.168.11.x) so that the PPTP connection can be set up, while people connecting via the existing internet link are not affected.
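To show why the source half of the translation matters, here is an added Python model that is not part of the original post or of any Cisco tooling: it applies the twice-NAT rule from the ASA config above to a PPTP client packet and then does R2's longest-prefix route lookup for R3's reply. All addresses in it are constructed (the post does not publish its addressing); only the 192.168.11.x pool and the object names come from the page.

```python
import ipaddress
from itertools import cycle

# Constructed addresses for the demo (assumptions, not the author's addressing)
ASA_OUTSIDE = "198.51.100.2"   # the "interface" in "destination static interface pptp_inside"
PPTP_INSIDE = "192.168.20.5"   # object network pptp_inside (R3)
NAT_POOL = cycle(f"192.168.11.{h}" for h in range(100, 110))  # object network NAT_POOL

# R2's routing table: ASA inside subnet is connected, default still points at the OLD link
R2_ROUTES = [
    (ipaddress.ip_network("192.168.11.0/24"), "ASA-inside"),
    (ipaddress.ip_network("192.168.20.0/24"), "R3"),
    (ipaddress.ip_network("0.0.0.0/0"), "old-ISP"),
]

def next_hop(dst, routes=R2_ROUTES):
    """Longest-prefix match, as R2 would do for a packet to dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def twice_nat(pkt):
    """Model of: nat (Outside,Inside) source dynamic any NAT_POOL
                 destination static interface pptp_inside service pptp pptp
    Returns (translated packet, xlate) or None when the rule does not match,
    i.e. anything other than TCP/1723 aimed at the Outside interface address."""
    if not (pkt["proto"] == "tcp" and pkt["dport"] == 1723 and pkt["dst"] == ASA_OUTSIDE):
        return None
    mapped_src = next(NAT_POOL)
    xlate = {"real_src": pkt["src"], "mapped_src": mapped_src}
    return {**pkt, "src": mapped_src, "dst": PPTP_INSIDE}, xlate

def reply_next_hop(inside_pkt):
    """R3 answers to the packet's source address; ask R2 where that goes."""
    return next_hop(inside_pkt["src"])

def demo(source_nat=True):
    """Where R2 sends the PPTP reply, with or without the source half of the
    translation (destination-only NAT is the naive alternative)."""
    client = {"src": "203.0.113.10", "dst": ASA_OUTSIDE, "proto": "tcp", "dport": 1723}
    translated, _xlate = twice_nat(client)
    if not source_nat:
        translated = {**translated, "src": client["src"]}
    return reply_next_hop(translated)

if __name__ == "__main__":
    print("with source NAT, reply goes via:", demo(True))      # ASA-inside
    print("without source NAT, reply goes via:", demo(False))  # old-ISP
```

The ASA config above also applies tcp-state-bypass under class-default, which switches off TCP stateful checks for every connection the policy matches; once the double NAT makes the path symmetric, scope that setting to a narrower class rather than all traffic.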