02-22-2008 08:34 AM - edited 03-11-2019 05:07 AM
Hi, I have a Cisco 5520. I have managed to use the Cisco VPN Client to connect to the Outside interface and communicate with the servers on the LAN. My VPN pool is 192.168.8.x/24 and I simply added a rule on the Outside:
source = 192.168.8.x/24 destination = any
protocol = ip
then a rule on the Inside:
source = any destination = 192.168.8.x/24
protocol = ip
Now I just need to work out how to get to the Internet and the DMZ I have on this ASA.
The Internet is just through the Outside of the ASA's Interface and the DMZ of a giga port on the ASA.
Let me know what info you need.
Thanks
02-22-2008 11:21 AM
Hi Andy
Please attach your running-config.
Do you want your VPN clients to reach the internet via the VPN tunnel through the ASA, or do you want them to reach the internet via their local gateway and use their local bandwidth instead of the main office's?
Regards
02-22-2008 11:31 AM
Hi there, I'll get the config over when I get it; however, it's huge. Do you need just part of it?
And yes their internet traffic has to go over the tunnel to the ASA.
02-22-2008 11:33 AM
Internet-
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1 192.168.8.0 255.255.255.0
DMZ Access-
access-list dmz_nat0_outbound extended permit ip
nat (dmz) 0 access-list dmz_nat0_outbound
02-22-2008 11:52 AM
Andy,
You can exclude the outside_access_in and inside_access_in access-lists, exclude object groups and names. Also use attach file feature and upload your config as a txt file.
Regards
02-22-2008 01:11 PM
02-22-2008 01:16 PM
Add..
access-list DMZ2_nat0_outbound extended permit ip any 192.168.8.0 255.255.255.0
access-list DMZ_inbound_nat0_acl outside extended permit ip any 192.168.8.0 255.255.255.0
access-list DMZ4_outbound_nat0_acl outside extended permit ip any 192.168.8.0 255.255.255.0
same-security-traffic permit intra-interface
nat (outside) 1 192.168.8.0 255.255.255.0
02-25-2008 10:54 AM
I will try this tomorrow. For my understanding, what does "same-security-traffic permit intra-interface" do?
Also, could "nat (outside) 1 192.168.8.0 255.255.255.0"
be
"nat (VPN_Client) 1 192.168.8.0 255.255.255.0"
so I know what it is? Or does it have to be outside?
02-25-2008 11:30 AM
same-security-traffic permit intra-interface allows traffic to enter and exit the same interface. Since you want your vpn clients to access the internet via the outside interface of the ASA, this traffic will be bouncing off the outside interface.
No, it must be...
nat (outside) 1 192.168.8.0 255.255.255.0
02-26-2008 02:07 AM
Thanks for your informative replies, they are a great help. I'm going to try this today. What does the 1 mean in "nat (outside) 1 192.168.8.0 255.255.255.0"?
02-26-2008 03:10 AM
Hi, I get this error:
ASA(config)# nat (outside) 1 192.168.8.0 255.255.255.0
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
ASA(config)#
02-26-2008 05:44 AM
The "1" ties the statement to the "1" in your global (outside) 1 interface command.
The message you are getting is just a warning, it's not an error, and you do not need the outside keyword. Should work fine.
02-26-2008 06:18 AM
Hi, it's not working yet, but I realised I didn't add:
same-security-traffic permit intra-interface
global (outside) 1 interface
Only:
nat (outside) 1 192.168.8.0 255.255.255.0
Do I need the other 2 lines?
02-26-2008 06:24 AM
Yes you need both of those.
02-27-2008 08:22 AM
Damn, you're good, that fixed it all!
I tried similar stuff through the ASDM, but couldn't find the "same-security-traffic permit intra-interface "
global (outside) 1 interface was already on the ASA
Also, is "access-list dmz_nat0_outbound extended permit ip
nat (dmz) 0 access-list dmz_nat0_outbound" basically an exempt rule?
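Pulling the thread together, as an added example (not part of any post above, and not Cisco's own tooling): a small Python linter for the pre-8.3 nat/global syntax used here. It checks the three statements the poster ended up needing for VPN clients to hairpin out the outside interface (same-security-traffic permit intra-interface, a global (outside) pool, and a nat (outside) statement for the VPN pool whose numeric id matches that global), and it checks that any nat 0 access-list exemption is defined and actually covers the pool. The sample configs are constructed from the lines in the thread; the 10.10.10.0/24 DMZ subnet and the full access-list entry are assumptions, because the thread's access-list line is truncated.

```python
"""Lint a pre-8.3 Cisco ASA config for VPN-client hairpin NAT and nat 0 exemption.

Added example, not from the thread. Sample configs are constructed from the
lines posted there; the 10.10.10.0/24 DMZ subnet is an assumption."""
import re

POOL, MASK = "192.168.8.0", "255.255.255.0"   # VPN pool from the thread

# The three statements the thread needed for hairpinning, plus a nat 0
# exemption for the DMZ. The access-list source 10.10.10.0/24 is assumed:
# the thread's access-list line is truncated, so its real value is unknown.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1 192.168.8.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.8.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
"""

# What the poster entered first (02-26-2008 06:18 AM): the nat line alone.
PARTIAL_CONFIG = "nat (outside) 1 192.168.8.0 255.255.255.0\n"

INTRA = "same-security-traffic permit intra-interface"
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)\b")
# A trailing 'outside' keyword is optional: the ASA only warns when it is absent.
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)(?: outside)?$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (any|\S+ \S+) (any|\S+ \S+)$")


def config_lines(config):
    """Drop blank lines and '!' comment lines, as 'show running-config' prints them."""
    return [l.strip() for l in config.splitlines()
            if l.strip() and not l.lstrip().startswith("!")]


def check_hairpin(config, pool=POOL, mask=MASK, egress="outside"):
    """Findings for sending VPN clients back out the egress interface.
    An empty list means all three statements are present and their ids agree."""
    cfg = config_lines(config)
    findings = []
    if INTRA not in cfg:
        findings.append(f"missing: {INTRA}")
    globals_, nat_ids = set(), []
    for line in cfg:
        g = GLOBAL_RE.match(line)
        if g:
            globals_.add((g.group(1), g.group(2)))
        n = NAT_RE.match(line)
        if (n and n.group(1) == egress and n.group(2) != "0"
                and (n.group(3), n.group(4)) == (pool, mask)):
            nat_ids.append(n.group(2))
    if not nat_ids:
        findings.append(f"missing: nat ({egress}) <id> {pool} {mask}")
    for nat_id in nat_ids:
        # The numeric id is what ties a nat statement to its global pool.
        if (egress, nat_id) not in globals_:
            findings.append(f"nat ({egress}) {nat_id} has no matching global ({egress}) {nat_id}")
    return findings


def check_nat_exempt(config, pool=POOL, mask=MASK):
    """Findings for nat 0 (NAT exemption) rules that should cover the VPN pool."""
    cfg = config_lines(config)
    acls, exempts = {}, []
    for line in cfg:
        a = ACL_RE.match(line)
        if a:
            acls.setdefault(a.group(1), []).append((a.group(2), a.group(3)))
        z = NAT0_RE.match(line)
        if z:
            exempts.append((z.group(1), z.group(2)))
    findings = []
    if not exempts:
        findings.append("missing: nat (<iface>) 0 access-list <acl>")
    for iface, name in exempts:
        entries = acls.get(name)
        if entries is None:
            findings.append(f"nat ({iface}) 0 references undefined access-list {name}")
        elif not any(dst in ("any", f"{pool} {mask}") for _src, dst in entries):
            findings.append(f"access-list {name} has no entry with destination {pool} {mask}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("full", SAMPLE_CONFIG), ("partial", PARTIAL_CONFIG)):
        print(label, "hairpin:", check_hairpin(cfg) or "OK")
        print(label, "nat 0:", check_nat_exempt(cfg) or "OK")
```

Run against the poster's first attempt (the nat statement alone), the linter reports exactly the two statements the thread said were missing; run against a config whose nat and global ids differ, it reports the dangling id, which is the relationship the "1" question was about. Paste the relevant part of a real running-config into the strings to check your own box; the regexes only understand the nat/global syntax of ASA releases before 8.3.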