Internet access via VPN

Unanswered Question
May 3rd, 2008

Hi all...

Friends, I have 2 ASA FWs, a 5510 and a 5505. The first ASA (5510) is the main one. This ASA has access to the internet, and the second one is only for the VPN (site-to-site) connection with the ASA 5510. Now I want users from the ASA 5505 to have access to the internet, but only VIA the ASA FW 5510. For example, if a user from the inside network of the ASA 5505 wants to open a web site, it has to go through the ASA FW 5510 outside default gateway... ??? Sorry for my poor English ... hope I write pretty clear to understand ... )))))

Regards ...

Richard Burts Sat, 05/03/2008 - 08:53


Some parts of your question I think that I understand and some parts I do not. I understand that there are 2 ASA and I understand that the ASA5510 is main and that ASA5505 is for VPN. I understand that you want users who establish VPN sessions to the ASA5505 to have to go through the ASA5510 to get to the Internet.

But I do not understand the topology of the network and how the ASA are connected. Do both of the ASA have their own Internet connection? Or is the ASA5505 connected behind the ASA5510 (Internet traffic comes into 5510 and VPN traffic passes through it to the 5505)? Are the ASA directly connected by some Ethernet/FastEthernet or is there some layer 3 device (router) which connects them? If we knew this we might be able to give better answers.

But not knowing that I will share a few ideas. If the ASA5505 is connected behind the ASA5510 then it is easy since the ASA5510 is the gateway to the Internet.

If the ASA5505 has its own separate Internet connection then it becomes a bit more complicated. I believe that you could accomplish what you want by configuring the default route on the ASA5505 to point to the inside interface of the ASA5510. That way any VPN user traffic headed to the Internet would be forwarded through the ASA5510. This would require that the ASA5505 have a static route for each of the remote site to site peers pointing to its Internet interface. This would allow the ASA5505 to route any VPN peer to peer traffic directly through the Internet but would route all other Internet traffic through the ASA5510.

If these alternatives do not answer your question then perhaps you can clarify some aspects of your situation.



batumibatumi Sun, 05/04/2008 - 00:10

Rich, great TNX for UR reply... It's very kind from UR side.

And now about my topology. The ASAs are situated in different cities. Behind the ASAs is standing ISA 2006 (I know ISA well and with ISA there is no problem). Nowadays the ASA 5505, one may say, is just used for the VPN connection with the ASA 5510. The VPN tunnel works fine.

Both devices have public IPs and gateways. I could configure PAT on the ASA 5505 outside interface, add a default route in the routing table and they would have internet (pretty simple). But the firm's manager wants inside users from the ASA 5505 to have access to the Internet via the VPN (to go to the internet through the ASA 5510 gateway)...

I'm configuring it with ASDM... and what do I have to do ... ? Tomorrow I have to accomplish this task... Need UR advice ...

rkalia1 Sun, 05/04/2008 - 13:10

Put the following command on the 5510:

same-security-traffic permit intra-interface

This will allow the 5505 VPN users to send traffic out to the internet through the same interface from where they enter 5510. This is called hairpinning.

Richard Burts Sun, 05/04/2008 - 17:45


If you read carefully the original post Giorgi says that he wants VPN users on 5505 to access the Internet via the 5510:

Now i want users from ASA 5505 have access to internet, but only VIA ASA FW 5510.

Therefore hairpinning on the 5505 is not the answer that he needs.



batumibatumi Sun, 05/04/2008 - 22:16

Rick is absolutely right.

I want exactly what Rick said.

Does anybody have any more ideas ??? Please, somebody advise me what to do ...


Richard Burts Mon, 05/05/2008 - 04:22


It complicates the issue if the ASAs are in different cities. For users in the city where the ASA5505 is located, how do they get to the Internet? If their Internet access is through the ASA5510 then my suggestion of configuring the ASA5505 with its default route pointing out the inside interface (toward the ASA5510) may work - it would require configuring static routes for each of the LAN to LAN peers pointing out the outside interface. If users in the city of the ASA5505 get Internet access through the ASA5505 then I do not see any way to have VPN users be directed to the ASA5510.
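As an added illustration (not posted by anyone in this thread, and not taken from Cisco documentation verbatim), the configuration below sketches the two pieces the thread circles around: the spoke (ASA 5505) sends all of its inside traffic into the site-to-site tunnel, and the hub (ASA 5510) is allowed to hairpin that traffic back out its outside interface with `same-security-traffic permit intra-interface` and translate it behind its public address. All addresses, object and ACL names are constructed placeholders, and the NAT lines use the pre-8.3 `nat`/`global` syntax that ASA code of the 2008 era expects; a newer ASA needs the equivalent object NAT instead.

```text
! ===== Spoke: ASA 5505 (constructed example, addresses are placeholders) =====
! Inside LAN 10.2.0.0/24; hub public address 203.0.113.10 (placeholder)
!
! Crypto ACL: ALL traffic from the spoke LAN is "interesting", so web traffic
! to any Internet host is encrypted toward the hub instead of using local PAT.
access-list L2L_TO_HUB extended permit ip 10.2.0.0 255.255.255.0 any
!
! Exempt the same traffic from NAT on the spoke (the hub will translate it).
access-list NONAT extended permit ip 10.2.0.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
!
! Default route still points at the spoke's own ISP gateway (placeholder),
! because the encrypted packets to the hub must reach the Internet.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
crypto map OUTSIDE_MAP 10 match address L2L_TO_HUB
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! ===== Hub: ASA 5510 (constructed example, addresses are placeholders) =====
! Inside LAN 10.1.0.0/24; spoke public address 198.51.100.10 (placeholder)
!
! Allow traffic that arrived on "outside" (decrypted from the tunnel) to leave
! through "outside" again: this is the hairpinning discussed above.
same-security-traffic permit intra-interface
!
! Mirror image of the spoke crypto ACL: any destination, from the spoke LAN.
access-list L2L_TO_SPOKE extended permit ip any 10.2.0.0 255.255.255.0
!
! Hub LAN <-> spoke LAN stays untranslated (site-to-site traffic).
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Spoke LAN addresses entering on "outside" are PATed to the hub's public IP
! when they hairpin back out to the Internet (pre-8.3 syntax).
nat (outside) 1 10.2.0.0 255.255.255.0
global (outside) 1 interface
!
crypto map OUTSIDE_MAP 10 match address L2L_TO_SPOKE
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
```

The point of the layout is that no default route needs to point "into" the tunnel on either box: the crypto ACL, not the routing table, decides which packets are encrypted, so the spoke keeps its ordinary default route to its ISP while every inside packet still exits through the hub's gateway. When checking the result, `show crypto ipsec sa` on both units should show the `0.0.0.0/0` selector, and `show xlate` on the hub should show spoke addresses translated to the hub's outside interface.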



