I was hoping to allow my local LAN (192.168.60.x) the ability to access the internet through my ASA 5505 while still maintaining the VPN tunnel that is required. I just recently added a number of access-lists to my config, which resulted in internet access being cut off. Before the access lists were added, I had some nonat statements in the config which did allow internet access.
Clearly there is an access list line that I'm not adding. I thought about:
access-list inside_acl extended permit ip 192.168.60.0 255.255.255.0 any
But was reluctant as I didn't want to open up too much. Was hoping to get an opinion from someone more knowledgeable than myself.
Any thoughts would be much appreciated.
Config file attached.
Allow specific ports to remote vpn 1.
Deny everything else to remote vpn 1.
Allow specific ports to remote vpn 2.
Deny everything else to remote vpn 2.
Allow tcp 80, 443, udp 53 access to any.
Your NATs are OK and it is indeed your inside_acl that is blocking your web browsing. Your permit ip any any will work, but as you stated, it's quite insecure. Try something like this:
access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 any eq 80
access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 any eq 443
This will allow you to surf HTTP and HTTPS. You may need to add DNS too.
Hope that helps.
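To show why the ordering of those lines matters, here is a small first-match evaluator for ASA-style extended ACL entries. This is an added example, not part of the thread or the poster's config: the VPN subnets (10.10.10.0/24 and 10.20.20.0/24) and the per-tunnel ports (3389 and 445) are assumed placeholders, since the real config was only attached, not shown. It models the ASA rules that apply here: entries are evaluated top to bottom, the first match wins, an ACL ends with an implicit deny, and ASA extended ACLs use ordinary subnet masks rather than IOS-style wildcard masks.

```python
"""First-match evaluator for Cisco ASA style 'access-list ... extended' entries.

Added example for the inside_acl discussion; VPN subnets and ports below are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

LAN = "192.168.60.0 255.255.255.0"
VPN1 = "10.10.10.0 255.255.255.0"   # assumed remote VPN 1 subnet
VPN2 = "10.20.20.0 255.255.255.0"   # assumed remote VPN 2 subnet


@dataclass
class Ace:
    action: str                              # "permit" or "deny"
    proto: str                               # "ip", "tcp" or "udp"
    src: Optional[ipaddress.IPv4Network]     # None means "any"
    dst: Optional[ipaddress.IPv4Network]     # None means "any"
    dport: Optional[int]                     # destination port from "eq N", None means any


def _parse_addr(tokens):
    """Consume 'any' or '<addr> <netmask>' (ASA uses real masks, not wildcards)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line: str) -> Ace:
    # access-list <name> extended <permit|deny> <proto> <src> <dst> [eq <port>]
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto = t[3], t[4]
    src, rest = _parse_addr(t[5:])
    dst, rest = _parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(action, proto, src, dst, dport)


def _matches(ace: Ace, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.src is not None and ipaddress.IPv4Address(src_ip) not in ace.src:
        return False
    if ace.dst is not None and ipaddress.IPv4Address(dst_ip) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == dport


def evaluate(acl: List[str], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """Return 'permit' or 'deny' for a flow; first matching entry wins, implicit deny at the end."""
    for ace in map(parse_ace, acl):
        if _matches(ace, proto, src_ip, dst_ip, dport):
            return ace.action
    return "deny"   # the implicit deny that cut off the poster's web browsing


# The asker's situation: only VPN-specific entries, so everything else hits the implicit deny.
VPN_ONLY_ACL = [
    f"access-list inside_acl extended permit tcp {LAN} {VPN1} eq 3389",
    f"access-list inside_acl extended deny ip {LAN} {VPN1}",
    f"access-list inside_acl extended permit tcp {LAN} {VPN2} eq 445",
    f"access-list inside_acl extended deny ip {LAN} {VPN2}",
]

# The ordering from the thread: tunnel permits, tunnel denies, then web and DNS to any.
GOOD_ACL = VPN_ONLY_ACL + [
    f"access-list inside_acl extended permit tcp {LAN} any eq 80",
    f"access-list inside_acl extended permit tcp {LAN} any eq 443",
    f"access-list inside_acl extended permit udp {LAN} any eq 53",
]

# Same entries with the general web permit placed first: it now also matches traffic
# to the VPN subnets, so the later "deny everything else" lines never see port 80.
BAD_ORDER_ACL = [f"access-list inside_acl extended permit tcp {LAN} any eq 80"] + VPN_ONLY_ACL


if __name__ == "__main__":
    for name, acl in (("vpn-only", VPN_ONLY_ACL), ("good", GOOD_ACL), ("bad-order", BAD_ORDER_ACL)):
        print(name, "web:", evaluate(acl, "tcp", "192.168.60.10", "203.0.113.5", 443),
              "vpn1 http:", evaluate(acl, "tcp", "192.168.60.10", "10.10.10.5", 80))
```

Running it shows the three states at once: with only the tunnel entries, HTTPS to the internet is denied by the implicit deny (the symptom in the question); with the web permits appended after the tunnel denies, internet browsing works while HTTP to a VPN subnet is still denied; and with the `permit tcp ... any eq 80` moved above the tunnel denies, HTTP to the VPN subnet leaks through, which is why the general permits belong at the bottom.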