Newbie here! Anyway, I have a simple, yet in my mind complex, question.

Here's the scenario:

I've got an ASA appliance that is running in parallel with my corporate Internet Gateway Firewall. I'm trying to turn the ASA into a VPN terminating device for L2L and IPSEC-RA. L2L works great. I do have a problem with the IPSEC-RA. I'm able to connect and log in to the appliance, obtain an IP address from the local pool, and access all of the corporate network.

Here's what I can't do:

Access the Internet, or access any of the static routes within my internal routers.

For Internet access, my main goal is to have all of my users' traffic go out through my corporate Internet GW firewall once they're connected to the VPN.

Jennifer Halim Wed, 03/17/2010 - 05:17

Disable split tunneling, and configure your corporate internet gw firewall as the tunnel default gateway on the ASA.

Assuming your inside interface is called "inside", on the ASA:

route inside 0 0 tunneled


I guess it would help if I posted a snippet of my config; also, please see my mini diagram:

interface GigabitEthernet0/0
speed 100
duplex full
nameif inside
security-level 100
ip address 10.x.x.101 standby 10.x.x.102

interface GigabitEthernet0/1
speed 100
duplex full
nameif outside
security-level 0
ip address 173.x.x.10 standby 172.x.x.11

same-security-traffic permit intra-interface

ip local pool webvpn_pool mask

access-list no_nat extended permit ip any

global (outside) 1 interface
nat (outside) 0 access-list no_nat

If I add nat (inside) 1 0 0 or nat-control, not only can't I connect to the Internet and the remote LAN, but I'm unable to access my internal network at all.

route outside 173.x.x.1 1

route inside 10.x.x.1 tunneled

route inside 137.x.x.0 10.x.x.1 <---remote lan

Jennifer Halim Wed, 03/17/2010 - 20:12

Instead of configuring the following nat statement: "nat (outside) 0 access-list no_nat", you should configure the following:

access-list no_nat permit ip any

nat (inside) 0 access-list no_nat

I assume that both your Internet Gateway firewall and the internal router have a route for the network pointing towards the ASA inside interface (10.x.x.101).
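As an added illustration of how the pieces from both replies fit together (this is not the poster's config or Cisco documentation): an 8.2-era ASA configuration for full-tunnel remote access with Internet breakout through the corporate gateway firewall. The group-policy name, the next-hop addresses and the remote-LAN values in angle brackets are placeholders, and the 192.0.2.0/24 pool is a constructed documentation range.

```cisco
! Added example, not the poster's configuration. Values in <angle brackets> are
! assumptions; 192.0.2.0/24 is a constructed documentation range, not a real pool.
!
! 1. Let decrypted VPN traffic leave the same interface it arrived on, so a
!    client -> ASA -> corporate-GW -> Internet "hairpin" is permitted.
same-security-traffic permit intra-interface
!
! 2. Address pool handed to IPsec remote-access clients.
ip local pool webvpn_pool 192.0.2.10-192.0.2.100 mask 255.255.255.0
!
! 3. Disable split tunneling so ALL client traffic, Internet included, enters the tunnel.
group-policy <ra_group_policy> attributes
 split-tunnel-policy tunnelall
!
! 4. NAT exemption in the inside -> pool direction. With nat-control or "nat (inside) 1 0 0",
!    replies from inside hosts to pool addresses would otherwise be PATed to the outside
!    interface address and the tunnel breaks; "nat (outside) 0" does not cover that direction.
access-list no_nat extended permit ip any 192.0.2.0 255.255.255.0
nat (inside) 0 access-list no_nat
!
! 5. Default route that applies ONLY to traffic arriving through a tunnel: hand it to the
!    corporate Internet gateway firewall on the inside. Ordinary (non-tunneled) traffic
!    keeps using the regular outside default route.
route outside 0.0.0.0 0.0.0.0 <outside_next_hop> 1
route inside 0.0.0.0 0.0.0.0 <corp_internet_gw_ip> tunneled
!
! 6. Networks behind the internal router (the "remote lan" in the thread).
route inside <remote_lan_network> <remote_lan_mask> <internal_router_ip>
!
! Return path: the corporate GW firewall and the internal router both need a route for
! 192.0.2.0/24 pointing at the ASA inside interface (10.x.x.101), or replies never come back.
!
! Checks: "show route" lists the tunneled default separately from the normal default;
! "show vpn-sessiondb remote" shows the client's pool address; "show xlate" should show
! no translation for 192.0.2.x once the exemption is in place.
```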
