U-turn on ASA 8.3

Unanswered Question
Jun 3rd, 2010


I have this client that needs to configure u-turn for the VPN client traffic to get out to the Internet on the ASA.

I have done this on previous versions, i.e. (assuming the VPN pool is 192.168.1.x):

nat (outside) 5 outside

global (outside) 5 interface

same-security-traffic permit intra-interface

My question is in 8.3

How is the NAT migration for the above configuration to work on 8.3?

Thank you,


Federico Coto F... Thu, 06/03/2010 - 19:12

Don't worry, I finally figured it out.

For the VPN pool: 192.168.115.x

object network obj-
nat (outside,outside) dynamic interface


Federico Coto F... Thu, 06/03/2010 - 19:50


On this same question...

I'm trying to block certain web sites for the remote VPN clients on the ASA using MPF.

Sample config:

regex block1 "facebook\.com"

class-map type inspect http match-any block-url-class
 match request header host regex block1

policy-map type inspect http block-url-policy
 class block-url-class
  drop-connection log

policy-map global_policy
 class inspection_default
  inspect http block-url-policy

service-policy global_policy global

This works for internal users, but not for the remote VPN clients that terminate on the ASA and then are rerouted to the Internet by the ASA.

Does the application inspection not apply for u-turn traffic like this? Is there a way to make it work?

Thank you,


