U-turn on ASA 8.3

Unanswered Question
Jun 3rd, 2010

Hi,


I have this client that needs to configure u-turn for the VPN client traffic to get out to the Internet on the ASA.

I have done this on previous versions, i.e. (assuming the VPN pool is 192.168.1.x):


nat (outside) 5 192.168.1.0 255.255.255.0 outside
global (outside) 5 interface
same-security-traffic permit intra-interface


My question is in 8.3

How is the NAT migration for the above configuration to work on 8.3?


Thank you,


Federico.

Federico Coto F... Thu, 06/03/2010 - 19:12

Don't worry, finally figured it out.


For the VPN pool: 192.168.115.x


object network obj-192.168.115.0
 nat (outside,outside) dynamic interface


Federico.

Federico Coto F... Thu, 06/03/2010 - 19:50

Hi,


On this same question...

I'm trying to block certain web sites for the remote VPN clients on the ASA using MPF.


Sample config:


regex block1 "facebook\.com"

class-map type inspect http match-any block-url-class
 match request header host regex block1

policy-map type inspect http block-url-policy
 parameters
 class block-url-class
  drop-connection log

policy-map global_policy
 class inspection_default
  inspect http block-url-policy

service-policy global_policy global

This works for internal users, but not for the remote VPN clients that terminate on the ASA and then are rerouted to the Internet by the ASA.

Does the application inspection not apply for u-turn traffic like this? Is there a way to make it work?


Thank you,


Federico.

Federico Coto F... Thu, 06/03/2010 - 21:14

I needed to apply the service-policy to the outside interface and not "global".


Federico.
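
The configuration this thread arrives at, collected in one place as an added example (not part of the original posts). The `subnet` line with its /24 mask, the ACL name `vpn-http`, and the names `outside-http-class` and `outside-policy` are assumptions; everything else is taken from the posts above.

```cisco
! --- U-turn (hairpin) NAT for the VPN pool on ASA 8.3 ---
! Assumption: the pool 192.168.115.x is a /24.
object network obj-192.168.115.0
 subnet 192.168.115.0 255.255.255.0
 nat (outside,outside) dynamic interface

! Allow traffic to enter and leave the same interface.
same-security-traffic permit intra-interface

! --- HTTP Host-header filter, as posted in the thread ---
regex block1 "facebook\.com"

class-map type inspect http match-any block-url-class
 match request header host regex block1

policy-map type inspect http block-url-policy
 parameters
 class block-url-class
  drop-connection log

! --- Apply the inspection on the outside interface, not globally ---
! Assumption: limit the class to HTTP sourced from the VPN pool
! (hypothetical ACL and class names).
access-list vpn-http extended permit tcp 192.168.115.0 255.255.255.0 any eq www

class-map outside-http-class
 match access-list vpn-http

policy-map outside-policy
 class outside-http-class
  inspect http block-url-policy

service-policy outside-policy interface outside
```

`show service-policy interface outside` lists the `inspect http` counters for the class, which confirms whether the hairpinned VPN traffic is reaching the inspection. The Host-header match only sees cleartext HTTP on tcp/80, so HTTPS requests to the same site are not covered by this policy.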
