ASA site to site tunnel with U turn config

Answered Question
Jun 7th, 2010

Hello,


I have site to site VPN tunnel running between ASA 5510 (8.2) and Cisco PIX506 (remote site). I need to enable users in remote office to surf the net. I was looking into the documentation here and enabled traffic to enter/exit the same interface on ASA (same-security-traffic permit intra-interface), however there's something still missing. I'm not sure how to troubleshoot this issue...


ASA is configured to NAT inside clients to one public IP (VPN tunnel also terminates to this interface)


ASA:

global (outside) 1 208.x.x.x                   
nat (inside) 0 access-list No-Nat-VPN    
nat (inside) 1 0.0.0.0 0.0.0.0


So when the packets to Internet arrive thru the tunnel, they need to be sent out on the same interface and NATted (but to get the tunnel to work I had to exempt interested traffic from NAT). Is this causing a problem?


Correct Answer
Federico Coto F... Mon, 06/07/2010 - 11:37

Hi,


The NAT rules should be like this:


global (outside) 1 208.x.x.x                   
nat (outside) 1 x.x.x.x mask -->  VPN pool


With the above, you're NATing the VPN clients when going out to the Internet.

You can still leave the NONAT ACL for the VPN traffic itself.


Federico.

forman102 Tue, 06/08/2010 - 10:23

Hi Federico,


You are referring to VPN clients... does the same logic pertain to site to site tunnels? Assuming that my remote site network in VPN tunnel config is 192.168.10.0/24, what commands should I issue to achieve appropriate NAT config (U turn)?


Will these statements "NAT" traffic to Internet from my remote network, as you suggested?


hostname(config)# same-security-traffic permit intra-interface
hostname(config)# nat (outside) 1 192.168.10.0 255.255.255.0


If so.. will traffic to Internet go over the tunnel? I'd like to have it this way.


thanks






Correct Answer
Federico Coto F... Tue, 06/08/2010 - 10:28

Correct.


You should see translations for your remote network.

i.e

sh xlate


Federico.
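Putting the pieces from this thread together, here is a complete ASA 8.2 configuration for the U-turn setup (added as an illustration; it is not taken from any of the posts above). The local LAN 10.1.1.0/24, the public address 203.0.113.10, the ACL names and the two test hosts are constructed placeholders. The crypto ACL line assumes the tunnel is already built with "any -> 192.168.10.0/24" on the ASA, mirrored by "192.168.10.0/24 -> any" on the PIX; that mirror is what makes the remote site send its Internet traffic into the tunnel instead of straight out of the PIX.

```text
! Added example (ASA 8.2 syntax), not from the original thread.
! Placeholders: 10.1.1.0/24 = local LAN, 203.0.113.10 = public PAT address,
! 192.168.10.0/24 = remote site LAN behind the PIX 506.

! Let traffic that enters through the tunnel on "outside" leave on "outside" again
same-security-traffic permit intra-interface

! Keep the tunnel's own traffic (local LAN <-> remote LAN) out of NAT
access-list No-Nat-VPN extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list No-Nat-VPN

! Existing PAT for the local clients
global (outside) 1 203.0.113.10
nat (inside) 1 0.0.0.0 0.0.0.0

! The missing piece: also translate the remote LAN when it exits "outside"
nat (outside) 1 192.168.10.0 255.255.255.0

! Assumption: the crypto ACL on this side encrypts anything destined to the
! remote LAN, so replies from the Internet (after un-NAT) go back into the tunnel
access-list Tunnel-To-Remote extended permit ip any 192.168.10.0 255.255.255.0

! Checks: simulate a remote host reaching a web server (constructed addresses),
! then confirm that a translation for the remote LAN exists
packet-tracer input outside tcp 192.168.10.25 1025 198.51.100.80 80
show xlate | include 192.168.10
```

packet-tracer walks the flow through the NAT and VPN phases and ends with an ALLOW or DROP verdict, so it shows which rule is missing before any real client is tested; once a remote host has browsed, show xlate should list 192.168.10.x addresses mapped to the global address, which is the translation Federico refers to above.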

forman102 Fri, 06/11/2010 - 08:29

Tested and working. Thank you.

How could I redirect the Internet traffic to web filter connected directly to inside interface of ASA? 

forman102 Fri, 06/11/2010 - 09:40

This is 3rd party appliance connected directly to the ASA's inside int... is it possible to route internet traffic from the tunnel to go thru the web filtering appliance?
