ASA site to site tunnel with U turn config

forman102
Level 1

Hello,

I have a site-to-site VPN tunnel running between an ASA 5510 (8.2) and a Cisco PIX 506 (remote site). I need to enable users in the remote office to surf the net. I was looking into the documentation here and enabled traffic to enter/exit the same interface on the ASA (same-security-traffic permit intra-interface), however there's something still missing. I'm not sure how to troubleshoot this issue...

ASA is configured to NAT inside clients to one public IP (VPN tunnel also terminates to this interface)

ASA:

global (outside) 1 208.x.x.x                   
nat (inside) 0 access-list No-Nat-VPN    
nat (inside) 1 0.0.0.0 0.0.0.0

So when the packets to the Internet arrive through the tunnel, they need to be sent out on the same interface and NATted (but to get the tunnel to work I had to exempt interesting traffic from NAT). Is this causing a problem?


7 Replies

Hi,

The NAT rules should be like this:

global (outside) 1 208.x.x.x                   
nat (outside) 1 x.x.x.x mask -->  VPN pool

With the above, you're NATing the VPN clients when going out to the Internet.

You can still leave the NONAT ACL for the VPN traffic itself.

Federico.

Hi Federico,

You are referring to VPN clients... does the same logic pertain to site-to-site tunnels? Assuming that my remote site network in the VPN tunnel config is 192.168.10.0/24, what commands should I issue to achieve the appropriate NAT config (U-turn)?

Will these statements "NAT" traffic to Internet from my remote network, as you suggested?

hostname(config)# same-security-traffic permit intra-interface
hostname(config)# nat (outside) 1 192.168.10.0 255.255.255.0

If so.. will traffic to Internet go over the tunnel? I'd like to have it this way.


thanks

Correct.

You should see translations for your remote network.

i.e.

sh xlate

Federico.
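For readers following the thread, here is the complete hub-side picture that the exchange above converges on, written out as an added example; it is not the poster's running config, Federico's text, or Cisco's documentation. The inside LAN 192.168.1.0/24, the peer address 203.0.113.2, the transform set, and the ACL and crypto-map names are assumptions; the remote LAN 192.168.10.0/24 and the outside address 208.x.x.x are kept as they appear in the thread. Syntax is ASA 8.2 (pre-8.3 NAT).

```text
! ===== ASA 5510, 8.2 (hub) ===== added example, values assumed where noted

! 1. Let a packet that was decrypted on 'outside' leave on 'outside' again (hairpin / U-turn).
same-security-traffic permit intra-interface

! 2. Crypto ACL: the hub must accept ALL traffic from the remote LAN, not only LAN-to-LAN,
!    otherwise the PIX's Internet-bound packets are never carried inside the tunnel.
!    Must be the mirror image of the PIX crypto ACL below. (Name assumed.)
access-list VPN-to-Remote extended permit ip any 192.168.10.0 255.255.255.0

! 3. NAT exemption only for inside <-> remote-LAN traffic, as in the original post.
!    (Inside LAN 192.168.1.0/24 is assumed.)
access-list No-Nat-VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list No-Nat-VPN

! 4. The poster's existing rules: PAT inside hosts to the outside address.
global (outside) 1 208.x.x.x
nat (inside) 1 0.0.0.0 0.0.0.0

! 5. The missing piece: a nat rule on the OUTSIDE interface for the remote LAN, so traffic
!    that enters from the tunnel and goes back out to the Internet is PATed to 208.x.x.x too.
!    The No-Nat-VPN exemption above is unaffected; it still matches inside <-> remote traffic.
nat (outside) 1 192.168.10.0 255.255.255.0

! 6. Crypto map (peer, transform set and map name are placeholders).
crypto map OUTSIDE-MAP 10 match address VPN-to-Remote
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP interface outside

! ===== PIX 506 (spoke) ===== PIX 6.x syntax, added example
! Send everything from the remote LAN into the tunnel, and do not NAT it locally.
access-list Tunnel-All permit ip 192.168.10.0 255.255.255.0 any
nat (inside) 0 access-list Tunnel-All
crypto map OUTSIDE-MAP 10 match address Tunnel-All
```

Verification on the hub is the step Federico points at: after a remote host browses the Internet, `show xlate` should list translations whose local address is in 192.168.10.0/24 and whose global address is 208.x.x.x, and `show crypto ipsec sa` should show the encrypted/decrypted packet counters for the 192.168.10.0/24 <-> any proxy identities increasing. If the xlate table only shows 192.168.1.x entries, the nat (outside) rule is not matching; if the IPsec counters stay flat, the crypto ACLs on the two sides are not mirrors of each other.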

Tested and working. Thank you.

How could I redirect the Internet traffic to web filter connected directly to inside interface of ASA? 

If the URL-filtering server is a websense or SmartFilter you can use the url-redirect feature on the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/access_filter.html

Federico.

This is 3rd party appliance connected directly to the ASA's inside int... is it possible to route internet traffic from the tunnel to go thru the web filtering appliance?

Unfortunately you can't do Policy-Based Routing on the ASA (or equivalent).

To redirect URL traffic you will be using the link that I sent you or using WCCP (not sure if it will work for you), take a look:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/wccp.html

Federico.
