Cisco Support Community

New Member

Allow Internet from remote site-to-site VPN through ASA at Corp office

We have a client that is currently using a PIX 506E at the Main office and at several sites doing site-to-site VPN. All of the users at the Remote sites access the Internet through the Main site; this is currently being handled by a Linux firewall. The client would like to retire the Linux firewall and just use one firewall for the VPNs and Internet access, along with potential URL filtering at the Main office. Is this a supported configuration on an ASA?

Cisco Employee

Re: Allow Internet from remote site-to-site VPN through ASA at Cor

I think this should be possible with the ASA using the permit intra-interface command.

What you need is to tunnel all traffic from the remote locations to the ASA, then configure permit intra-interface, and then have the ASA NAT to a valid routable IP for Internet access. And then use Websense or N2H2 to do content filtering.

Please refer to the URL below; even though this is for the VPN Client, I am sure that you can apply the same concept to the L2L tunnel as well.

But I would strongly recommend that you get an ASA if possible and test it thoroughly before migrating over. If you are interested, you may want to look at the new ASA 5580 :-)

Happy Testing.

** Please rate all helpful posts **

Re: Allow Internet from remote site-to-site VPN through ASA at Cor

Keep in mind the following information:

1- At the remote site, you need to specify the following as your interesting traffic. For example, let's say your remote location has a network of

access-list IPSEC permit ip any
crypto map ipsec 10 match address IPSEC

This will allow traffic from the remote location to be encrypted when going to the CORP ASA. This configuration will go to ALL remote location devices.

By the way, I described this on another similar post not too long ago. If you search for cisco24x7, you will see that post.

CCIE Security
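As an added example that ties the two replies together (this is not configuration posted in the thread): the hub-side ASA settings the first reply describes (intra-interface permit, PAT of the hairpinned remote traffic, crypto map, optional Websense hook) alongside the remote-side interesting-traffic ACL from the second reply. All addresses, object names and the pre-shared-key placeholder are assumed, and the NAT syntax is the pre-8.3 style that matches the PIX-era setup being discussed.

```cisco
! Added example, not from the thread. Constructed addresses: remote LAN 192.168.10.0/24,
! hub LAN 10.1.1.0/24, hub outside 203.0.113.2, remote PIX outside 198.51.100.1.
! Syntax is ASA 8.2-style (pre-8.3 NAT), matching the PIX-era setup in the thread.
!
! ===== Hub ASA =====
! Let traffic that arrived on the outside (from the tunnel) leave via the outside again
same-security-traffic permit intra-interface
!
! Crypto ACL mirrors the remote site's "permit ip <remote LAN> any"
access-list L2L-REMOTE extended permit ip any 192.168.10.0 255.255.255.0
! Hub-to-remote traffic must not be translated, or it will never match the crypto ACL
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 10.1.1.0 255.255.255.0
! Hairpinned remote-site traffic is PATed to the outside address before leaving
nat (outside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L-REMOTE
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-PSK
!
! Optional content filtering hook named in the first reply (Websense server address is constructed)
url-server (inside) vendor websense host 10.1.1.50 timeout 30 protocol TCP version 4
filter url http 192.168.10.0 255.255.255.0 0 0
!
! ===== Remote PIX 506E (ISAKMP policy and PSK omitted for brevity) =====
! Interesting traffic is the whole remote LAN to anywhere, so Internet-bound traffic is
! tunnelled too; the same lines go on every remote device with its own LAN
access-list IPSEC permit ip 192.168.10.0 255.255.255.0 any
nat (inside) 0 access-list IPSEC
crypto map ipsec 10 match address IPSEC
crypto map ipsec 10 set peer 203.0.113.2
```

Once applied, a remote host's Internet session should show up on the hub as an outside-to-outside translation (`show xlate`) and an active SA for the remote LAN (`show crypto ipsec sa`); if only the xlate is missing, the usual cause is the intra-interface permit being absent.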