Cisco Support Community
New Member

Accessing Internet from DR site through main site

Hi friends,

An unusual but very interesting question on accessing Internet after passing through 2 Firewalls for the DR site. Please find enclosed the diagram depicting the network.

Both firewalls on Main site and DR site are connected via a Site-to-Site VPN.

The Main site has Internet access. The DR site needs Internet access through the Main site. The Branch VLAN interface of Main site ASA 5540 connects to the DMZ interface of the ASA 5530 in DR site (Since there were few interfaces available, I had to use VLAN interface).

The Site-to-Site VPN tunnel is brought up whenever inside network of one site tries to reach inside network of other site. Though the Service provider provides a VPN, we still rely on our own VPN.

All inside networks of main site are PAT'ed to the outside interface IP for Internet access.

Now, can you please help me know the configuration checklist for DR access to Internet? I have added a few. If there is anything further required, please let me know.

A. DR site

1. Add Internet traffic (Source: / 24, Destination: any) to the interesting traffic definition to bring up the VPN tunnel

2. Add a default route on DR site ASA to point to the MPLS IP of Service Provider.

3. Do a nonat for all Internet traffic on the ASA (nat 0 any)

4. Configure access list and apply it on inside direction of DMZ interface. The access list is to allow all traffic from any (Internet) to network

B. Main site

1. Configure access list (Permit ip any) and associate it with Branches VLAN interface (inside direction)

2. Add a translation for DR site : nat (BRANCHES) 1 and use an associating global statement

I would also like to know if there is any way to keep the IPSec VPN tunnel up and running all the time?

Thanks a lot
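
The checklist above, written out as a complete pair of configurations. This is an added example, not the original poster's configuration: it uses the pre-8.3 ASA syntax the post already uses (nat 0, nat/global) and constructed addresses (DR inside 10.20.0.0/24, main inside 10.10.0.0/24, DR DMZ 172.16.1.2 with MPLS next hop 172.16.1.1, main BRANCHES VLAN 172.16.2.2), interface and object names that are assumptions, and a placeholder pre-shared key. Two deliberate departures from the checklist as written: the interface access lists are scoped to the DR subnet instead of permit ip any, and the crypto ACLs on the two sides are exact mirrors, which IKE phase 2 requires.

```cisco
!==== DR site ASA 5530 (pre-8.3 syntax; all addresses constructed for this example) ====
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.255.0
interface Ethernet0/1
 nameif DMZ
 security-level 50
 ip address 172.16.1.2 255.255.255.0
! Step A2: default route toward the service provider (MPLS next hop is assumed)
route DMZ 0.0.0.0 0.0.0.0 172.16.1.1
! Step A1: interesting traffic = DR inside to anywhere, so Internet traffic also brings up the tunnel
access-list VPN-DR-TO-MAIN extended permit ip 10.20.0.0 255.255.255.0 any
! Step A3: NAT exemption so packets enter the tunnel with their real DR source address
access-list NONAT extended permit ip 10.20.0.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
! Step A4: inbound ACL on DMZ, scoped to the DR subnet rather than "permit ip any any".
! Note: with the default "sysopt connection permit-vpn", decrypted VPN traffic bypasses
! this ACL; it only takes effect if that sysopt has been disabled as a hardening step.
access-list DMZ-IN extended permit ip any 10.20.0.0 255.255.255.0
access-group DMZ-IN in interface DMZ
! Site-to-site IPsec toward the main site (peer = BRANCHES VLAN IP, assumed)
crypto isakmp enable DMZ
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map DMZ-MAP 10 match address VPN-DR-TO-MAIN
crypto map DMZ-MAP 10 set peer 172.16.2.2
crypto map DMZ-MAP 10 set transform-set AES256-SHA
crypto map DMZ-MAP interface DMZ
tunnel-group 172.16.2.2 type ipsec-l2l
tunnel-group 172.16.2.2 ipsec-attributes
 pre-shared-key PLACEHOLDER-REPLACE-ME
 ! Dead peer detection: tears down and re-establishes a tunnel whose peer stopped answering
 isakmp keepalive threshold 10 retry 2

!==== Main site ASA 5540 (pre-8.3 syntax; all addresses constructed for this example) ====
interface Vlan10
 nameif BRANCHES
 security-level 50
 ip address 172.16.2.2 255.255.255.0
! Route back to the DR subnet through the BRANCHES VLAN (DR-side next hop assumed)
route BRANCHES 10.20.0.0 255.255.255.0 172.16.2.1
! Mirror image of the DR crypto ACL: anywhere -> DR inside
access-list VPN-MAIN-TO-DR extended permit ip any 10.20.0.0 255.255.255.0
! Main inside hosts must reach DR inside without being PAT'ed to the outside address
access-list NONAT extended permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
! Existing PAT of main inside networks to the outside interface address
nat (inside) 1 10.10.0.0 255.255.255.0
! Step B2: PAT the DR subnet (arriving decrypted on BRANCHES) to the same outside address
nat (BRANCHES) 1 10.20.0.0 255.255.255.0
global (outside) 1 interface
! Step B1: inbound ACL on BRANCHES, scoped to the DR subnet rather than "permit ip any"
access-list BRANCHES-IN extended permit ip 10.20.0.0 255.255.255.0 any
access-group BRANCHES-IN in interface BRANCHES
crypto isakmp enable BRANCHES
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map BRANCHES-MAP 10 match address VPN-MAIN-TO-DR
crypto map BRANCHES-MAP 10 set peer 172.16.1.2
crypto map BRANCHES-MAP 10 set transform-set AES256-SHA
crypto map BRANCHES-MAP interface BRANCHES
tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
 pre-shared-key PLACEHOLDER-REPLACE-ME
 isakmp keepalive threshold 10 retry 2
```

Two points worth checking after applying something like this. First, because the main-site crypto ACL is "any -> 10.20.0.0/24", Internet return traffic is matched after the PAT is undone on the outside interface, so no extra policy is needed for the reverse direction; `show crypto ipsec sa` on either ASA should show encaps and decaps counters both increasing while a DR host browses. Second, on the tunnel-persistence question: the keepalive lines only detect a dead peer, they do not originate traffic, so an idle tunnel still expires at the SA lifetime. A tunnel that needs to be up at all times is kept up by something that sends traffic matching the crypto ACL on a schedule (a monitoring host on the DR inside network polling a main-site address, for example), which also gives the operations team an alert the moment the path breaks.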


New Member

Re: Accessing Internet from DR site through main site

Hi friends,

Sorry if my post was too lengthy. But I just wanted to make sure that I give you the full picture.

Anyways, to make it short, I just wanted to know what are the requirements for a host to access Internet after passing through 2 firewalls connected via Site-to-Site VPN.

Thanks a lot

