Full tunnel internet access issue - ASA5505

Sam Byers, Level 1

The SOHO side is an ASA 5505. The head end is an ASA 5505.

Code version on both is 8.2(5).

The VPN method is NEM.

Traffic can go from the inside network of the 5505, but it cannot go to the internet. Specifically, anything on the "no nat acl" that gets automatically applied to a nat statement when the vpnclient is established works. Anything else dies at the "nat (inside) 1 0.0.0.0 0.0.0.0" statement.


What dictates the no nat acl that is applied to nat 0 on the 5505 when using NEM? I know it's in the config of the head end somewhere, but I'm not sure where.

Thanks!


4 Replies

Jouni Forss, VIP Alumni

Hi,

I have not configured NEM Clients recently so I am a bit rusty.

What I do know is that we usually have the users behind NEM Clients use the Internet connection through the central site rather than a local Internet connection (in one customer's case it's a requirement).

So you would probably have the chance to configure Dynamic PAT for the NEM Clients users on the central ASA, or you might be able to configure some sort of Split Tunnel policy on the "group-policy" of this connection at the central ASA.

- Jouni

Sam Byers

Yes. Under the group policy the NEM clients are using, I selected "Tunnel All Networks." I assumed that meant a default route, so that everything would come through the central ASA.

Jouni Forss (accepted solution)

Hi,

I believe that in the current situation you would have to configure Dynamic PAT for the users on the central site for Internet traffic if all traffic is tunneled through the VPN connection.

You would essentially have to perform nat between "outside" and "outside" interface and enable the setting "same-security-traffic permit intra-interface".

NAT configuration might be something like

nat (outside) 1

If the following already exists

global (outside) 1 interface

I am still not sure what you meant with the original NAT0 question.

- Jouni
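The hairpin PAT described above, written out as an added example in ASA 8.2 syntax (not config from the thread; the group-policy name NEM-GP and the SOHO inside subnet 192.168.10.0/24 are assumed):

```cisco
! Added example, not from the thread. Head-end ASA running 8.2(5).
! Assumed: NEM client's inside network is 192.168.10.0/24, group policy is NEM-GP.

! 1. Decrypted client traffic enters "outside" and must leave via "outside",
!    which the ASA blocks unless intra-interface traffic is permitted.
same-security-traffic permit intra-interface

! 2. Group policy for the NEM connection: tunnel everything to the head end.
group-policy NEM-GP attributes
 split-tunnel-policy tunnelall
 nem enable

! 3. Dynamic PAT the remote inside network as it re-exits "outside".
!    Without this rule the packets have no translation and are dropped.
nat (outside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface

! 4. Verify once a client behind the 5505 browses the Internet:
!    show xlate | include 192.168.10.
!    show nat
```

Only the single subnet is PATed here; if more remote networks are expected, add them to the same nat (outside) 1 line rather than opening the rule to 0.0.0.0 0.0.0.0.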

Sam Byers

Adding the NAT statement at the 5510 worked. I now understand that the traffic is coming into the outside interface of the 5510 and going out of that same interface.

Thanks!