Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

routing the internet just one type of clients


I have two asa 5505 configured in a site to site VPN .

Behind ASA2, i have two types of clients. Let's say A type and B type.

I would like to forward all the type A clients internet to go through ASA1, but I want the type B clients to go into the internet directly.

Is this possible?


Everyone's tags (5)
Super Bronze

routing the internet just one type of clients


Well essentially in your case the Type B Clients would not be an issue if they are using the local Internet connection of the ASA2.

The Type A clients would however need to have all their traffic forwarded through the L2L VPN connection. Therefore the ASA2 Crypto ACL for the L2L VPN towards ASA1 should have a line with

access-list L2LVPN permit ip any

You would also have to have NAT0 configuration for this network towards any destination address. The configuration format for this depends on your current software version.

Software 8.2 (or below)

access-list INSIDE-NAT0 permit ip any

nat (inside) 0 access-list INSIDE-NAT0

The above configuration naturally depends on if you already have a NAT0 ACL/configuration for the source interface. Then you naturally use the existing ACL.

Software 8.3 (and above)

object network TYPE-A-CLIENT


nat (inside,outside) source static TYPE-A-CLIENT TYPE-A-CLIENT

The type of configuration (as I said) depends on the software version you are running on the ASAs

On the ASA1 you would naturally also require the Crypto ACL addition but in reverse

access-list L2LVPN permit ip any

You would also have to make sure that you have the following command configured for the traffic to be able to come in through your ASA1 external interface and leave through it

same-security-traffic permit intra-interface

The ASA1 would also require Dynamic PAT for the users connecting from ASA2 Type A Client network. The configuration needed again depends on your ASAs software version.

Software 8.2 (or below)

If we presume the ASA1 already has this configuration (or something similiar)

global (outside) 1 interface

nat (inside) 1

Then you would need to add

nat (outside) 1

Software 8.3 (or above)

You should be able to simply add this

object network TYPE-A-CLIENT-PAT


nat (outside,outside) dynamic interface

Naturally the configurations you might need might differ slightly depending on the software level you are using and how you have configured the ASAs so far. Hard to say as we dont know neither of these things.

Hope this helps

- Jouni