routing the internet just one type of clients

Mihai Ion
Level 1

Hello

I have two ASA 5505s configured in a site-to-site VPN.

Behind ASA2, I have two types of clients. Let's say A type and B type.

I would like to forward all the type A clients internet to go through ASA1, but I want the type B clients to go into the internet directly.

Is this possible?

Thanks

1 Reply

Jouni Forss
VIP Alumni

Hi,

Well essentially in your case the Type B Clients would not be an issue if they are using the local Internet connection of the ASA2.

The Type A clients would however need to have all their traffic forwarded through the L2L VPN connection. Therefore the ASA2 Crypto ACL for the L2L VPN towards ASA1 should have a line with

access-list L2LVPN permit ip any

You would also have to have NAT0 configuration for this network towards any destination address. The configuration format for this depends on your current software version.

Software 8.2 (or below)

access-list INSIDE-NAT0 permit ip any

nat (inside) 0 access-list INSIDE-NAT0

The above configuration naturally depends on if you already have a NAT0 ACL/configuration for the source interface. Then you naturally use the existing ACL.

Software 8.3 (and above)

object network TYPE-A-CLIENT

subnet

nat (inside,outside) source static TYPE-A-CLIENT TYPE-A-CLIENT

The type of configuration (as I said) depends on the software version you are running on the ASAs.

On the ASA1 you would naturally also require the Crypto ACL addition, but in reverse:

access-list L2LVPN permit ip any

You would also have to make sure that you have the following command configured for the traffic to be able to come in through your ASA1 external interface and leave through it

same-security-traffic permit intra-interface

The ASA1 would also require Dynamic PAT for the users connecting from the ASA2 Type A Client network. The configuration needed again depends on your ASAs' software version.

Software 8.2 (or below)

If we presume the ASA1 already has this configuration (or something similar):

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

Then you would need to add:

nat (outside) 1

Software 8.3 (or above)

You should be able to simply add this:

object network TYPE-A-CLIENT-PAT

subnet

nat (outside,outside) dynamic interface

Naturally the configurations you might need might differ slightly depending on the software level you are using and how you have configured the ASAs so far. Hard to say, as we don't know either of these things.

Hope this helps

- Jouni
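As an added example that is not part of the thread or of any Cisco tooling: a small Python checker that parses an ASA2 configuration fragment and confirms both pieces Jouni describes for the Type A subnet (the Crypto ACL entry permitting the subnet to any destination, and the matching NAT0/identity NAT in either the 8.2 or the 8.3+ form) are present, while a Type B subnet correctly shows neither. The configuration text, subnets, ACL and object names are constructed sample values, not taken from the post.

```python
import re
from ipaddress import IPv4Network

# Constructed ASA2 config fragment (8.3+ syntax); all values are samples, not from the thread.
ASA2_CONFIG = """\
object network TYPE-A-CLIENT
 subnet 10.10.20.0 255.255.255.0
nat (inside,outside) source static TYPE-A-CLIENT TYPE-A-CLIENT
access-list L2LVPN extended permit ip 10.10.20.0 255.255.255.0 any
crypto map OUTSIDE_MAP 10 match address L2LVPN
"""

def _object_subnets(lines):
    """Map each 'object network NAME' block to the subnet it defines."""
    objects, current = {}, None
    for line in lines:
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
        m = re.match(r"\s+subnet (\S+) (\S+)$", line)
        if m and current:
            objects[current] = IPv4Network(f"{m.group(1)}/{m.group(2)}")
    return objects

def _acl_permits_to_any(lines, acl, net):
    """True if ACL 'acl' has a 'permit ip <net> <mask> any' entry."""
    pat = (rf"access-list {re.escape(acl)} (extended )?permit ip "
           rf"{re.escape(str(net.network_address))} "
           rf"{re.escape(str(net.netmask))} any$")
    return any(re.match(pat, line) for line in lines)

def check_tunnel_all(config, subnet, crypto_acl="L2LVPN"):
    """Report whether ASA2 sends 'subnet' (to any destination) through the
    L2L VPN: crypto ACL entry plus identity NAT, in 8.2 or 8.3+ form."""
    net = IPv4Network(subnet)
    lines = config.splitlines()
    objects = _object_subnets(lines)
    nat_exempt = False
    for line in lines:
        # 8.3+: 'nat (inside,outside) source static X X' where X is the subnet
        m = re.match(r"nat \(inside,outside\) source static (\S+) \1$", line)
        if m and objects.get(m.group(1)) == net:
            nat_exempt = True
        # 8.2: 'nat (inside) 0 access-list N' whose ACL N covers the subnet
        m = re.match(r"nat \(inside\) 0 access-list (\S+)$", line)
        if m and _acl_permits_to_any(lines, m.group(1), net):
            nat_exempt = True
    return {"crypto_acl": _acl_permits_to_any(lines, crypto_acl, net),
            "nat_exempt": nat_exempt}
```

Run it against a Type A subnet and a Type B subnet to see the first report both items present and the second neither.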