02-03-2014 01:34 PM
Hello
I have two ASA 5505s configured in a site-to-site VPN.
Behind ASA2, I have two types of clients. Let's say A type and B type.
I would like to forward all the type A clients' internet traffic through ASA1, but I want the type B clients to go to the internet directly.
Is this possible?
Thanks
02-03-2014 03:06 PM
Hi,
Well essentially in your case the Type B Clients would not be an issue if they are using the local Internet connection of the ASA2.
The Type A clients would however need to have all their traffic forwarded through the L2L VPN connection. Therefore the ASA2 Crypto ACL for the L2L VPN towards ASA1 should have a line with
access-list L2LVPN permit ip
You would also have to have NAT0 configuration for this network towards any destination address. The configuration format for this depends on your current software version.
Software 8.2 (or below)
access-list INSIDE-NAT0 permit ip
nat (inside) 0 access-list INSIDE-NAT0
The above configuration naturally depends on whether you already have a NAT0 ACL/configuration for the source interface. In that case you naturally use the existing ACL.
Software 8.3 (and above)
object network TYPE-A-CLIENT
subnet
nat (inside,outside) source static TYPE-A-CLIENT TYPE-A-CLIENT
The type of configuration (as I said) depends on the software version you are running on the ASAs.
On the ASA1 you would naturally also require the Crypto ACL addition, but in reverse:
access-list L2LVPN permit ip any
You would also have to make sure that you have the following command configured for the traffic to be able to come in through your ASA1 external interface and leave through it
same-security-traffic permit intra-interface
The ASA1 would also require Dynamic PAT for the users connecting from ASA2 Type A Client network. The configuration needed again depends on your ASAs software version.
Software 8.2 (or below)
If we presume the ASA1 already has this configuration (or something similar):
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
Then you would need to add
nat (outside) 1
Software 8.3 (or above)
You should be able to simply add this
object network TYPE-A-CLIENT-PAT
subnet
nat (outside,outside) dynamic interface
Naturally the configurations you might need might differ slightly depending on the software level you are using and how you have configured the ASAs so far. Hard to say, as we don't know either of these things.
Hope this helps
- Jouni
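To make the pieces of the answer above concrete, here is an added example (not Jouni's configuration and not from the original thread) of the complete 8.3-or-later configuration on both firewalls. The addressing is constructed: Type A clients are assumed to be 192.168.10.0/24 and Type B clients 192.168.20.0/24, the crypto ACL name L2LVPN is the one used in the answer, and the existing tunnel's crypto map is assumed to already reference that ACL.

```cisco
!
! ASA2 (software 8.3 or later): send all Type A Internet traffic through the
! L2L tunnel to ASA1, let Type B use ASA2's own Internet connection.
! Assumed, constructed addressing: Type A = 192.168.10.0/24, Type B = 192.168.20.0/24.
!
object network TYPE-A-CLIENT
 subnet 192.168.10.0 255.255.255.0
object network TYPE-B-CLIENT
 subnet 192.168.20.0 255.255.255.0
 ! Section 2 (object NAT): Type B is PATed to ASA2's outside address
 nat (inside,outside) dynamic interface
!
! Crypto ACL: every destination is "interesting" traffic for Type A, so all
! of their traffic, Internet included, is encrypted towards ASA1
access-list L2LVPN extended permit ip 192.168.10.0 255.255.255.0 any
!
! Section 1 (manual/twice NAT) identity translation, evaluated before the
! object NAT above, so Type A traffic reaches the tunnel untranslated (NAT0)
nat (inside,outside) source static TYPE-A-CLIENT TYPE-A-CLIENT
!
!
! ASA1 (software 8.3 or later): accept the tunnelled Type A traffic on the
! outside interface, hairpin it back out of the same interface, and PAT it
! to ASA1's outside address.
!
same-security-traffic permit intra-interface
!
! Mirror image of ASA2's crypto ACL line
access-list L2LVPN extended permit ip any 192.168.10.0 255.255.255.0
!
! Dynamic PAT for the Type A network arriving on, and leaving via, outside
object network TYPE-A-CLIENT-PAT
 subnet 192.168.10.0 255.255.255.0
 nat (outside,outside) dynamic interface
```

Two things worth checking once this is in place. First, NAT order: ASA1's existing identity NAT for the LAN-to-LAN traffic of the original tunnel is assumed to be a manual (section 1) rule, which is evaluated before the section 2 object NAT above, so only Type A traffic that is not headed for ASA1's LAN gets PATed; `packet-tracer input outside tcp 192.168.10.10 12345 203.0.113.5 80` on ASA1 (and `packet-tracer input inside ...` on ASA2) shows which NAT and VPN phases each flow hits, and `show crypto ipsec sa` should show the encaps/decaps counters rising for the new ACL line. Second, access policy: decrypted VPN traffic arriving on ASA1's outside interface bypasses the outside interface ACL by default (`sysopt connection permit-vpn`), so if the Type A clients' Internet access is meant to be filtered on ASA1, that filtering has to be applied with a `vpn-filter` in the tunnel's group policy or by turning the sysopt off and permitting the traffic explicitly.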