How to allow Internet Access to Second Network

Posted on 2008-11-06
Last Modified: 2008-11-11
We are deploying ASA 5505 to home users who currently have an Internet connection along with a wireless router (not provided by us). I am looking for a way to VLAN a port on the ASA and provide Internet to the Wireless device. I have the basic license.
ASA Version 8.0(3)

hostname caurog-ASA1
domain-name altus.local
enable password 2hjkEuGBa9oJjIHZ encrypted

name Wireless

interface Vlan1
 nameif inside
 security-level 100
 ip address

interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute

interface Vlan12
 no forward interface Vlan1
 nameif home
 security-level 50
 ip address

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1
 switchport access vlan 12

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone est 5
dns server-group DefaultDNS

 domain-name altus.local
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list _vpnc_no_nat_acl extended permit ip any
access-list _vpnc_no_nat_acl extended permit ip any
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any source-quench
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit icmp any any time-exceeded
access-list home_nat_outbound extended permit ip Wireless any
access-list outside_access_in extended permit ip any
pager lines 24
logging enable
logging console emergencies
logging monitor emergencies
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu home 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any traceroute inside
icmp permit any traceroute outside
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http outside
http NMKT_DATA inside
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet inside
telnet inside
telnet outside
telnet timeout 5
ssh scopy enable
ssh inside
ssh inside
ssh outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside

dhcpd address inside
dhcpd enable inside

dhcpd address home
dhcpd dns interface home
dhcpd option 3 ip interface home
dhcpd enable home

vpnclient server
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup RemoteASAUsers password ********
vpnclient username caurog password ********
vpnclient management tunnel NMKT_DATA
vpnclient enable
threat-detection basic-threat
threat-detection statistics access-list
username caurog password OOoBaeO.IwHGNokO encrypted
username monit password FOD079G5n9CjnitT encrypted
username altusadmin password ZuM0kD/QGQyKa2Je encrypted

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map

  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
prompt hostname context

: end


Question by:altusadmin2

    Expert Comment

    If I'm understanding your question correctly, you're on the right track.
    1) You need a vlan interface on the same 'network' as your wireless.  From your network names at the top of the config, it looks like the wireless devices are on the network (presumably subnet mask  If you're using an external wireless router connected to the pix, give the 'outside/internet' interface on the router an address on an address like, with a gateway of

    2) Configure an access-list to allow/restrict the traffic from the wireless router as you see fit, and apply it inbound on that vlan interface in 1).

    That should do it....

    Accepted Solution

    I had missed a dynamic NAT for the Home to Outside
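
    An added example, not part of the thread or the poster's configuration: a Python check for the gap named in the accepted solution, i.e. a named interface with a higher security level than outside that has no `nat` rule paired with a `global` on outside. The sample config is constructed from the posted one with placeholder addresses; the function names and the `egress` parameter are hypothetical.

```python
import re

# Constructed sample, abridged from the posted config. The 0.0.0.0 network and
# mask are placeholders: the post has its addresses removed.
SAMPLE = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan12
 no forward interface Vlan1
 nameif home
 security-level 50
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""

def parse(config):
    """Collect nameif security levels plus (interface, id) pairs for global and nat."""
    levels, pools, nats = {}, set(), set()
    name = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None                      # a new interface stanza begins
        elif m := re.match(r"nameif (\S+)", line):
            name = m.group(1)
            levels[name] = 0                 # overwritten by security-level below
        elif name and (m := re.match(r"security-level (\d+)", line)):
            levels[name] = int(m.group(1))
        elif m := re.match(r"(global|nat) \((\S+)\) (\d+)", line):
            target = pools if m.group(1) == "global" else nats
            target.add((m.group(2), int(m.group(3))))
    return levels, pools, nats

def missing_outbound_nat(config, egress="outside"):
    """Names of interfaces above `egress` in security level with no dynamic NAT to it."""
    levels, pools, nats = parse(config)
    pool_ids = {i for ifc, i in pools if ifc == egress}
    missing = []
    for ifc, level in levels.items():
        if ifc == egress or level <= levels.get(egress, 0):
            continue
        # nat id 0 is NAT exemption, so only ids > 0 that match a global count.
        if not any(n == ifc and i > 0 and i in pool_ids for n, i in nats):
            missing.append(ifc)
    return sorted(missing)
```

    On the constructed sample this reports `home`. Under the 8.0 syntax a statement such as `nat (home) 1 access-list home_nat_outbound` would pair with the existing `global (outside) 1 interface`; the thread does not show the line the poster actually added.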
