Solved

ASA 5505 Internet Access with simultaneous VPN connection

Posted on 2009-07-14
8
410 Views
Last Modified: 2012-05-07
I'm pretty sure the answer to this question is "no", but thought I'd throw it out there anyway. I have one ASA 5505 configured with a base license using a VPN tunnel to a remote site. All is well. But I was wondering if I could also configure the ASA for internet use, as well? I've tried:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0

But as soon as I enter the NAT command, it kills the VPN tunnel completely...which I can't have.

Wondering if it would be an access list of some sort?

I've attached the config for review. Any suggestions would be appreciated.
internet-asa.txt
0
Comment
Question by:sarahbobby
  • 4
  • 2
  • 2
8 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24854152
Hi,

Use the following:

nat (inside) 0 access-list inside_nat0_outbound

access-list  inside_nat0_outbound extended permit ip 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0
0
 
LVL 13

Accepted Solution

by:
3nerds earned 125 total points
ID: 24854172
If I understand you correctly you have a site to site vpn and ti works you also want to be able to access the internet through this asa at the same time. If that is the question the answer is yes.

You are on the right track above but you have to add additional no nat pieces so the vpn keeps passing traffic.

access-list nonat extended permit ip x.x.x.x 255.255.255.0 y.y.y.y 255.255.255.0 ----> x is your local lan subnet, and y is the remote lan subnet.

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0

Good Luck,

3nerds
0
 

Author Closing Comment

by:sarahbobby
ID: 31603478
Magic. That worked like a champ.

I only slightly understand why this allowed the web traffic to work, but that's due to my inexperience. I'll have to read up on nonat statements to get a better handle on how/why this allowed the traffic through.

Thanks!!
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24859420
Am I wrote wong??
As I see I selved your problem correctly, but you don't ranked me!
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 13

Expert Comment

by:3nerds
ID: 24859461
I guess he preferred my answer, it happens.

Regards,

3nerds
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24859502
Yes, but I wrote it to earlier -:)

0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 24859522
Congralutions 3nerds:)
0
 

Author Comment

by:sarahbobby
ID: 24859556
3nerds provided a bit more detail and guidance on what specific steps I was to take to solve my issue, which is why I chose that answer. No disrespect intended to ikalmar at all, and I truly appreciate the assistance. I guess next time I'll accept multiple answers.....
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now