Best Solution for Internet access from internal VLANs

Posted on 2011-04-25
Last Modified: 2012-05-11
Somewhat of a noob with network design and ASAs. I have a 5520 with internal VLANs that need access out to the internet. I have a NAT rule in place to allow internet out of one of my inside networks. However, if I add a similar NAT rule to allow another VLAN, I can't access hosts on that VLAN from our site-to-site tunnels that terminate on the outside interface. What's my best option here?

ASA Version 8.3(2) 
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address
interface GigabitEthernet0/1.1
 vlan 205
 nameif Dev
 security-level 50
 ip address 
interface GigabitEthernet0/1.2
 vlan 206
 nameif QA
 security-level 80
 ip address 
interface GigabitEthernet0/2
 nameif DMZ
 security-level 10
 ip address 
interface GigabitEthernet0/3
interface Management0/0
 nameif management
 security-level 100
 no ip address

same-security-traffic permit intra-interface

pager lines 24
logging enable
logging timestamp
logging monitor notifications
logging trap notifications
logging asdm informational
logging host Inside
mtu outside 1500
mtu Inside 1500
mtu Dev 1500
mtu QA 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPN-Pool mask
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (outside,DMZ) source static any any destination static out-console dmz-console service SSH SSH 
nat (Inside,outside) source static _bo3 _bo3 destination static _dc2 _dc2 description Site to Site VPN 
nat (Inside,outside) source static bo3_admin bo3_admin destination static bo3_vpn bo3_vpn description Access to Mgmt network over VPN
nat (Inside,outside) source static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 destination static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 description Site to Site VPN
nat (Inside,outside) source dynamic any out-console description Internet access NAT all outbound traffic to an external IP
access-group outside_access_in in interface outside
access-group Inside_access_in in interface Inside
access-group Dev_access_in in interface Dev per-user-override
access-group QA_access_in in interface QA per-user-override
route outside 1
route outside 5
route outside 5
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

aaa authentication ssh console LOCAL 
aaa authentication match Dev_authentication Dev MS-RADIU
aaa authentication match QA_authentication QA MS-RADIU
aaa authentication listener http Dev port www 
aaa authentication listener http QA port www 
http server enable
http Inside
http Inside
http Inside
http Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set -aes esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set -sha esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 
crypto map outside_map 1 set transform-set -aes
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 
crypto map outside_map 2 set transform-set -aes
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign dhcp
telnet timeout 5
ssh Inside
ssh Inside
ssh Inside
ssh Inside
ssh timeout 5
console timeout 0
management-access Inside
dhcprelay server Inside
dhcprelay enable Dev
dhcprelay enable QA
dhcprelay setroute Dev
dhcprelay setroute QA
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server source Inside prefer
ntp server source Inside
tftp-server Inside /configs


Question by: SpanIT

    Accepted Solution

    I see you left out your access-lists, but for starters, when you have a site to site and add subnets, both sides need to be adjusted to include the additional networks as interesting traffic.

    If you had say and added, you need to let your ASA know that traffic from the 2.0 network should traverse the tunnel, as well as the other side being adjusted to do the same.

    Then you will have to adjust your no-nat statement for the VPN traffic to make sure that NAT isn't being attempted on the traffic destined for the other sites.

    These changes must be made for every subnet/network you add.


    Author Comment

    Thanks, yes, I need a NAT exemption for traffic that is bound for the outside interface where the site-to-sites are terminated. I have NAT exemption rules now, but only matching on the Inside interface.
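An added example, not from the original post, of the two changes the accepted answer and the author's follow-up describe (the NAT exemption and the crypto-ACL update) applied to the Dev VLAN of the posted 8.3(2) config. The object names Dev-NET and Remote-Site-NET and every address are assumptions, since the real values are redacted; out-console and outside_1_cryptomap are the names already in the config.

```cisco
! Added example (not from the original post): NAT exemption plus crypto-ACL entry
! so the Dev VLAN (vlan 205) reaches a remote site over the tunnel bound to
! outside_map 1 and still uses the out-console PAT for plain internet traffic.
! Addresses and the object names Dev-NET / Remote-Site-NET are hypothetical;
! the real values are redacted in the posted config.

object network Dev-NET
 subnet 10.205.0.0 255.255.255.0
object network Remote-Site-NET
 subnet 192.168.50.0 255.255.255.0

! 1. Identity (twice) NAT for Dev -> remote site. In 8.3 the manual NAT rules
!    are matched top-down in the order entered, so this must sit ABOVE the
!    dynamic PAT rule below; otherwise VPN-bound traffic is translated to the
!    outside address and never matches the crypto ACL. The explicit line
!    number pins it to the top of the table.
nat (Dev,outside) 1 source static Dev-NET Dev-NET destination static Remote-Site-NET Remote-Site-NET description Site to Site VPN from Dev

! 2. Internet PAT for Dev, mirroring the existing (Inside,outside) rule.
nat (Dev,outside) source dynamic any out-console description Internet access for Dev

! 3. Interesting traffic: extend the crypto ACL already used by outside_map 1.
!    The peer must add the mirror-image entry and its own NAT exemption.
access-list outside_1_cryptomap extended permit ip object Dev-NET object Remote-Site-NET

! Verification (the sample hosts are hypothetical):
! show nat
!     - the static rule must be listed above the dynamic one
! packet-tracer input Dev tcp 10.205.0.10 1024 192.168.50.10 22
!     - NAT phase should hit the identity rule, VPN phase should encrypt
! show crypto ipsec sa peer <peer-ip>
!     - expect a new SA for 10.205.0.0/24 <-> 192.168.50.0/24
```

Repeat the same three statements for QA (vlan 206) and for each remote peer's networks; `show nat` is the quickest check that each exemption sits above the dynamic rule.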
