Best Solution for Internet access from internal VLANs

Posted on 2011-04-25
Medium Priority
Last Modified: 2012-05-11
Somewhat of a noob with network design and ASAs. I have a 5520 with internal VLANs that need access out to the internet. I have a NAT rule in place to allow internet out of one of my inside networks. However, if I add a similar NAT rule to allow another VLAN, I can't access hosts on that VLAN from our site-to-site tunnels that terminate on the outside interface. What's my best option here?

ASA Version 8.3(2) 
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address
interface GigabitEthernet0/1.1
 vlan 205
 nameif Dev
 security-level 50
 ip address 
interface GigabitEthernet0/1.2
 vlan 206
 nameif QA
 security-level 80
 ip address 
interface GigabitEthernet0/2
 nameif DMZ
 security-level 10
 ip address 
interface GigabitEthernet0/3
interface Management0/0
 nameif management
 security-level 100
 no ip address

same-security-traffic permit intra-interface

pager lines 24
logging enable
logging timestamp
logging monitor notifications
logging trap notifications
logging asdm informational
logging host Inside
mtu outside 1500
mtu Inside 1500
mtu Dev 1500
mtu QA 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPN-Pool mask
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (outside,DMZ) source static any any destination static out-console dmz-console service SSH SSH 
nat (Inside,outside) source static _bo3 _bo3 destination static _dc2 _dc2 description Site to Site VPN 
nat (Inside,outside) source static bo3_admin bo3_admin destination static bo3_vpn bo3_vpn description Access to Mgmt network over VPN
nat (Inside,outside) source static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 destination static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 description Site to Site VPN
nat (Inside,outside) source dynamic any out-console description Internet access NAT all outbound traffic to an external IP
access-group outside_access_in in interface outside
access-group Inside_access_in in interface Inside
access-group Dev_access_in in interface Dev per-user-override
access-group QA_access_in in interface QA per-user-override
route outside 1
route outside 5
route outside 5
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00

aaa authentication ssh console LOCAL 
aaa authentication match Dev_authentication Dev MS-RADIU
aaa authentication match QA_authentication QA MS-RADIU
aaa authentication listener http Dev port www 
aaa authentication listener http QA port www 
http server enable
http Inside
http Inside
http Inside
http Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set -aes esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set -sha esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 
crypto map outside_map 1 set transform-set -aes
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 
crypto map outside_map 2 set transform-set -aes
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign dhcp
telnet timeout 5
ssh Inside
ssh Inside
ssh Inside
ssh Inside
ssh timeout 5
console timeout 0
management-access Inside
dhcprelay server Inside
dhcprelay enable Dev
dhcprelay enable QA
dhcprelay setroute Dev
dhcprelay setroute QA
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server source Inside prefer
ntp server source Inside
tftp-server Inside /configs


Question by:SpanIT

Accepted Solution

Cheever000 earned 2000 total points
ID: 35469374
I see you left out your access-lists, but for starters, when you have a site-to-site and add subnets, both sides need to be adjusted to include the additional networks as interesting traffic.


If you had say and added, you need to let your ASA know that traffic from the 2.0 network should traverse the tunnel, as well as adjusting the other side to do the same.

Then you will have to adjust your no-NAT statement for the VPN traffic to make sure that NAT isn't being attempted on the traffic destined for the other sites.

These changes must be made for every subnet/network you add.  


Author Comment

ID: 35475704
Thanks, yes, I need a NAT exemption for traffic that is bound for the outside interface where the site-to-sites are terminated. I have NAT exemption rules now, but they only match on the inside interface.
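The two changes the accepted answer describes (add the new VLAN to the interesting-traffic ACL, then exempt it from NAT before the dynamic PAT rule catches it), together with the author's point that the existing exemptions only cover the Inside interface, worked through for the Dev VLAN in the 8.3 NAT syntax the posted config already uses. This is an added example, not the asker's config or the answerer's text. The subnets, the peer LAN and the verification addresses are assumptions chosen for illustration; the object name out-console and the ACL name outside_1_cryptomap are taken from the posted config.

```cisco
! Added example, not from the original thread. Assumed values:
!   Dev VLAN 205 subnet   10.205.0.0/24  (interface Dev, security-level 50)
!   remote site LAN       192.0.2.0/24   (behind the existing tunnel that
!                                          crypto map outside_map 1 matches
!                                          with access-list outside_1_cryptomap)
!   PAT address           network object out-console (already defined on the page)
!
! 1. Network objects for the new VLAN and the far end of the tunnel.
object network DEV_NET
 subnet 10.205.0.0 255.255.255.0
object network REMOTE_SITE_NET
 subnet 192.0.2.0 255.255.255.0
!
! 2. Interesting traffic. Append the new pair to the crypto ACL the crypto
!    map entry already references. The peer must add the mirror-image entry
!    (192.0.2.0/24 -> 10.205.0.0/24) or the phase 2 proposal will not match.
access-list outside_1_cryptomap extended permit ip object DEV_NET object REMOTE_SITE_NET
!
! 3. NAT exemption (identity twice NAT) for the Dev interface. The posted
!    exemptions are all (Inside,outside), so they never see Dev traffic.
!    Manual NAT rules are evaluated top-down in the order entered, so this
!    line must be entered before the dynamic PAT rule for the same interface
!    pair; otherwise VPN-bound packets are translated to out-console and no
!    longer match the crypto ACL, which is the symptom in the question.
nat (Dev,outside) source static DEV_NET DEV_NET destination static REMOTE_SITE_NET REMOTE_SITE_NET description No NAT for Dev to remote site over VPN
!
! 4. Internet access for the VLAN: dynamic PAT behind the same public address
!    the Inside network uses, appended after the exemption.
nat (Dev,outside) source dynamic DEV_NET out-console description Internet access for Dev VLAN
!
! 5. The inbound ACL on Dev (Dev_access_in, applied with per-user-override)
!    is checked before NAT and must permit Dev -> 192.0.2.0/24 as well; the
!    ACLs were not posted, so no entry is shown here.
!
! 6. Verify from the CLI. packet-tracer reports the NAT rule and, for a
!    VPN-bound flow, the "VPN encrypt" phase; a public destination should hit
!    the dynamic rule instead. show nat prints section 1 in evaluation order.
! packet-tracer input Dev tcp 10.205.0.10 40000 192.0.2.10 445
! packet-tracer input Dev tcp 10.205.0.10 40000 198.51.100.10 443
! show nat
! show crypto ipsec sa peer <peer-ip>
```

The same three lines (object, crypto ACL entry, identity NAT ahead of the dynamic rule) are repeated per VLAN and per remote site, which is the "for every subnet/network you add" point in the answer; a missing entry shows up in packet-tracer as the flow hitting the dynamic PAT rule instead of the exemption.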
