Cisco ASA 5505 site to site with shared internet access - NAT

Posted on 2013-09-03
Medium Priority
Last Modified: 2013-09-09
I have 2 locations with ASA 5505s (8.4 code), and a tunnel between the 2 sites. All is working fine for the remote site (Site B) to access resources in Site A.

I now need Site B to access the INTERNET using Site A's Internet connection - that is, from Site B to www.google.com, traffic goes:

Site B PC --> Site B ASA --> TUNNEL --> Site A ASA outside, then hairpin back out to the Internet (and find its way back to Site B, of course).

I know I need to double NAT everything at Site B into the tunnel - not a problem. Essentially *ALL* traffic leaving Site B goes into the tunnel.

The problem is at Site A - the traffic from Site B for internal resources goes to "inside", and web requests turn around and go out "outside".

Question by: snowdog_2112

Accepted Solution

rauenpc earned 2000 total points
ID: 39461137
This is likely simpler than you'd think. The NAT statement is just like what you have for Site A, except that the interfaces are different. You also need to enable same-security traffic. Depending on how your other NAT statements are set up, you may need to make changes to them.

For example:
object network SITEASUBNET
nat (inside,outside) dynamic interface

object network SITEBSUBNET
nat (outside,outside) dynamic interface

same-security-traffic permit intra-interface

Assisted Solution

snowdog_2112 earned 0 total points
ID: 39462500
That makes sense, but do I need to change the ACLs on the crypto map on each side?
The remote (SITE B) should direct *all* traffic into the tunnel, but the main (SITE A) ASA needs to only send traffic which came from SITE B to the Internet back to SITE B.


SITE B (remote)

crypto map vpn_map 10 match address vpn_map_acl

access-list vpn_map_acl permit ip any


crypto map vpn_map 10 match address vpn_site_b_acl

access-list vpn_site_b_acl permit ip any

Expert Comment

ID: 39462505
Yes, the ACL change will be needed. Good call.

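Putting the accepted NAT answer and the crypto ACL discussion together, here is a fuller Site A configuration as an added example; it is not a config from the thread. The subnets (10.1.0.0/24 for Site A inside, 10.2.0.0/24 for Site B), the object name INSIDE_NET and the test addresses are assumptions.

```cisco
! Added example: Site A ASA (8.4) hairpinning Site B's Internet traffic.
! Subnets, INSIDE_NET and the test addresses are assumed, not from the thread.
object network INSIDE_NET
 subnet 10.1.0.0 255.255.255.0
object network SITEBSUBNET
 subnet 10.2.0.0 255.255.255.0

! Allow traffic to enter and leave the same (outside) interface.
same-security-traffic permit intra-interface

! Section 1 (manual/twice NAT) is evaluated before the object NAT below, so
! Site A inside <-> Site B crosses the tunnel untranslated. This is the
! "depending on how your other nat statements are setup" part of the answer.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static SITEBSUBNET SITEBSUBNET no-proxy-arp route-lookup

! Section 2 (object NAT): Site A hosts PAT to the outside address as before...
object network INSIDE_NET
 nat (inside,outside) dynamic interface
! ...and Site B hosts arriving through the tunnel PAT to the same address
! on the way back out (the hairpin).
object network SITEBSUBNET
 nat (outside,outside) dynamic interface

! Crypto ACL on Site A: only traffic destined for Site B is sent back into the
! tunnel, unlike Site B's side, which sends everything. Site B's crypto ACL
! should be the mirror image (source SITEBSUBNET, destination any).
access-list vpn_site_b_acl extended permit ip any object SITEBSUBNET
crypto map vpn_map 10 match address vpn_site_b_acl

! Checks: simulate a Site B host browsing via the tunnel (203.0.113.5 is a
! constructed test address), then confirm the hairpin rule is taking hits.
! packet-tracer input outside tcp 10.2.0.10 40000 203.0.113.5 80
! show nat detail
```

The packet-tracer output should show the flow being untranslated by the section 1 rule only when the destination is Site A's inside network, and hitting the (outside,outside) PAT rule for Internet destinations.
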
Author Closing Comment

ID: 39475749
Excellent - that seems to be working.
