Cisco ASA 5505 site to site with shared internet access - NAT

I have 2 locations with ASA 5505s (8.4 code) and a tunnel between the 2 sites. All is working fine for the remote site (Site B) to access resources in Site A.

I now need Site B to access the INTERNET using Site A's Internet connection - that is, from Site B, traffic goes:

Site B PC --> Site B ASA --> TUNNEL --> Site A ASA outside, then hairpin back out to the Internet (and find its way back to Site B, of course).

I know I need to double NAT everything at Site B into the tunnel - not a problem.  Essentially *ALL* traffic leaving Site B goes into the tunnel.

The problem is at Site A - the traffic from Site B for internal resources goes to "inside", and web requests turn around and go out "outside".

This is likely simpler than you'd think. The NAT statement is just like what you have for Site A, except that the interfaces are different. You also need to enable same-security-traffic. Depending on how your other NAT statements are set up, you may need to make changes to them.

For example (each object also needs its subnet statement, omitted here):

! Site A LAN out to the Internet (unchanged)
object network SITEASUBNET
 nat (inside,outside) dynamic interface

! Site B LAN: arrives decrypted on outside and leaves on outside again (hairpin)
object network SITEBSUBNET
 nat (outside,outside) dynamic interface

! required so a flow may enter and exit the same interface
same-security-traffic permit intra-interface

snowdog_2112 (Author) commented:
That makes sense, but do I need to change the ACLs on the crypto map on each side?
The remote (SITE B) should direct *all* traffic into the tunnel, but the main (SITE A) ASA needs to send only the traffic which came from SITE B to the Internet back to SITE B.


SITE B (remote)

crypto map vpn_map 10 match address vpn_map_acl

! everything from the Site B LAN goes into the tunnel; <Site B LAN> <mask> is the LAN subnet, not given in the thread
access-list vpn_map_acl permit ip <Site B LAN> <mask> any


SITE A (main)

crypto map vpn_map 10 match address vpn_site_b_acl

! mirror image of the Site B entry: only traffic destined to the Site B LAN is encrypted
access-list vpn_site_b_acl permit ip any <Site B LAN> <mask>
Yes, the ACL change will be needed. Good call.
snowdog_2112 (Author) commented:
Excellent - that seems to be working.
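The pieces from the answer and the follow-up, put together into one configuration for each side so the NAT order and the mirrored crypto ACLs can be seen in one place. This is an added illustration, not configuration posted in the thread: the subnets (192.168.1.0/24 for Site A, 192.168.2.0/24 for Site B), the outside addresses (198.51.100.1 and 203.0.113.2, documentation ranges) and the object obj-any are assumed; the object and ACL names are the ones used in the thread. ISAKMP policy, transform set and the rest of the existing crypto map are left out because the thread says the tunnel already works.

```cisco
! ===== Site A (main / hub) ASA 5505, 8.4 syntax =====
! Assumed addressing for this example (not from the original thread):
!   Site A LAN        192.168.1.0/24   (object SITEASUBNET)
!   Site B LAN        192.168.2.0/24   (object SITEBSUBNET)
!   Site A outside IP 198.51.100.1, Site B outside IP 203.0.113.2
!
! Allow a flow to enter and leave the same interface (outside -> outside).
same-security-traffic permit intra-interface
!
object network SITEASUBNET
 subnet 192.168.1.0 255.255.255.0
object network SITEBSUBNET
 subnet 192.168.2.0 255.255.255.0
!
! Section 1 (twice NAT): identity NAT for the site-to-site traffic, so real
! addresses are kept in both directions and match the crypto ACL. This rule
! is checked before the object NAT below, so Site B -> Site A LAN traffic
! is never caught by the hairpin PAT.
nat (inside,outside) source static SITEASUBNET SITEASUBNET destination static SITEBSUBNET SITEBSUBNET
!
! Section 2 (object NAT): Site A LAN to the Internet as before, plus the
! hairpin: Site B LAN decrypted on "outside" is PATed to the outside
! interface address and sent out "outside" again.
object network SITEASUBNET
 nat (inside,outside) dynamic interface
object network SITEBSUBNET
 nat (outside,outside) dynamic interface
!
! Crypto ACL: only traffic destined to the Site B LAN is encrypted. Replies
! from the Internet are un-PATed back to 192.168.2.x before this ACL is
! evaluated, so the hairpinned flows find their way back into the tunnel.
access-list vpn_site_b_acl extended permit ip any 192.168.2.0 255.255.255.0
crypto map vpn_map 10 match address vpn_site_b_acl
crypto map vpn_map 10 set peer 203.0.113.2
! The default route must point out "outside" so the un-PATed replies for
! 192.168.2.0/24 reach the interface where the crypto map is applied.

! ===== Site B (remote / spoke) ASA 5505 =====
! Identity NAT for every destination: all traffic leaves with its real
! source address, which is what object SITEBSUBNET on Site A matches.
object network SITEBSUBNET
 subnet 192.168.2.0 255.255.255.0
object network obj-any
 subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source static SITEBSUBNET SITEBSUBNET destination static obj-any obj-any
!
! Mirror image of Site A's crypto ACL: the phase 2 proxy IDs must match,
! so "192.168.2.0/24 -> any" here pairs with "any -> 192.168.2.0/24" there.
access-list vpn_map_acl extended permit ip 192.168.2.0 255.255.255.0 any
crypto map vpn_map 10 match address vpn_map_acl
crypto map vpn_map 10 set peer 198.51.100.1
```

Two things to check after applying this. First, on 8.4 the NAT sections are evaluated in order (twice NAT, then object NAT), so a broad manual rule such as a `nat (any,any)` identity rule placed above the hairpin entry will catch the Site B traffic first and it will leave unmodified with a 192.168.2.x source. Second, decrypted VPN traffic bypasses the outside interface ACL by default (`sysopt connection permit-vpn`); if that has been turned off, the outside ACL on Site A must also permit the Site B LAN to any, or the hairpinned flows are dropped before NAT.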