Showing results for 
Search instead for 
Did you mean: 

Allow traffic from remote offices (ISP provided site-to-site VPN)


We have a customer moving to a new internet service.  The ISP will be managing the site-to-site vpn tunnels between the different locations.  At the main office, we are installing an ASA 5506-X to act as the gateway/router.  I have posted the configuration I have so far below.  The network objects correspond to the IP schemes at the remote offices.  We need the device to allow traffic from each remote office without being NATed.  (i.e. traffic from SLC, 192.168.208.x -> LocalSubnet 192.168.203.x) and I am unclear how to do this.



ip local pool vpnpool mask

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address <Public IP>
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address
interface GigabitEthernet1/3
no nameif
security-level 100
no ip address
interface GigabitEthernet1/4
no nameif
security-level 100
no ip address
interface GigabitEthernet1/5
no nameif
security-level 100
no ip address
interface GigabitEthernet1/6
no nameif
security-level 100
no ip address
interface GigabitEthernet1/7
no nameif
security-level 100
no ip address
interface GigabitEthernet1/8
no nameif
security-level 100
no ip address
interface Management1/1
no nameif
no security-level
no ip address
boot system disk0:/asa992-32-lfbff-k8.SPA
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any
object network LocalSubnet
object network SLC
object network COS
object network GRJ
object network FRD
object network PKR
object network FTC
object network Linux_Server
object network VPN

route outside <Public Gateway> 1
access-list vpn-split standard permit
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static LocalSubnet LocalSubnet destination static VPN VPN no-proxy-arp route-lookup
object network obj_any
nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh inside
ssh timeout 20
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0

dhcpd auto_config outside
dhcpd address inside
dhcpd dns interface inside
dhcpd lease 845600 interface inside
dhcpd domain <domainname> interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
enable outside
anyconnect image disk0:/anyconnect-win-4.6.03049-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.6.03049-webdeploy-k9.pkg 2
anyconnect enable
tunnel-group-list enable
error-recovery disable
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-split
dynamic-access-policy-record DfltAccessPolicy
username ***** password ***** privilege 15
tunnel-group RemoteVPN type remote-access
tunnel-group RemoteVPN general-attributes
address-pool vpnpool
default-group-policy RemoteVPN
tunnel-group RemoteVPN webvpn-attributes
group-alias RemoteVPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

1 Reply 1

Rob Ingram
VIP Expert VIP Expert
VIP Expert
The example below will not nat traffic from your local network 192.168.203.x to the remote network FRD 192.168.208.x. This is similar to the nat configuration you already have in place for the destination network VPN.

nat (inside,outside) source static LocalSubnet LocalSubnet destination static FRD FRD no-proxy-arp route-lookup

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: