Hello experts,

I am not an expert in security and network so please help me with my below query.

I have a ASA 5520 V 7.0(4), the Inernet link is terminated on a router --> switch---> ASA G0/2. The ASA 5520 is connected to the L3 i.e. G0/1--->L3.

Normally user access the internet using the Proxy server. However I have created natted an access-list for direct internet access for client who frequently visit in our office. Below is the config.

The nat (inside) 1 access-list internet-inside works perfectly fine if Nat (inside) 1 192.168.88.0 25.255.255.0 is applied, but the problem is If i remove the nat entry Nat (inside) 1 192.168.88.0 25.255.255.0 the users cannot access the internet through the access-list internet-inside.

Is the nat compulsary ? what can I do to make the nat (inside) 1 access-list internet-inside make work with out Nat (inside) 1 192.168.88.0 25.255.255.0

I want to remove the nat so that I can restrict the users of 192.168.88.0 subnet from accessing direct internet and restrict them through the internet-inside accesslist.

interface GigabitEthernet0/2
duplex full
nameif internet
security-level 0
ip address X.X.X.242 255.255.255.240
!
interface GigabitEthernet0/3
nameif inside
security-level 0
ip address 192.168.88.2 255.255.255.0
!

dns domain-lookup internet
dns name-server X.X.96.2
dns name-server X.X.103.100
same-security-traffic permit inter-interface
object-group network inside-subnets
network-object 192.168.94.0 255.255.255.0
network-object 192.168.92.0 255.255.255.0
network-object 192.168.93.0 255.255.255.0
network-object 192.168.95.0 255.255.255.0
network-object 192.168.90.0 255.255.255.0
object-group service allow tcp-udp
port-object eq www
port-object eq 443
port-object eq 21
port-object eq 1352
port-object eq 445
port-object eq 1720
port-object range 3230 3270
port-object eq 444
port-object eq 17515
port-object eq 6057
port-object eq 2598
object-group service allow-udp udp
port-object eq 10000
port-object eq isakmp
port-object eq 2598
object-group network allowed-ip-addresses
network-object 192.168.91.31 255.255.255.255
access-list internet_cryptomap_40 extended permit ip host 192.168.88.253 host 10.64.4.94
access-list internet_cryptomap_dyn_20 extended permit ip 192.168.88.0 255.255.255.0 172.16.16.0 255.255.255.0
access-list internet-inside extended permit tcp object-group inside-subnets any object-group allow
access-list internet-inside extended permit udp object-group inside-subnets any object-group allow-udp
access-list internet-inside extended permit tcp object-group allowed-ip-addresses any object-group allow
access-list internet-inside extended permit udp object-group allowed-ip-addresses any object-group allow-udp
access-list Client5_nat0_outbound extended permit ip 192.168.94.0 255.255.255.0 host 10.64.4.94
access-list no-nat extended permit ip 192.168.89.0 255.255.255.0 172.16.16.0 255.255.255.0
access-list no-nat extended permit ip 192.168.88.0 255.255.255.0 172.16.16.0 255.255.255.0
access-list no-nat extended permit ip host 192.168.88.253 host 10.64.4.94
access-list no-nat extended permit ip 10.66.254.0 255.255.255.240 10.0.0.0 255.0.0.0
access-list no-nat extended permit ip 192.168.88.0 255.255.255.0 host 10.124.31.13
access-list internet-out extended permit tcp any host X.X.X.243 eq smtp
access-list internet-out extended permit tcp any host X.X.X.244 eq ftp
access-list internet-out extended permit ip any host X.X.X.245
access-list internet_cryptomap_60 extended permit ip 10.66.254.0 255.255.255.240 host 10.124.31.13
pager lines 24
logging enable
logging timestamp
logging trap informational
logging asdm informational
logging device-id string asa5520
logging host inside 192.168.88.3 17/1514
mtu internet 1500
mtu inside 1500
mtu management 1500
mtu IPS 1500
ip local pool vpnpool 10.10.8.1-10.10.8.254
ip local pool VPN_POOL 10.10.10.1-10.10.10.254
ip local pool rsapool 172.16.16.1-172.16.16.254 mask 255.255.255.0
no failover
icmp permit any inside
icmp permit any management
asdm image disk0:/asdm504.bin
asdm location X.X.X.X 255.255.255.255 internet
asdm location X.X.X.X  255.255.255.255 internet
asdm location X.X.X.X  255.255.255.255 internet
asdm location X.X.X.X 255.255.255.0 inside
asdm location X.X.X.X 255.255.255.255 internet
asdm location X.X.X.X 255.255.255.255 inside
asdm location X.X.X.X  255.255.255.0 internet
asdm location X.X.X.X  255.255.255.255 internet
asdm location X.X.X.X  255.255.255.255 internet
asdm location 192.168.88.33 255.255.255.255 inside
asdm location X.X.X.X  255.255.255.255 internet
asdm location 192.168.88.12 255.255.255.255 inside
asdm location X.X.X.X 255.255.255.240 inside
asdm location 192.168.90.240 255.255.255.240 inside
asdm group inside-subnets inside
no asdm history enable
arp timeout 14400
nat-control
global (internet) 1 interface
nat (inside) 1 access-list internet-inside
nat (inside) 1 192.168.88.0 255.255.255.0
static (inside,internet) X.X.X.243 192.168.89.5 netmask 255.255.255.255
static (inside,internet) X.X.X.244 192.168.88.6 netmask 255.255.255.255
static (inside,internet) 10.66.254.0 192.168.90.240 netmask 255.255.255.240
access-group internet-out in interface internet
route internet 0.0.0.0 0.0.0.0 X.X.X.241 1
route inside 192.168.91.0 255.255.255.0 192.168.88.1 1
route inside 192.168.94.0 255.255.255.0 192.168.88.1 1
route inside 192.168.90.0 255.255.255.0 192.168.88.1 1
route inside 192.168.89.0 255.255.255.0 192.168.88.1 1
route inside 192.168.87.0 255.255.255.0 192.168.88.1 1
route inside 192.168.95.0 255.255.255.0 192.168.88.1 1
route management 192.168.1.100 255.255.255.255 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server sdi protocol sdi
aaa-server sdi host 192.168.88.12
aaa-server radius protocol radius
aaa-server radius host 192.168.88.7
key cisco
group-policy RSA_POLICY internal
group-policy RSA_POLICY attributes
banner value Welcome to **** RSA Networks!
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec
webvpn
group-policy DfltGrpPolicy attributes
banner value Welcome to *** VPN.
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy VPN_POLICY internal
group-policy VPN_POLICY attributes
  vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec
pfs disable
ipsec-udp enable
split-tunnel-policy tunnelall
webvpn
username ********password 2dYqgmUa9wXbpdNS encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.88.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
crypto ipsec transform-set ****_SET esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map VPN_CRY_MAP 40 match address internet_cryptomap_40
crypto map VPN_CRY_MAP 40 set peer X.X.X.174
crypto map VPN_CRY_MAP 40 set transform-set ****_SET
crypto map VPN_CRY_MAP 60 match address internet_cryptomap_60
crypto map VPN_CRY_MAP 60 set peer X.X.X.234
crypto map VPN_CRY_MAP 60 set transform-set ****_SET
crypto map VPN_CRY_MAP interface internet
isakmp identity auto
isakmp enable internet
isakmp enable inside
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal  20
tunnel-group ipsec1 type ipsec-ra
tunnel-group ipsec1 general-attributes
address-pool rsapool
tunnel-group ipsec1 ipsec-attributes
pre-shared-key password
tunnel-group X.X.X.6 type ipsec-l2l
tunnel-group X.X.X.6 ipsec-attributes
pre-shared-key passw0rd
peer-id-validate nocheck
tunnel-group X.X.X.174 type ipsec-l2l
tunnel-group X.X.X.174 ipsec-attributes
pre-shared-key Passw0rd
tunnel-group X.X.X.234 type ipsec-l2l
tunnel-group X.X.X.234 ipsec-attributes
pre-shared-key 1XXXXX

telnet 192.168.88.0 255.255.255.0 inside
telnet timeout 1440
ssh 192.168.88.0 255.255.255.0 inside
ssh timeout 60
console timeout 10
dhcpd lease 3600
dhcpd ping_timeout 50
dhcprelay server 192.168.88.7 inside
dhcprelay timeout 60
!
class-map class_ftp
match port tcp eq ftp-data
class-map IPSclass
match any
class-map inspection_default
match default-inspection-traffic
class-map class_smtp
!
!
policy-map IPSpolicy
class IPSclass
  ips promiscuous fail-open
class inspection_default
  inspect ftp
  inspect h323 h225
class class_smtp
policy-map global_policy
class class_ftp
  inspect ftp
class inspection_default
class class_smtp
policy-map test
!
service-policy IPSpolicy global
ntp server 192.168.88.7 source inside prefer
Cryptochecksum:df2f0d0aa79aead88d0c5e275555c1dd
: end