01-10-2021 11:04 PM
I have configured a Cisco ASA 5520, and I am here to ask about one possibility according to my needs.
I have two internet connections. Both are configured in the Cisco ASA as internet. For example:
1st link = 1.2.3.4
2nd link = 5.6.7.8
Is it possible to configure both so that from the 1st link I can give internet access to all the users, and from the 2nd link I can give connectivity to the site-to-site VPN configured on my Cisco ASA?
I have tried it but it didn't work. I configured both links on the Cisco ASA, then created a static route for both links, and then created a NAT rule for internet access in which I used the 1st link interface as the translated address to give users internet access. No other rule is created.
I want both things to work at the same time. Please tell me if it's possible.
01-11-2021 12:07 AM
Technically doable, but make sure your NAT rule and ACL point to the right interface. Can you post the configuration?
01-11-2021 12:16 AM - edited 01-11-2021 12:23 AM
@balaji.bandi do I need to create a NAT rule for both connections? One will give access to the users with the LAN as the source address, and the other will be used only for the specific LAN IP that is accessible by the other side of the VPN as the source address. There is no ACL configured in the firewall; I am using the internet services without an ACL.
The setup I am talking about, I configured it properly, but it didn't work, so I shifted it to the single IP. Once I get the confirmation and am sure it works, I will configure it again, but first I need to know if it can work or not.
Will I get any issue if I create two static default routes for both connections?
01-11-2021 03:05 AM
You need a NAT rule for your outgoing traffic.
For the VPN you need an ACL to allow internal resources. If you like to use a full cone VPN, then you need a NAT rule on the outgoing ISP side.
Example:
LAN ------DATA -----(NAT) ISP1
VPN users ----ISP2 ---ACL ---LAN
01-11-2021 03:25 AM
I understand the NAT rule. I mean I will create a NAT rule, name it anything, the type will be network, then I will mention my network ID in IP Address, NAT will be dynamic, and the translated Addr will be ISP1.
But I don't understand how to create the ACL you mentioned; can you please explain it to me? And does it mean I don't need to create the NAT rule for the VPN user?
01-11-2021 03:57 AM
For the VPN, the user dials in to the ASA on a public IP or FQDN using ISP2; you will have a different pool of IP addresses.
The user gets an IP address from the VPN pool 192.168.10.2-254 (any IP based on the DHCP pool).
Take an example:
VPN IP 192.168.10.X
LAN IP address 192.168.20.X
So VPN users are required to access LAN IP address resources 192.168.20.X.
You need an access rule which allows:
Source: 192.168.10.X, Destination: 192.168.20.X, Service: any (or specific services)
If the same VPN users need to go out using ISP1 for internet, you need NAT for that IP range 192.168.10.X.
For VPN users you can also set up split VPN if you like; that means you only use the VPN when the user wants to access 192.168.20.X resources, and if not, they use the DSL outgoing for the rest of the traffic. This depends on the design and business requirement.
Make sure you have the default route pointing to ISP 1.
Does this make sense?
01-11-2021 10:04 PM
@balaji.bandi thanks for your concern, but I didn't get the concept of the ACL rule for the VPN user, and why I need to make that. Let me explain how my network is, then I might be able to understand how it's going to work.
ISP 1 = 1.2.3.4
ISP 2 = 4.5.6.7
Internal = 192.168.2.0/24
VPN Peer IP = 10.2.3.4
Remote Network IPs = 10 (I want to give access to only 1 IP from my internal network, which is 192.168.2.38)
All I want is to give internet access to the users from ISP 1, and to use ISP 2 for the VPN, and in the VPN there is only one machine which needs to be added to the VPN client, I mean which needs to be accessed by the VPN remote IPs (192.168.2.38).
Now I will create a NAT rule for ISP 1: I will name it anything, the type will be network, then I will mention my network ID in IP Address, which is 192.168.2.0, NAT will be dynamic, and the translated Addr will be ISP 1.
Now what will the ACL rule be, I mean what will it do? And do I need to create another NAT rule for the VPN users mentioning ISP 2 or not? Please help me.
01-12-2021 03:05 AM
There is confusion here; the information we have in the initial post vs. now is different.
To make it clear, can you please take a small piece of paper, draw a diagram and show exactly what you are looking for, so we can suggest better rather than directing you differently (this will go round and round, which I don't like, and it saves each other's time).
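As an added example (not posted by anyone in this thread and not Cisco's own sample), here is ASA CLI that implements the design described in the second-to-last post: LAN 192.168.2.0/24 goes to the internet through ISP 1 (1.2.3.4), an IKEv1 site-to-site tunnel to peer 10.2.3.4 leaves through ISP 2 (4.5.6.7), and only host 192.168.2.38 is carried in the tunnel. The two points the thread circles around are the routing and the NAT: the VPN peer gets a host route out the ISP 2 interface (longest-prefix match beats the default route, so no second default route is needed), and the VPN traffic gets an identity NAT ahead of the dynamic PAT so it is not translated to the ISP 1 address. Assumed, because the thread does not give them: ASA software 8.4(2) or later (object NAT and the `route-lookup` keyword), the interface names `outside1`/`outside2`/`inside`, the ISP gateways 1.2.3.1 and 4.5.6.1, /24 masks, and the crypto parameters. The remote network is a placeholder, since the thread only says "10" without a mask.

```cisco
! ADDED EXAMPLE, not from the thread. ASA 8.4(2)+ syntax.
! ASSUMED: interface names, ISP gateways, masks, crypto parameters.
! PLACEHOLDER: REMOTE_NET (thread gives only "10" as the remote network).
!
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 1.2.3.4 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 4.5.6.7 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
! Routing: ONE default route via ISP 1 for internet, plus a host route for the
! VPN peer via ISP 2. Only IKE/ESP to 10.2.3.4 leaves through outside2.
! (Do not add a second default route; on this platform a second default route
! on another interface only serves as a higher-metric backup.)
route outside1 0.0.0.0 0.0.0.0 1.2.3.1 1
route outside2 10.2.3.4 255.255.255.255 4.5.6.1 1
!
! Objects. The LAN object also carries the dynamic PAT to the ISP 1 interface
! (the "dynamic, translated Addr = ISP 1" rule from the thread, in CLI form).
object network HOST_38
 host 192.168.2.38
object network REMOTE_NET
 subnet 10.0.0.0 255.255.255.0
object network LAN
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside1) dynamic interface
!
! Identity NAT (manual NAT, evaluated before the object NAT above): traffic from
! 192.168.2.38 to the remote network keeps its real address and is sent to
! outside2, so the crypto map can match it. Without this, the PAT rule would
! rewrite it to 1.2.3.4 and send it out ISP 1, which is the likely reason the
! first attempt "didn't work".
nat (inside,outside2) source static HOST_38 HOST_38 destination static REMOTE_NET REMOTE_NET no-proxy-arp route-lookup
!
! Crypto ACL: only the single host is "interesting traffic" for the tunnel.
access-list VPN_TO_REMOTE extended permit ip host 192.168.2.38 object REMOTE_NET
!
! IKEv1 / IPsec site-to-site, bound to outside2 (ISP 2) only. Choose the
! strongest DH group and transform your release and the peer both support.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set TS_AES256_SHA esp-aes-256 esp-sha-hmac
crypto map CMAP_ISP2 10 match address VPN_TO_REMOTE
crypto map CMAP_ISP2 10 set peer 10.2.3.4
crypto map CMAP_ISP2 10 set ikev1 transform-set TS_AES256_SHA
crypto map CMAP_ISP2 interface outside2
crypto ikev1 enable outside2
!
tunnel-group 10.2.3.4 type ipsec-l2l
tunnel-group 10.2.3.4 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_STRONG_PSK
!
! Decrypted VPN traffic bypasses the interface ACL by default
! (sysopt connection permit-vpn). If that is disabled, an inbound ACL on
! outside2 permitting only REMOTE_NET -> host 192.168.2.38 is the "ACL for the
! VPN" the other poster refers to.
```

To check the result, `show route` should list the default via outside1 and the /32 for 10.2.3.4 via outside2, `show nat detail` should show the identity rule in section 1 ahead of the LAN PAT in section 2, and `packet-tracer input inside tcp 192.168.2.38 12345 10.0.0.10 80 detailed` (with 10.0.0.10 standing in for a real remote host) should end with the VPN encrypt phase on outside2 rather than a NAT to 1.2.3.4; a packet from any other LAN host to the internet should instead show the PAT to the outside1 address. Once the peer is up, `show crypto ikev1 sa` and `show crypto ipsec sa` confirm the tunnel and its encap/decap counters.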