ASA 5505 VPN for Internet Traffic

Can someone assist with this scenario?

I need to have ALL traffic (including Internet) route over a VPN BUT I need to exclude some specific traffic so it gets Natted locally.

I've tried to do this by adding a DENY on my ACL but can't seem to get it to work.

Thanks.



GioGonza

Hello @George Rodriguez,

What kind of VPN tunnel are you deploying? Also, can you share your config?

Gio

It's a site-to-site VPN.

Here is the relevant config.

I assumed adding the DENY on the ACL would prevent the traffic. It seems like it is, but I suspect the traffic is not being NAT'd.


object network LAN_Subnet
subnet 10.2.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object-group network REMOTE_SUBNETS
network-object 10.0.0.0 255.0.0.0
object-group network OS_Subnet
I left out for security reasons
access-list INTERESTINGTRAF extended deny ip object LAN_Subnet object OS_Subnet
access-list INTERESTINGTRAF extended permit ip object LAN_Subnet object-group obj_any
nat (inside,any) source static LAN_Subnet LAN_Subnet destination static obj_any obj_any no-proxy-arp route-lookup
crypto map DataCenter 20 match address INTERESTINGTRAF
crypto map DataCenter 20 set peer x.x.x.x
crypto map DataCenter 20 set ikev1 transform-set TSET
crypto map DataCenter interface outside


object network obj_any
nat (inside,outside) dynamic interface

Hello @George Rodriguez

If I'm not mistaken, you want some traffic to hit the NAT on the ASA and not go through the VPN tunnel. You need to remove the deny you added on the encryption domain and play with the NAT statements:

Since your first NAT is from your internal to ANY, you should get a new NAT for the object OS_Subnet first in order to perform the NAT on your ASA and not on the remote; this will avoid the traffic going to the remote end.

nat (inside,outside) 1 source dynamic LAN_Subnet interface destination static OS_Subnet OS_Subnet

nat (inside,any) 2 source static LAN_Subnet LAN_Subnet destination static obj_any obj_any no-proxy-arp route-lookup

With this configuration, if your internal subnet hits the OS_Subnet object it will be translated to your outside interface; the rest of the traffic will remain untranslated and will go through the VPN tunnel.

HTH

Gio

 

So the 1 & 2 will give the NAT statements a priority? That makes sense. I'll give that a shot.

Hello @George Rodriguez,

Yes, the number after the interfaces is to place the NAT statements where you want them and not last, as is the default behavior.

Let me know when you do the test.

Gio
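The following is an added illustration, not code from this thread or from Cisco: a small Python model of the two steps the replies above rely on, first-match evaluation of the manual NAT rules in the order they are listed, followed by matching the crypto-map ACL against the post-NAT packet. OS_Subnet was withheld in the question, so the example substitutes a documentation prefix (203.0.113.0/24) for it, and the outside interface address (198.51.100.10) is likewise an assumed placeholder. It shows three cases: the accepted ordering (PAT to OS_Subnet at position 1, identity NAT at position 2), the same two rules with the identity rule first (the PAT rule is shadowed and everything enters the tunnel), and the original attempt (deny in the crypto ACL, identity NAT only), where the excluded traffic leaves the tunnel but is never translated, which is what the poster suspected.

```python
"""Model of ASA manual-NAT ordering and crypto-ACL matching (added example,
constructed data; not a Cisco tool and not the thread's own code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "identity" (leave source as-is) or "pat-interface"


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# Objects from the thread.
LAN_SUBNET = ipaddress.ip_network("10.2.0.0/24")
OBJ_ANY = ipaddress.ip_network("0.0.0.0/0")
# Placeholders (assumptions): OS_Subnet was withheld, outside IP not given.
OS_SUBNET = ipaddress.ip_network("203.0.113.0/24")
OUTSIDE_IF_IP = ipaddress.ip_address("198.51.100.10")

# The two manual NAT rules from the accepted answer.
PAT_TO_OS = NatRule("nat 1: dynamic LAN_Subnet -> interface, dst OS_Subnet",
                    LAN_SUBNET, OS_SUBNET, "pat-interface")
IDENTITY_ANY = NatRule("nat 2: static LAN_Subnet -> LAN_Subnet, dst any",
                       LAN_SUBNET, OBJ_ANY, "identity")

ACCEPTED_ORDER = [PAT_TO_OS, IDENTITY_ANY]   # positions 1 and 2 as suggested
SHADOWED_ORDER = [IDENTITY_ANY, PAT_TO_OS]   # identity-to-any first (default: appended last)
ORIGINAL_NAT = [IDENTITY_ANY]                # the question's single manual NAT rule

# Crypto ACL "INTERESTINGTRAF": the accepted answer keeps only the permit.
ACL_PERMIT_ONLY = [AclEntry("permit", LAN_SUBNET, OBJ_ANY)]
# The question's version, with the deny for OS_Subnet in front.
ACL_WITH_DENY = [AclEntry("deny", LAN_SUBNET, OS_SUBNET),
                 AclEntry("permit", LAN_SUBNET, OBJ_ANY)]


def first_nat_match(rules: List[NatRule], src: ipaddress.IPv4Address,
                    dst: ipaddress.IPv4Address) -> Optional[NatRule]:
    """Manual NAT (section 1) is evaluated top-down; the first hit wins."""
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule
    return None


def acl_permits(acl: List[AclEntry], src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address) -> bool:
    """Top-down ACL match with the implicit deny at the end."""
    for entry in acl:
        if src in entry.src and dst in entry.dst:
            return entry.action == "permit"
    return False


def forward(nat_rules: List[NatRule], crypto_acl: List[AclEntry],
            src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Return (source address on the wire, "vpn-tunnel" or "local-egress")."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    rule = first_nat_match(nat_rules, src, dst)
    # A matching manual rule means object NAT (section 2) is never consulted.
    xlated = OUTSIDE_IF_IP if rule and rule.action == "pat-interface" else src
    # Outbound crypto-map matching is done on the translated packet, so a
    # PAT'd packet sourced from the outside IP no longer matches LAN_Subnet.
    path = "vpn-tunnel" if acl_permits(crypto_acl, xlated, dst) else "local-egress"
    return str(xlated), path


if __name__ == "__main__":
    host, os_host, internet_host = "10.2.0.50", "203.0.113.7", "192.0.2.1"
    print("accepted order, to OS_Subnet :", forward(ACCEPTED_ORDER, ACL_PERMIT_ONLY, host, os_host))
    print("accepted order, to Internet  :", forward(ACCEPTED_ORDER, ACL_PERMIT_ONLY, host, internet_host))
    print("identity first, to OS_Subnet :", forward(SHADOWED_ORDER, ACL_PERMIT_ONLY, host, os_host))
    print("original deny,  to OS_Subnet :", forward(ORIGINAL_NAT, ACL_WITH_DENY, host, os_host))
```

Running it prints the PAT'd source with local egress for OS_Subnet under the accepted ordering, the untranslated source into the tunnel for everything else, the PAT rule being shadowed when the identity rule is listed first, and an untranslated RFC 1918 source leaving locally under the original deny approach.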

I added the NAT statements as suggested and it works!!

Thanks!