09-13-2019 01:25 PM - edited 02-21-2020 09:44 PM
I have an ASA 5525-x with a Site-to-Site VPN to AT&T. We have remote hotspot users coming through the VPN tunnel to this ASA to our location. Since they are assigned RFC1918 addresses, they get routed through our internal network in order to get outside through our firewall (which provides NATting). This may seem like an odd configuration, but these users used to get forced through a context filtering device which used to be on our network. It no longer is, but there is great resistance in the organization to changing this setup.
We also have an ASA 5520 which is serving as our remote access VPN for our non-hotspot users. Since that device is past end-of-life, I am trying to move its configuration to another device. The only other logical place, without buying additional hardware, is the ASA 5525-x. I've got the 5520 config merged into the 5525-x config, but there are many issues.
Does anyone have an example config similar to this situation? I was starting to research multiple security contexts, but it looks like that doesn't allow for remote-access VPN. I'm just not sure how to handle the default gateway. For hotspot users, I need it pointing internally, so the traffic goes outside through the NAT. For remote-access VPN users, I need it pointing directly to the gateway router, not going through NAT.
09-13-2019 10:02 PM
As long as you have an (outside,outside) NAT rule the remote access VPN users will get Internet access just fine.
09-14-2019 04:04 AM
nat (outside,outside) dynamic interface

better put this rule in section 2

object network XXXXX
 nat (outside,outside) dynamic interface

or you can put this rule in section 3 also.
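The two placements mentioned above, written out as an added ASA configuration example (not taken from the thread or from any poster's config). The interface name `outside`, the object name `RA_VPN_POOL`, the pool name and the 10.99.0.0/24 address range are assumptions for illustration; substitute your own names and verify against `show running-config` before applying. Hairpinning VPN clients back out the same interface also requires `same-security-traffic permit intra-interface`, which the thread does not mention.

```cisco
! Added example, not from the original thread. Names and addresses are assumed.

! Required for hairpinning: remote-access clients arrive on "outside" and must
! leave through "outside" again. Without this the ASA drops intra-interface traffic.
same-security-traffic permit intra-interface

! Address pool handed to remote-access VPN clients (constructed example range).
ip local pool RA_VPN_POOL_ADDRS 10.99.0.1-10.99.0.254 mask 255.255.255.0

! Option A (section 2, Auto NAT): the rule is attached to the pool object, so
! only sources inside the VPN pool are translated to the outside interface address.
object network RA_VPN_POOL
 subnet 10.99.0.0 255.255.255.0
 nat (outside,outside) dynamic interface

! Option B (section 3, after-auto manual NAT): evaluated only for traffic that no
! section 1 or section 2 rule matched. Use one option or the other, not both.
nat (outside,outside) after-auto source dynamic RA_VPN_POOL interface

! Verification after applying (constructed client and destination addresses):
!   show nat detail
!       -> confirms which section the rule landed in and its translate hit count
!   packet-tracer input outside tcp 10.99.0.10 1025 203.0.113.10 80
!       -> walks the NAT and ACL path a hairpinned client flow would take
```

The NAT scope is the design point: because the (outside,outside) rule is keyed to the VPN pool object rather than `any`, traffic from the AT&T site-to-site tunnel is not accidentally translated by the same rule. If, as the later reply in this thread says, the remote-access users only need internal resources, this hairpin NAT is not needed at all; a split-tunnel ACL in the group-policy keeps Internet traffic off the tunnel instead.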
09-16-2019 05:07 AM
Thanks for the replies... trying to figure out how to implement this in our environment.
The remote access VPN users will only need the connection in order to access internal resources only.