cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
980
Views
0
Helpful
3
Replies

ASA outside interface

learnsec
Level 1
Level 1

hello,

i have asa configured as a vpn firewall, where nat 0 is configured and crypto map applied on the outside interface.

can i allow to pass hrough the same firewall (inside interface, and outside interface where isakmp is enabled and crypto map is applied) a normal browsing traffic to surf the internet?

shall i add deny lines in the nat 0 accesslist or just not to add the source ip of the traffic that will use the vpn firewall for just surfing the internet ?

B R,

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

Sure - what you describe is a common way to use the ASA. Your nat 0 list tells the ASA what NOT to NAT since it is going over a VPN tunnel and retaining its original address. Other traffic should be covered by a global NAT (and translated to something like the outside interface address). Something like this:

global (inside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

...for an 8.2 or earlier ASA example.

View solution in original post

3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

Sure - what you describe is a common way to use the ASA. Your nat 0 list tells the ASA what NOT to NAT since it is going over a VPN tunnel and retaining its original address. Other traffic should be covered by a global NAT (and translated to something like the outside interface address). Something like this:

global (inside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

...for an 8.2 or earlier ASA example.

ok thanks,

just any command tricks to take care of when having the above scenario?

(tips)

i have an example here,

Server A is connected to ASA DMZ, server A has the right to pass through the outside interface of the ASA to use internet (normal browsing traffic).

which means a nat (outside) (whatever static or global) is available for this server on the ASA.

now can i configure this server in nat 0 if this server will be configured to pass traffic through a VPN Tunnel with keeping the previous access for internet browsing?

BR,

Correct, one can and should use a NAT exemption (nat 0) in addition to the global NAT when needing to communicate both over the public IP for Internet and over the private (real) IP address for a LAN-LAN VPN tunnel.

It's easiest and less error-prone to configure this in ASDM. If you want to reinforce your knowledge of the CLI, just set ASDM option to preview commands before applying.