06-16-2012 01:25 AM
Hello,
I have an ASA configured as a VPN firewall, where nat 0 is configured and a crypto map is applied on the outside interface.
Can I allow normal browsing traffic (surfing the Internet) to pass through the same firewall (inside interface, and outside interface where ISAKMP is enabled and the crypto map is applied)?
Shall I add deny lines in the nat 0 access list, or just not add the source IP of the traffic that will use the VPN firewall only for surfing the Internet?
BR,
06-16-2012 10:57 AM
Sure - what you describe is a common way to use the ASA. Your nat 0 list tells the ASA what NOT to NAT since it is going over a VPN tunnel and retaining its original address. Other traffic should be covered by a global NAT (and translated to something like the outside interface address). Something like this:
! PAT everything leaving the outside interface to the outside interface address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
! NAT exemption for tunnel traffic (evaluated before the dynamic PAT above)
nat (inside) 0 access-list inside_nat0_outbound
...for an 8.2 or earlier ASA example.
06-17-2012 11:54 PM
OK, thanks.
Are there any command tricks to take care of when having the above scenario?
(tips)
I have an example here:
Server A is connected to the ASA DMZ; server A has the right to pass through the outside interface of the ASA to use the Internet (normal browsing traffic),
which means a nat (outside) (whether static or global) is available for this server on the ASA.
Now, can I configure this server in nat 0 if this server will be configured to pass traffic through a VPN tunnel, while keeping the previous access for Internet browsing?
BR,
06-18-2012 06:53 AM
Correct, one can and should use a NAT exemption (nat 0) in addition to the global NAT when needing to communicate both over the public IP for Internet and over the private (real) IP address for a LAN-LAN VPN tunnel.
It's easiest and least error-prone to configure this in ASDM. If you want to reinforce your knowledge of the CLI, just set the ASDM option to preview commands before applying them.
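The two answers above rest on the ASA 8.2 NAT order of operations: NAT exemption (nat 0 access-list) is evaluated first, then static NAT, then dynamic NAT/PAT, so a host can sit in a nat 0 ACL for the tunnel and still be PATed or statically translated toward the Internet. The following is an added example, not from this thread or from Cisco: a small Python model that parses a constructed 8.2-style fragment (addresses, interface names and ACL names are all assumed) and applies that order to a few sample flows, for the inside LAN case of the first answer and the DMZ "server A" case of the last one.

```python
import ipaddress

# Constructed ASA 8.2-style fragment (assumed addresses, not from the thread):
# inside LAN 10.1.0.0/16, DMZ server 172.16.1.10 with a static to 203.0.113.10,
# remote VPN LAN 192.168.50.0/24, and a catch-all PAT to the outside interface.
SAMPLE_CONFIG = """
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 172.16.1.10 255.255.255.255 192.168.50.0 255.255.255.0
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (dmz) 0 access-list dmz_nat0_outbound
"""

OUTSIDE_IF_ADDR = "203.0.113.1"  # assumed address of the outside interface


def parse_config(text):
    """Collect the NAT-relevant 8.2 statements into a small lookup structure."""
    cfg = {"acls": {}, "statics": [], "nat0": {}, "dynamic": {}, "globals": {}}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src = ipaddress.ip_network(f"{t[5]}/{t[6]}")   # mask form is accepted
            dst = ipaddress.ip_network(f"{t[7]}/{t[8]}")
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "static":
            real_if, mapped_if = t[1].strip("()").split(",")
            # static (real_if,mapped_if) MAPPED REAL netmask MASK
            cfg["statics"].append((real_if, mapped_if, t[3], t[2]))
        elif t[0] == "global":
            cfg["globals"][(t[1].strip("()"), t[2])] = t[3]
        elif t[0] == "nat":
            iface = t[1].strip("()")
            if t[2] == "0" and t[3] == "access-list":
                cfg["nat0"][iface] = t[4]                   # NAT exemption
            else:
                cfg["dynamic"][iface] = (t[2], ipaddress.ip_network(f"{t[3]}/{t[4]}"))
    return cfg


def translate(cfg, in_if, out_if, src, dst):
    """Return (rule type, source address seen on out_if) for one flow,
    following the 8.2 order: exemption, then static, then dynamic NAT/PAT."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. NAT exemption: matching traffic keeps its real address (the VPN case).
    acl = cfg["nat0"].get(in_if)
    if acl and any(src_ip in s and dst_ip in d for s, d in cfg["acls"].get(acl, [])):
        return ("exempt", src)
    # 2. Static NAT for this real host toward the mapped interface.
    for real_if, mapped_if, real, mapped in cfg["statics"]:
        if real_if == in_if and mapped_if == out_if and real == src:
            return ("static", mapped)
    # 3. Dynamic NAT/PAT: nat (in_if) ID paired with global (out_if) ID.
    dyn = cfg["dynamic"].get(in_if)
    if dyn:
        nat_id, net = dyn
        g = cfg["globals"].get((out_if, nat_id))
        if g and src_ip in net:
            return ("pat", OUTSIDE_IF_ADDR if g == "interface" else g)
    # No rule: with the default "no nat-control" the packet passes untranslated.
    return ("none", src)


SAMPLE_FLOWS = [
    ("inside", "outside", "10.1.2.3", "192.168.50.7"),      # LAN host to VPN peer LAN
    ("inside", "outside", "10.1.2.3", "198.51.100.80"),     # LAN host browsing
    ("dmz", "outside", "172.16.1.10", "192.168.50.7"),      # server A to VPN peer LAN
    ("dmz", "outside", "172.16.1.10", "198.51.100.80"),     # server A browsing
]


def evaluate_flows(config_text=SAMPLE_CONFIG, flows=SAMPLE_FLOWS):
    cfg = parse_config(config_text)
    return [translate(cfg, *flow) for flow in flows]


if __name__ == "__main__":
    for flow, result in zip(SAMPLE_FLOWS, evaluate_flows()):
        print(f"{flow[2]} -> {flow[3]} via {flow[1]}: {result[0]}, seen as {result[1]}")
```

The DMZ flows illustrate the last answer: the same server is exempted toward the remote VPN LAN and statically translated toward the Internet, with no deny lines needed in the nat 0 ACL because non-matching traffic simply falls through to the static and dynamic rules. Real ASAs also consult policy NAT and the crypto ACL, which this model leaves out.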