Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
913
Views
0
Helpful
3
Replies

ASA outside interface

Go to solution
learnsec
Level 1
Level 1

‎06-16-2012 01:25 AM

hello,

i have asa configured as a vpn firewall, where nat 0 is configured and crypto map applied on the outside interface.

can i allow to pass hrough the same firewall (inside interface, and outside interface where isakmp is enabled and crypto map is applied) a normal browsing traffic to surf the internet?

shall i add deny lines in the nat 0 accesslist or just not to add the source ip of the traffic that will use the vpn firewall for just surfing the internet ?

B R,

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-16-2012 10:57 AM

Sure - what you describe is a common way to use the ASA. Your nat 0 list tells the ASA what NOT to NAT since it is going over a VPN tunnel and retaining its original address. Other traffic should be covered by a global NAT (and translated to something like the outside interface address). Something like this:

global (inside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

...for an 8.2 or earlier ASA example.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-16-2012 10:57 AM

Sure - what you describe is a common way to use the ASA. Your nat 0 list tells the ASA what NOT to NAT since it is going over a VPN tunnel and retaining its original address. Other traffic should be covered by a global NAT (and translated to something like the outside interface address). Something like this:

global (inside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

...for an 8.2 or earlier ASA example.

0 Helpful

Go to solution
learnsec
Level 1
Level 1
In response to Marvin Rhoads

‎06-17-2012 11:54 PM

ok thanks,

just any command tricks to take care of when having the above scenario?

(tips)

i have an example here,

Server A is connected to ASA DMZ, server A has the right to pass through the outside interface of the ASA to use internet (normal browsing traffic).

which means a nat (outside) (whatever static or global) is available for this server on the ASA.

now can i configure this server in nat 0 if this server will be configured to pass traffic through a VPN Tunnel with keeping the previous access for internet browsing?

BR,

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to learnsec

‎06-18-2012 06:53 AM

Correct, one can and should use a NAT exemption (nat 0) in addition to the global NAT when needing to communicate both over the public IP for Internet and over the private (real) IP address for a LAN-LAN VPN tunnel.

It's easiest and less error-prone to configure this in ASDM. If you want to reinforce your knowledge of the CLI, just set ASDM option to preview commands before applying.

0 Helpful
Customers Also Viewed These Support Documents