# Question regarding rules



## mrw5641 (Aug 14, 2015)

Hi there. I am trying to have a better understanding of networking.

My interface to the internet is called LPOUT. When I am VPN'd into my network, that is called the GUESTS network.

When creating a rule for the GUEST network to have an internet connection, is that a NAT rule?

Is that NAT rule defined on the LPOUT interface?


----------



## MitchConner (May 8, 2015)

Hi mate.

You'll need to u-turn that traffic on your outside (lpout) interface:

```
object network VPN-CLIENTS
 subnet x.x.x.x x.x.x.x
 nat (LPOUT,LPOUT) dynamic interface
```


----------



## mrw5641 (Aug 14, 2015)

Hi Mitch. 

Thanks for responding. Can you please send me the commands?


----------



## MitchConner (May 8, 2015)

Those are the commands for NAT.

```
conf t
! You may already have an object group configured, in which case, skip the subnet config below and add the NAT statement to your existing object.
object network VPN-CLIENTS
 ! The subnet for your VPN DHCP clients
 subnet x.x.x.x x.x.x.x
 nat (LPOUT,LPOUT) dynamic interface
```

You'll also need to tell your ASA to tunnel all client traffic over the VPN, by modifying your group policy:

```
conf t
group-policy <your policy name> internal
group-policy <your policy name> attributes
 split-tunnel-policy tunnelall
```

Also, allow the internet traffic to ingress/egress the same interface (you may already have this):

```
conf t
same-security-traffic permit intra-interface
```


----------
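
As an added example (not part of the thread and not Cisco tooling), this Python check reads a saved running-config and reports the three settings discussed above: a dynamic interface NAT whose two interfaces are the same, `same-security-traffic permit intra-interface`, and each group policy's `split-tunnel-policy`. The sample config, its addresses and both policy names are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread); policy names are hypothetical.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
object network VPN-CLIENTS
 subnet 192.0.2.0 255.255.255.0
group-policy GUESTS-POLICY attributes
 split-tunnel-policy tunnelall
group-policy STAFF-POLICY attributes
 split-tunnel-policy tunnelspecified
object network VPN-CLIENTS
 nat (LPOUT,LPOUT) dynamic interface
"""

# The backreference \1 only matches when both interfaces in the pair are the same.
HAIRPIN_RE = re.compile(r"nat \(([^,\s]+),\1\) dynamic interface")


def parse_blocks(config):
    """Group indented sub-commands under their unindented header line."""
    blocks, header = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and header is not None:
            blocks[header].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            header = line.strip()
            blocks.setdefault(header, [])  # repeated headers merge into one block
    return blocks


def audit_hairpin(config):
    """Report the three settings from the thread as found in `config`."""
    blocks, hairpin, tunnel = parse_blocks(config), {}, {}
    for header, subs in blocks.items():
        words = header.split()
        if words[:2] == ["object", "network"] and len(words) == 3:
            for m in filter(None, map(HAIRPIN_RE.fullmatch, subs)):
                hairpin[words[2]] = m.group(1)  # object name -> hairpin interface
        elif words[0] == "group-policy" and words[-1] == "attributes":
            # None = no explicit line; the inherited value is not resolved here.
            values = [s.split()[1] for s in subs if s.startswith("split-tunnel-policy ")]
            tunnel[" ".join(words[1:-1])] = values[-1] if values else None
    intra = "same-security-traffic permit intra-interface" in blocks
    return {"intra_interface": intra, "hairpin_nat": hairpin, "split_tunnel": tunnel}


if __name__ == "__main__":
    print(audit_hairpin(SAMPLE_CONFIG))
```

A group policy reported with anything other than `tunnelall` is one whose clients do not send all of their traffic through the ASA, so the hairpin NAT would not cover their internet traffic.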

