L2L setup with internet access

Answered Question

Hi All,

I have set up an L2L VPN between my host site and a small two-person office using my ASA 5510 and a little Netgear VPN router. I wish for the users to have to come to the head office for internet. I can access all the resources and such but the internet is not working from the site. I have made sure I have the same-security-traffic permit intra-interface command on my ASA. Maybe I am missing a route? Can someone point me in the right direction?

TIA,

R


Thank you for your response. I think I may have an issue with this.

If I apply the command:

split-tunnel-policy tunnelall

How will this affect my normal VPN clients who do in fact use split tunneling to access the internet via their local gateway? I already have the following in my config:

split-tunnel-policy tunnelspecified

Will this negatively affect my current setup?

thanks

acomiskey Thu, 03/29/2007 - 12:44

You should be able to create a separate group policy, apply that group policy to the l2l tunnel group and configure tunnelall in that group policy only. Make sense? Most likely your remote access vpn clients are on a different policy than your l2l tunnel anyway.

acomiskey Thu, 03/29/2007 - 12:55

Actually, my mistake, since the document is for remote access VPN, it uses split tunnel policy. But since you have an L2L tunnel, you will not have to worry about split tunnel policy, you will just have to make sure that all the traffic from the remote end goes over the tunnel :-)

Here are the important parts of the config...

same-security-traffic permit intra-interface

global (outside) 1 172.18.124.166

nat (outside) 1 192.168.10.0 255.255.255.0

Correct Answer
acomiskey Thu, 03/29/2007 - 13:00

Yes...

global (outside) 1 x.x.x.1

global (outside) 10 x.x.x.2

global (outside) 20 x.x.x.3

nat (inside) 1 192.168.1.0 255.255.255.0

nat (inside) 10 192.168.10.0 255.255.255.0

nat (outside) 20 192.168.20.0 255.255.255.0
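
A check for the prerequisites discussed in this thread, as an added example (not code from any poster or from Cisco): it parses pre-8.3 `global`/`nat` lines and reports whether a remote L2L subnet can hairpin back out of the interface it arrived on. The function name `audit_hairpin` and the sample config, assembled from lines quoted in the thread, are assumptions.

```python
import re

# Constructed sample: lines quoted in the thread, combined into one config
# (the x.x.x.N placeholders are kept exactly as posted).
SAMPLE = """\
same-security-traffic permit intra-interface
global (outside) 1 x.x.x.1
global (outside) 10 x.x.x.2
global (outside) 20 x.x.x.3
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 10 192.168.10.0 255.255.255.0
nat (outside) 20 192.168.20.0 255.255.255.0
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")

def audit_hairpin(config, remote_subnet, egress="outside"):
    """Return a list of findings; an empty list means the prerequisites are present."""
    pools, nats, findings = {}, [], []
    lines = [ln.strip() for ln in config.splitlines()]
    for ln in lines:
        if m := GLOBAL_RE.match(ln):
            # nat id -> list of (interface, translated address)
            pools.setdefault(m.group(2), []).append((m.group(1), m.group(3)))
        elif m := NAT_RE.match(ln):
            nats.append((m.group(1), m.group(2), m.group(3)))
    # Tunnel traffic enters and leaves on the same interface.
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("intra-interface traffic is not permitted")
    # The remote subnet arrives on the egress interface, so its nat rule
    # must be bound there, not to the inside interface.
    ids = [nid for ifc, nid, net in nats if ifc == egress and net == remote_subnet]
    if not ids:
        findings.append(f"no 'nat ({egress})' rule for {remote_subnet}")
    # Each nat id needs a global pool with the same id on the egress interface.
    for nid in ids:
        if not any(ifc == egress for ifc, _ in pools.get(nid, [])):
            findings.append(f"nat id {nid} has no 'global ({egress})' pool")
    return findings

if __name__ == "__main__":
    for subnet in ("192.168.20.0", "192.168.10.0"):
        print(subnet, audit_hairpin(SAMPLE, subnet) or "ok")
```
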
