tunnel traffic to Internet over site-to-site vpn

Answered Question

I have a remote site that connects to our corporate network through a site-to-site vpn connection. I can access all networks from the remote site to the corporate site with no issues. However I cannot access the Internet from the remote site. Our Internet connection is on the same ASA 5520 as the VPN connection. Any help on this issue would be appreciated.

Correct Answer by acomiskey about 9 years 6 months ago

No, no acl is needed.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
acomiskey Mon, 09/10/2007 - 09:39
User Badges:
  • Green, 3000 points or more

It will work just fine. The local and remote networks will communicate with nat exemption. When the remote network requests something on the internet, they will be tunneled over the vpn and will be pat'd on the outside interface of the local ASA.



acomiskey Mon, 09/10/2007 - 11:17
User Badges:
  • Green, 3000 points or more

Yes, because all traffic will need to be tunneled from the remote network to access the local lan and the internet.


Local ASA - Any to

Remote ASA - to Any

Forgive me for being cautious-Last week I was working on this with a TAC engineer when the engineer brought down our Internet access. I'm not sure what happened but I got into a lot of trouble from management.


OK my last stupid question: When I change the ACL to any the tunnel is dropped and I can't communicate with the remote site. How can I get the VPN to come back up with the new ACL addition?

I added all configurations as suggested but no work for me. How can I troubleshoot. Please HELP!!!


global (Internet) 2 x.x.x.20 netmask 255.255.255.192 <-- PAT Interface

nat (Inside) 2 x.x.x.x 255.255.255.0 <-- remote network ip range


I have all ACL's with the proper network to any or any to network statements and my tunnel is up.

acomiskey Tue, 09/11/2007 - 10:20
User Badges:
  • Green, 3000 points or more

Glad to hear the tunnel is back up.


same-security-traffic permit intra-interface

no nat (Inside) 2 x.x.x.x 255.255.255.0

nat (Internet) 2 x.x.x.x 255.255.255.0

Just to clarify, if this is my current network.

global (Internet) 2 netmask 255.255.255.192 <-- PAT Interface

nat (Inside) 2 10.2.18.0 255.255.255.0 <-- remote network ip range


Then your config change should be?

no nat (Inside) 2 10.2.18.0 255.255.255.0

nat (Internet) 2 ???.???.??? 255.255.255.0


What IP should the question marks be? (public)


How confident that this change will not affect my Internet connection? Or if a public IP goes where the question marks are then can I use another public IP for PAT?

acomiskey Tue, 09/11/2007 - 11:38
User Badges:
  • Green, 3000 points or more

Tim,


Sorry if I have caused confusion. I took your statements above to mean that...


10.2.18.0/24 is the remote network located at the other end of the tunnel? And that this is the network which you want to allow internet access to from your local ASA?


Is this correct?


If so, your existing nat (inside) 2 10.2.18.0 statement is doing nothing. You will need to nat these clients on the outside interface like so...


nat (Internet) 2 10.2.18.0 255.255.255.0


Maybe it would be better if you could post a config from the main ASA and let us know what the remote network is. Clean passwords/public ip's etc.



The whole config would take very many pages. I am including the specific config that is for the remote network as it is now without any new changes you suggested. I hope this will shed some light on my config for the remote site.


global (Internet) 1 xx.xxx.xx.10 netmask 255.255.255.192

global (Internet) 2 xx.xxx.xx.20 netmask 255.255.255.192 <-PAT Interface

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 2 10.2.16.0 255.255.255.0

nat (Inside) 2 10.2.17.0 255.255.255.0

nat (Inside) 2 10.2.18.0 255.255.255.0 <--remote network


route Internet 10.2.18.0 255.255.255.0 xx.xxx.xxx.41 1 <--this is the route pointing to the public ip of the remote site.


access-list Inside_nat0_outbound extended permit ip any 10.2.18.0 255.255.255.0 <--this ACL is very large so i'm only including the remote network.


<--I'm not including the crypto map or tunnel group info-->

access-list Internet_cryptomap_160 extended permit ip any 10.2.18.0 255.255.255.0



acomiskey Tue, 09/11/2007 - 12:29
User Badges:
  • Green, 3000 points or more

Okay. Take a look at the document I posted above. You will notice the following lines...


global (outside) 1 172.18.124.166

nat (outside) 1 192.168.10.0 255.255.255.0


In that example 192.168.10.0 255.255.255.0 is the remote network.


In your case it would look like this...


global (Internet) 2 xx.xxx.xx.20 255.255.255.192

nat (Internet) 10.2.18.0 255.255.255.0


Also, you should not need the route statement you posted above. But I guess if it's not broke, don't fix it.

I entered the nat (Internet) 10.2.18.0 255.255.255.0 statement and it didn't work to begin with but after a few minutes it started working.


I will confirm again by making sure that all NAT overload configuration is removed from the remote router and have them access the Internet.


Do I need any type of ACL for this?


Thanks a lot for your help.

Correct Answer
acomiskey Tue, 09/11/2007 - 13:48
User Badges:
  • Green, 3000 points or more

No, no acl is needed.

Actions

This Discussion