tunnel traffic to Internet over site-to-site vpn

tim.holden
Level 1

I have a remote site that connects to our corporate network through a site-to-site vpn connection. I can access all networks from the remote site to the corporate site with no issues. However I cannot access the Internet from the remote site. Our Internet connection is on the same ASA 5520 as the VPN connection. Any help on this issue would be appreciated.


14 Replies

acomiskey
Level 10

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

This configuration is for a remote access vpn but it is the same for a L2L tunnel. Just make sure to tunnel all traffic then...

same-security-traffic permit intra-interface

global (outside) 1 x.x.x.x

nat (outside) 1

how would this work if I have a nonat ACL from internal networks to the remote network?

It will work just fine. The local and remote networks will communicate with NAT exemption. When the remote network requests something on the Internet, they will be tunneled over the VPN and will be PAT'd on the outside interface of the local ASA.

Will I have to modify my crypto ACL to allow local network to any and on the ASA any to the remote local network?

Yes, because all traffic will need to be tunneled from the remote network to access the local lan and the internet.

Local ASA - Any to

Remote ASA - to Any

Forgive me for being cautious. Last week I was working on this with a TAC engineer when the engineer brought down our Internet access. I'm not sure what happened, but I got into a lot of trouble from management.

OK my last stupid question: When I change the ACL to any the tunnel is dropped and I can't communicate with the remote site. How can I get the VPN to come back up with the new ACL addition?

I added all configurations as suggested but it does not work for me. How can I troubleshoot this? Please HELP!!!

global (Internet) 2 x.x.x.20 netmask 255.255.255.192 <-- PAT Interface

nat (Inside) 2 x.x.x.x 255.255.255.0 <-- remote network ip range

I have all ACLs with the proper network-to-any or any-to-network statements and my tunnel is up.

Glad to hear the tunnel is back up.

same-security-traffic permit intra-interface

no nat (Inside) 2 x.x.x.x 255.255.255.0

nat (Internet) 2 x.x.x.x 255.255.255.0

Just to clarify, if this is my current network.

global (Internet) 2 netmask 255.255.255.192 <-- PAT Interface

nat (Inside) 2 10.2.18.0 255.255.255.0 <-- remote network ip range

Then your config change should be?

no nat (Inside) 2 10.2.18.0 255.255.255.0

nat (Internet) 2 ???.???.??? 255.255.255.0

What IP should the question marks be? (public)

How confident that this change will not affect my Internet connection? Or if a public IP goes where the question marks are then can I use another public IP for PAT?

Tim,

Sorry if I have caused confusion. I took your statements above to mean that...

10.2.18.0/24 is the remote network located at the other end of the tunnel? And that this is the network which you want to allow internet access to from your local ASA?

Is this correct?

If so, your existing nat (inside) 2 10.2.18.0 statement is doing nothing. You will need to nat these clients on the outside interface like so...

nat (Internet) 2 10.2.18.0 255.255.255.0

Maybe it would be better if you could post a config from the main ASA and let us know what the remote network is. Clean out passwords/public IPs etc.

The whole config would take very many pages. I am including the specific config that is for the remote network as it is now without any new changes you suggested. I hope this will shed some light on my config for the remote site.

global (Internet) 1 xx.xxx.xx.10 netmask 255.255.255.192

global (Internet) 2 xx.xxx.xx.20 netmask 255.255.255.192 <-PAT Interface

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 2 10.2.16.0 255.255.255.0

nat (Inside) 2 10.2.17.0 255.255.255.0

nat (Inside) 2 10.2.18.0 255.255.255.0 <--remote network

route Internet 10.2.18.0 255.255.255.0 xx.xxx.xxx.41 1 <--this is the route pointing to the public ip of the remote site.

access-list Inside_nat0_outbound extended permit ip any 10.2.18.0 255.255.255.0 <--this ACL is very large so I'm only including the remote network.

<--I'm not including the crypto map or tunnel group info-->

access-list Internet_cryptomap_160 extended permit ip any 10.2.18.0 255.255.255.0

Okay. Take a look at the document I posted above. You will notice the following lines...

global (outside) 1 172.18.124.166

nat (outside) 1 192.168.10.0 255.255.255.0

In that example 192.168.10.0 255.255.255.0 is the remote network.

In your case it would look like this...

global (Internet) 2 xx.xxx.xx.20 netmask 255.255.255.192

nat (Internet) 2 10.2.18.0 255.255.255.0

Also, you should not need the route statement you posted above. But I guess if it's not broke, don't fix it.
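As an added illustration (not code from the thread or from Cisco), the following small model shows why the nat (Inside) 2 line for 10.2.18.0/24 does nothing and the nat (Internet) 2 line is needed: decrypted spoke traffic enters the hub on the Internet interface, so dynamic NAT is keyed on that ingress interface, and the hairpin additionally depends on the any-to-remote crypto ACL and on same-security-traffic permit intra-interface. Addresses are constructed; 203.0.113.20 stands in for the masked PAT address xx.xxx.xx.20.

```python
# Constructed model of an ASA 8.2-style hub hairpinning spoke Internet traffic.
# It is an illustration, not ASA code; it encodes the three checks discussed
# in the thread: crypto ACL match, intra-interface permission, and which
# interface the nat/global pair is keyed on.
import ipaddress as ip

REMOTE_NET = ip.ip_network("10.2.18.0/24")        # spoke network from the thread
INSIDE_NET = ip.ip_network("10.2.16.0/24")        # one hub LAN from the thread
CRYPTO_ANY = [("any", REMOTE_NET)]                # Internet_cryptomap_160: any -> remote
CRYPTO_NARROW = [(INSIDE_NET, REMOTE_NET)]        # LAN-to-LAN only, no Internet
GLOBALS = {("Internet", 2): "203.0.113.20"}       # global (Internet) 2 <PAT ip> (placeholder)
RULES_BEFORE = {("Inside", 2): [REMOTE_NET]}      # nat (Inside) 2 10.2.18.0 255.255.255.0
RULES_AFTER = {("Internet", 2): [REMOTE_NET]}     # nat (Internet) 2 10.2.18.0 255.255.255.0

def acl_permits(acl, src, dst):
    """True if any (src_spec, dst_spec) entry matches; 'any' matches everything."""
    def hit(spec, addr):
        return spec == "any" or addr in spec
    return any(hit(s, src) and hit(d, dst) for s, d in acl)

def hairpin(src, dst, nat_rules, globals_, intra_interface, crypto_acl):
    """Decide the fate of a decrypted spoke packet src->dst on the hub.
    nat_rules: {(ingress_ifc, nat_id): [networks]}; globals_: {(egress_ifc, nat_id): pat_ip}.
    Returns ('pat', pat_ip) on success or ('drop', reason)."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    # 1. The hub's crypto ACL is written any -> remote; the spoke's packet is the mirror.
    if not acl_permits(crypto_acl, dst, src):
        return ("drop", "packet does not match crypto ACL")
    ingress = egress = "Internet"   # tunnel terminates on the same interface the exit uses
    # 2. Leaving on the interface you arrived on needs intra-interface permission.
    if not intra_interface:
        return ("drop", "intra-interface traffic denied")
    # 3. Dynamic NAT matches on the ingress interface, so a nat (Inside) rule is never hit.
    for (ifc, nat_id), nets in nat_rules.items():
        if ifc == ingress and any(src in n for n in nets):
            pat_ip = globals_.get((egress, nat_id))
            if pat_ip:
                return ("pat", pat_ip)
    return ("drop", "no translation group found")

if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(label, hairpin("10.2.18.5", "198.51.100.9", rules, GLOBALS, True, CRYPTO_ANY))
```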

I entered the nat (Internet) 10.2.18.0 255.255.255.0 statement and it didn't work to begin with but after a few minutes it started working.

I will confirm again by making sure that all NAT overload configuration is removed from the remote router and have them access the Internet.

Do I need any type of ACL for this?

Thanks a lot for your help.

No, no acl is needed.
