11-05-2007 03:10 PM - edited 03-09-2019 07:14 PM
I currently have an asa5520 configured to allow clients w/ a remote access vpn client to connect. once connected, they can surf the internet and the web pages are filtered through our internal filter. This is the desired effect.
My problem is that I need to build a Lan2lan vpn connection with an asa5505. The vpn connection is made and I have full network access - files / email / etc. The problem is when I surf the web on the PC that is connected to the 5505 goes straight out to the internet and not through the tunnel to our web filtering device. I'm assuming the problem is on the 5505 device. Please point me in the direction on how to force all traffic (once the VPN connection is established) on the 5505 to go through the tunnel to the 5520 device for web filtering.
11-06-2007 06:07 AM
You must define all traffic as interesting on the l2l tunnel. So you crypto acl on the headend 5520 would be like this (if 192.168.1.0/24 is remote network inside 5505)....
access-list crytpo extended permit ip any 192.168.1.0 255.255.255.0
and the 5505 would be...
access-list crypto extended permit ip 192.168.1.0 255.255.255.0 any
This will force all traffic from inside the 5505 over the tunnel.
11-06-2007 08:32 AM
Thanks. It was a Duh moment. I had those statements in the ASA's except that the 2nd statement had my internal network rather than "ANY" for the 5505. Didn't even dawn on me. Thanks again.
10-07-2008 11:59 PM
Hi,
Would the 'NONAT' statement need to be altered to match this as well?
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: