Internet via vpn link to the main office



I have a central ASA5510 + ASA5505s at two remote offices. I want the remote offices to have all traffic directed over the VPN link to the central ASA, which then handles internet and LAN traffic. I have a little trouble figuring out how this should be configured and routed.

Any help appreciated.

Ivan Martinon Wed, 01/28/2009 - 06:55

In a nutshell, you need to define this on each site:


Match address should be defined as permit ip to any

nonat acl should be same as above.

Central ASA:

Match address should be the mirror of the remote: permit ip any

nonat acl same as above.

NAT: you need to define NAT for the remote end leaving through this ASA

nat (outside) X

Make sure there is a matching global on the same outside interface.

Routing should be ok as long as your default route for the central points out.

You also need to enable the command "same-security-traffic permit intra-interface"

With this config in place you should be able to accomplish.
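The pieces named in the answer above, written out as an added example that is not part of the original reply. It uses the pre-8.3 `nat`/`global` syntax and covers one remote office; all addresses (central LAN 10.0.0.0/24, remote LAN 10.1.1.0/24, central peer 198.51.100.1, remote peer 203.0.113.10, next hop 198.51.100.254) and the ACL and crypto map names are assumptions, and the IKE policy, transform set and tunnel-group of a working site-to-site tunnel are assumed to exist already.

```cisco
! ===== Remote ASA 5505 (assumed LAN 10.1.1.0/24) =====
! Crypto ACL: everything from the local LAN goes into the tunnel
access-list VPN-TO-HQ extended permit ip 10.1.1.0 255.255.255.0 any
! NAT exemption: same entry, so nothing is translated before encryption
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
! Bind the crypto ACL to the existing crypto map entry (name assumed)
crypto map OUTSIDE-MAP 10 match address VPN-TO-HQ
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP interface outside

! ===== Central ASA 5510 (assumed LAN 10.0.0.0/24) =====
! Crypto ACL: exact mirror of the remote entry
access-list VPN-TO-REMOTE1 extended permit ip any 10.1.1.0 255.255.255.0
! NAT exemption for central LAN traffic heading to the remote LAN
access-list NONAT extended permit ip any 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map OUTSIDE-MAP 10 match address VPN-TO-REMOTE1
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP interface outside

! Translate remote-office traffic that arrives on outside (decrypted)
! and leaves again on outside toward the internet
nat (outside) 1 10.1.1.0 255.255.255.0
! Matching global on the same interface and NAT ID
global (outside) 1 interface

! Allow traffic to enter and leave the same interface (hairpin)
same-security-traffic permit intra-interface

! Default route of the central unit points out to the internet
route outside 0.0.0.0 0.0.0.0 198.51.100.254
```

Once the tunnel is up, `show crypto ipsec sa` on the remote unit should list the local identity as the remote LAN and the remote identity as 0.0.0.0/0.0.0.0. With this design the remote office has no internet path while the tunnel is down, and all of its outbound traffic is subject to the central ASA's policy.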

