Internet via vpn link to the main office

Ivan Martinon (Cisco Employee), Wed, 01/28/2009 - 06:55

In a nutshell, you need to define this on each site:


Match address should be defined as permit ip to any

nonat acl should be same as above.

Central ASA:

Match address should be the mirror of the remote: permit ip any

nonat acl same as above.

NAT: you need to define nat for the remote end leaving through this ASA

nat (outside) X

Make sure there is a matching global on the same outside interface.

Routing should be ok as long as your default route for the central points out.

You also need to enable the command "same-security-traffic permit intra-interface"

With this config in place you should be able to accomplish.
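The checklist in the post above, turned into a consistency check over both configurations. This is an added example, not part of the original post or Cisco's tooling. It assumes pre-8.3 ASA syntax (matching the 2009 date), and the 192.168.10.0/24 network, the ACL names and the crypto map name are constructed placeholders.

```python
import re

# Constructed sample configs in pre-8.3 ASA syntax (assumed from the 2009 post date).
# 192.168.10.0/24, the ACL names and the crypto map name are placeholders.
REMOTE = """\
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 any
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
crypto map MAP 10 match address VPN
"""
CENTRAL = """\
access-list VPN extended permit ip any 192.168.10.0 255.255.255.0
access-list NONAT extended permit ip any 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (outside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
same-security-traffic permit intra-interface
crypto map MAP 10 match address VPN
"""

ADDR = r"(any|host \S+|\d\S+ \d\S+)"
ACE = re.compile(rf"^access-list (\S+) extended permit ip {ADDR} {ADDR}$", re.M)

def aces(cfg, name):
    """Set of (source, destination) pairs in the named ACL."""
    return {(s, d) for n, s, d in ACE.findall(cfg) if n == name}

def acl_ref(cfg, pattern):
    """Name of the ACL referenced by the first line matching pattern, or None."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def check(remote, central):
    """Return deviations from the post's checklist (empty list = consistent)."""
    crypto = r"^crypto map \S+ \d+ match address (\S+)$"
    nonat = r"^nat \(\S+\) 0 access-list (\S+)$"
    r_vpn = aces(remote, acl_ref(remote, crypto))
    c_vpn = aces(central, acl_ref(central, crypto))
    problems = []
    if not r_vpn or any(d != "any" for _, d in r_vpn):
        problems.append("remote match address is not 'permit ip <net> any'")
    if c_vpn != {(d, s) for s, d in r_vpn}:
        problems.append("central match address is not the mirror of the remote")
    for site, cfg, vpn in (("remote", remote, r_vpn), ("central", central, c_vpn)):
        if aces(cfg, acl_ref(cfg, nonat)) != vpn:
            problems.append(f"{site} nonat ACL differs from its match address ACL")
    nat_ids = set(re.findall(r"^nat \(outside\) ([1-9]\d*) ", central, re.M))
    if not nat_ids or not nat_ids <= set(re.findall(r"^global \(outside\) (\d+) ", central, re.M)):
        problems.append("central nat (outside) has no matching global (outside)")
    if "same-security-traffic permit intra-interface" not in central.splitlines():
        problems.append("central is missing same-security-traffic permit intra-interface")
    return problems
```

Calling `check(REMOTE, CENTRAL)` returns an empty list for the sample pair; each deviation from the checklist adds one message.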

