VPN connection ( HQ share internet to Branch office)

rechard_hk · ‎12-15-2009

Dear All Expert,

Right now i have some issue for internet connection from Branch to HQ. let me tell you that:

i was configure VPN connection(by Lease Line connecion) from HQ to branch office and the branch office get internet connecion

from HQ( i mean that HQ to share internet to branch). but it does not work!!!!

Note: The branch office can ping to Lan HQ and ASA by VPN connection but the branch office cannot use internet!!!

Could you let me know how can i do on this issue or do you have any command on this?

Please see in the attach file!!!

Best Regards,

Rechard

Giuseppe Larosa · ‎12-16-2009

Hello Rechard,

you need to verify where NAT network address translation is performed, it is likely done on the ASA1 ( the one with the internet link).

ASA2 is the one that performs the VPN connection

The device that performs NAT needs:

to know how to reach the IP subnets of branch office to be able to send return traffic.

This by any means, a static route or by taking part into a dynamic routing protocol.

ASA1 needs to know that it has send traffic for IP subnets of branch office to ASA2

to be configured to translate IP addresses of IP subnets of branch office as it is already doing for HQ IP subnet(s).

This requires to extend an ACL on ASA1 the one already used to translate HQ addresses

Hope to help

Giuseppe

rechard_hk · ‎12-16-2009

Dear Giuseppe,

Thanks you for your help me!!!

now i'm not clear abou this!!!

could you help me to verify configuretion as in the attach file.

Best Regards,

Rechard

Giuseppe Larosa · ‎12-18-2009

Hello Rechard,

the ASA HQ that handles the internet connection needs to know how to reach net 40.40.40.0/24 and has to be configured to NAT it.

ASA_HQ:

add

route inside 40.40.40.0 255.255.255.0 192.168.1.2

and NAT configuration

global (outside) 1 interface

nat (inside) 0 0.0.0.0 0.0.0.0

should be fine

as you can see in this example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094767.shtml#configse1

currently ASA HQ has no route for branch site net 40.40.40.0/24

Hope to help

Giuseppe

rechard_hk · ‎12-21-2009

Dear Giuseppe,

Thanks you for your support!!!

i was add route side that you told me but it still the problem.

Do you have any command on this?

Best Regards,

Norung

rechard_hk · ‎12-21-2009

Dear Giuseppe,

Thanks you for your help!!!

I was add route inside on ASA HQ already but it still the problem( i mean the branch cannot access internet)

How about the branch configuretion, we need to add something or not?

Best Regards,

rechard

Giuseppe Larosa · ‎12-22-2009

Hello Norung or Rechard,

you may be right that there is something else to change in branch office.

you have currently setup an IPSec tunnel but it is used only for traffic between sites

ip access-list extended LinktoHQ
permit ip 40.40.40.0 0.0.0.255 20.20.20.0 0.0.0.255
permit ip 40.40.40.0 0.0.0.255 10.10.10.0 0.0.0.255

and you have on your branch router a default route pointing to ASA2 ip address

ip route 0.0.0.0 0.0.0.0 30.30.30.1

and on ASA2, the one that connects to remote branch:

access-list branchoffice extended permit ip 20.20.20.0 255.255.255.0 40.40.40.0 255.255.255.0
access-list branchoffice extended permit ip 10.10.10.0 255.255.255.0 40.40.40.0 255.255.255.0

IP traffic coming from the branch with an internet destination is sent in clear on the link between ASA2 and branch router.

But this is not a problem for routing.

Probably the problem is still in ASA1 the one connected to the internet.

Try to access the internet from an ip address in 40.40.40.x.

on ASA 1 the one connected to the internet use:

sh xlate | inc 40.40.40.x

this is to check that NAT is working on ASA1 for ip addresses of branch office

if you don't see any entry, you need to verify IP connectivity from net 40.40.40/24 to ASA1 inside.

on ASA1 tries ping 40.40.40.x

Hope to help

Giuseppe