VPN non-standard configuration


Hello everybody,
I have to set up a non-standard configuration with a Cisco ASA 5510.
First of all I have to build a LAN-to-LAN VPN, and there is no problem with this:

LAN Inside --> Cisco ASA --> Router ISP1 --> VPN L2L (10.10.10.x)

But at the same time the client also wants all Internet traffic to go to another ISP router, and this second router is on the LAN Inside:

LAN Inside --> Cisco ASA --> Router ISP2 (192.168.0.253) --> Internet traffic.

How can I set up this config?
I tried the following static routes:

route inside 0.0.0.0 0.0.0.0 192.168.0.253
route outside 10.10.10.0 255.255.255.0 217.269.x.y

but it does not work, due to a NAT malfunction.

Any other ideas?

Thank you in advance

Diego Armando C... Mon, 07/05/2010 - 14:36

Static (inside,inside) Network192.168.0.    Network192.168.0.

ASA(config)# same-security-traffic permit intra-interface

We have to do an identity NAT. We are going to NAT our network on the inside to the same IP range when going to the inside as well.

Maybe this U-turn will help.

Let me know.

Diego Armando C... Fri, 07/16/2010 - 08:15

OK.

For me it is easier to change the default gateway to the hop inside your LAN (the ISP router or whatever you have on the inside). In that device, set the default gateway to the Internet. And tell this device that anything going to the remote LAN (the VPN peer) must be sent to the ASA, so the ASA will be able to provide communication with the remote LAN.

I hope it helps.

Correct Answer
Diego Armando C... Fri, 07/16/2010 - 08:17

For me it is easier to change the default gateway ON THE COMPUTERS to the hop inside your LAN (the ISP router or whatever you have on the inside). In that device (ISP router or whatever you have), set the default gateway to the Internet. And tell this device that anything going to the remote LAN (the VPN peer) must be sent to the ASA, so the ASA will be able to provide communication with the remote LAN through the VPN.
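
An added illustration, not written by any poster in this thread: a small Python model of the two routing designs discussed here, tracing where LAN traffic goes and which device has to forward a packet back onto the LAN it arrived on (the U-turn that `same-security-traffic permit intra-interface` is meant to allow on the ASA). The ASA inside address 192.168.0.1, the /24 inside mask and the two destination addresses are assumptions; only 192.168.0.253 and 10.10.10.x come from the thread.

```python
import ipaddress

# From the thread: ISP2 router 192.168.0.253, remote LAN 10.10.10.0/24.
# Assumed (not in the thread): ASA inside address and a /24 inside LAN.
ASA, ISP2, LAN = "192.168.0.1", "192.168.0.253", "192.168.0.0/24"
EXITS = {"direct", "tunnel", "internet"}  # terminal hops that end a trace

# Design A: the accepted answer. Hosts default to the ISP2 router, which
# holds a static route for the remote LAN pointing at the ASA.
ACCEPTED = {
    "host": [(LAN, "direct"), ("0.0.0.0/0", ISP2)],
    ISP2: [(LAN, "direct"), ("10.10.10.0/24", ASA), ("0.0.0.0/0", "internet")],
    ASA: [(LAN, "direct"), ("10.10.10.0/24", "tunnel")],
}
# Design B: the question's attempt. Hosts default to the ASA, whose default
# route points back into the inside LAN at the ISP2 router.
ATTEMPT = {
    "host": [(LAN, "direct"), ("0.0.0.0/0", ASA)],
    ASA: [(LAN, "direct"), ("10.10.10.0/24", "tunnel"), ("0.0.0.0/0", ISP2)],
    ISP2: [(LAN, "direct"), ("0.0.0.0/0", "internet")],
}

def next_hop(table, dst):
    """Longest-prefix match over one device's (prefix, next hop) list."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else "no-route"

def trace(design, dst, max_hops=8):
    """Follow next hops from a LAN host until the packet leaves the LAN."""
    path = ["host"]
    while len(path) <= max_hops:
        hop = next_hop(design[path[-1]], dst)
        path.append(hop)
        if hop in EXITS or hop == "no-route":
            return path
    return path + ["loop"]

def hairpins(path):
    """Devices that take a packet from the LAN and forward it back onto the LAN."""
    return path[1:-2]

if __name__ == "__main__":
    for name, design in (("accepted", ACCEPTED), ("attempt", ATTEMPT)):
        for dst in ("10.10.10.20", "198.51.100.7"):  # constructed destinations
            p = trace(design, dst)
            print(name, dst, " -> ".join(p), "hairpin:", hairpins(p))
```

In this model the accepted design moves the U-turn to the ISP2 router and only for VPN-bound traffic, while the original attempt makes the ASA hairpin every Internet-bound packet on its inside interface.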

kushtrim-berisha Mon, 07/19/2010 - 02:39

Hi there,

If you don't have a problem communicating with the VPNs through ISP1, then after you have configured the route you should just configure these steps:

global (outside) 1 217.269.x.y or interface

nat (inside) 1 0.0.0.0 0.0.0.0 (or you can specify the IPs which can go out through this port)

Hope it is helpful.

Regards.
