VPN site to site ( HQ share internet to Branch)?

rechard_hk
Level 1

Dear All,

Now I have a site-to-site VPN, and at both sites I use an ASA 5505 for the VPN. At HQ I have an ISA for Internet.

So now from HQ to Branch it is working (I mean HQ can access the branch), but the Internet cannot be used.

If the branch wants to use the Internet, we can set a proxy in Internet Explorer (IE) and point the proxy to the ISA, so the branch can access the Internet!!!

But I don't want to use a proxy on my clients (Branch). How can I do this on the ASA 5505?

Note: the connection from HQ to Branch is a bridge only (without Internet).

Best Regards,

Rechard

8 Replies

Hi Rechard,

Is there a route from the HQ internet router back to the branch network, via the ASA vpn tunnel?

Regards, Ash.

Jennifer Halim
Cisco Employee

I am assuming that you have a site-to-site VPN between HQ and the Branch office, right?

If that is correct, you can configure NAT on the branch office for traffic to the Internet.

Please share the config from the branch office ASA, and we can help you out with that.

Dear Jennifer,

This is my configuration!!!

Please see the attached file!!!

Note: on all clients I set the gateway to the ISA's IP address.

Best regards,

Rechard

Based on the configuration, I believe that you have a site-to-site VPN between HQ and Branch.

Where is your Internet connection supposed to go through at the branch? How are HQ and Branch connected? Via the Internet, via MPLS, or via an internal WAN?

From the config, the Branch default gateway is 10.189.133.10 (a private IP address), so to browse the Internet, another device must be doing NAT/PAT to a public IP address. Who will be performing this if you don't point the PC to use the ISA as the proxy?

You would need to find out how the branch is connected to the Internet.

Dear Jennifer and Shijomon,

Thank you for your assistance!!!

I would like to answer Jennifer's questions as below:

1- Where is your Internet connection supposed to go through at the branch?

A- My Internet has another link that connects to the ISA, and the ISA connects to the LAN switch.

2- How are HQ and Branch connected? Via the Internet, via MPLS, or via an internal WAN?

A- From HQ to Branch is connected by a bridge connection (without Internet connection); the ISP gave me private IP addresses!!! To bring the connection they use ADSL (so after I configured the VPN, my branch can access HQ by the WAN private IP address).

3- Who will be performing this if you don't point the PC to use the ISA as the proxy?

A- I point to the ISA, but I don't want to use a proxy. I just want to route on the ISA!!!

Note: for clients at HQ, the ISA's IP is the client gateway, and if a client at HQ wants to connect to the branch they need to pass through the ISA, and the ISA connects to the HQ ASA and goes to the branch!!!

Anyway, I would like to answer Shijomon's question as below:

You told me to remove the outside ACL, so why do we need to remove the outside ACL?

Thank you again for helping me!!!

Best Regards,

Rechard

Dear All,

Do you have any update?

Best Regards,

Rechard

OK, I think I understand your topology a little bit better now.

Can you please confirm the following to double confirm my understanding:

1) VPN tunnel between the HQ and Branch is purely so Branch office can access HQ LAN.

2) Internet connection is via ISA server and ISA is connected to HQ LAN.

3) HQ ASA is only used to terminate the VPN tunnel; it is not the default gateway for Internet traffic.

If the above 3 points are my correct understanding, here is what needs to be changed and all Internet traffic will also be encrypted towards HQ from Branch office:

On Branch ASA:

1) Branch-VPN ACL needs to change to the following:

access-list Branch-VPN extended permit ip 192.168.102.0 255.255.255.0 any

2) NAT exemption ACL needs to change to the following:

access-list 102 extended permit ip 192.168.102.0 255.255.255.0 any

On HQ ASA:

1) branch2 ACL needs to change to the following:

access-list branch2 extended permit ip any 192.168.102.0 255.255.255.0

2) NAT exemption ACL needs to include the following:

access-list 170 extended permit ip any 192.168.102.0 255.255.255.0

3) Tunnel default gateway towards the inside next hop router:

route inside 0.0.0.0 0.0.0.0 192.168.100.x tunneled

On ISA:

1) Would need to configure NAT for the branch office LAN subnet so it can route to the Internet.

2) Assuming that ISA already knows to route branch office subnet towards the HQ ASA inside interface.

Hope that makes sense.
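The change above widens both crypto ACLs and both NAT-exemption ACLs to "any", and the tunnel only comes up if the Branch and HQ crypto ACLs stay exact mirrors of each other and every tunneled flow is also NAT-exempted. The following script is an added consistency check (not from this thread or from Cisco) that parses the proposed ACL lines and verifies those two conditions; the ACL names and the sample config text are taken from the reply above, everything else is constructed.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Ace = Tuple[Net, Net]  # (source, destination) of one "permit ip" entry

# Constructed sample input: the ACLs proposed in the reply above for both ASAs.
BRANCH_CONFIG = """
access-list Branch-VPN extended permit ip 192.168.102.0 255.255.255.0 any
access-list 102 extended permit ip 192.168.102.0 255.255.255.0 any
"""
HQ_CONFIG = """
access-list branch2 extended permit ip any 192.168.102.0 255.255.255.0
access-list 170 extended permit ip any 192.168.102.0 255.255.255.0
"""
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
                    r"(any|\S+\s+\S+)\s+(any|\S+\s+\S+)$")

def _net(token: str) -> Net:
    """'any' or 'address netmask' (ASA dotted-mask syntax) -> IPv4Network."""
    if token == "any":
        return Net("0.0.0.0/0")
    addr, mask = token.split()
    return Net(f"{addr}/{mask}", strict=False)

def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Collect the 'permit ip' entries of each ACL; other lines are ignored."""
    acls: Dict[str, List[Ace]] = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append((_net(m.group(2)), _net(m.group(3))))
    return acls

def mirrored(local: List[Ace], remote: List[Ace]) -> bool:
    """Crypto ACLs must be exact mirrors, or the proxy identities will not match."""
    return sorted(local) == sorted((dst, src) for src, dst in remote)

def exempt_covers(crypto: List[Ace], exempt: List[Ace]) -> bool:
    """Every flow the crypto ACL selects must also be covered by NAT exemption."""
    return all(any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)
               for s, d in crypto)

def check_tunnel(branch_cfg: str, hq_cfg: str) -> Dict[str, bool]:
    """Run the three consistency checks over the Branch and HQ ACLs."""
    b, h = parse_acls(branch_cfg), parse_acls(hq_cfg)
    return {"mirrored": mirrored(b["Branch-VPN"], h["branch2"]),
            "branch_exempt_ok": exempt_covers(b["Branch-VPN"], b["102"]),
            "hq_exempt_ok": exempt_covers(h["branch2"], h["170"])}
```

Run `check_tunnel` against the real ACL lines from `show running-config` before applying the change on the second ASA: a False in "mirrored" is the usual reason a tunnel stops negotiating after only one side has been widened to "any".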

shijomon scaria
Level 1

Hi Richard,

Remove that ACL 'Outside' from the outside interface of branch ASA and try.

Regards,

Shijo.
