Internet via VPN tunnel through ASA, breakout via Cisco 877

Unanswered Question
Mar 31st, 2012

I've set up a VPN tunnel between an ASA and a Cisco 877, and both internal networks can communicate.

I want to be able to access the Internet via the remote site where the 877 is located.

From my understanding the 877 needs to be able to do hairpinning, but I am not able to find the same command used on the ASA to do hairpinning.

Any thoughts would be appreciated.


Site A: ACL - ASA

LAN: 192.168.3.0


**************************************************************************************

Crypto Map ACL

access-list acl_to_siteb extended permit ip 192.168.3.0 255.255.255.0 any

access-list nonat extended permit ip 192.168.3.0 255.255.255.0 any

**************************************************************************************


Site B: ACL - 877

LAN: 192.168.10.0


**************************************************************************************

Crypto Map ACL

access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 100 permit ip any 192.168.3.0 0.0.0.255

**************************************************************************************


access-list 110 deny   ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 110 permit ip 192.168.10.0 0.0.0.255 any

access-list 110 permit ip 192.168.12.0 0.0.0.255 any

access-list 110 permit ip 192.168.3.0 0.0.0.255 any

route-map nonat permit 10

match ip address 110


ip nat inside source route-map nonat interface Dialer0 overload
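To check which flows the 877 would translate versus encrypt under the ACLs quoted above, here is an added Python model (not the poster's configuration or any Cisco code) of IOS first-match wildcard ACL evaluation and the route-map NAT decision. It assumes IOS's inside-to-outside order of operations (NAT before the crypto map ACL is evaluated); the Dialer0 address and the sample flows are constructed placeholders.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # IOS 'any' as base/wildcard pair
DIALER0_IP = "203.0.113.1"             # constructed placeholder public address

# ACL entries transcribed from the Site B (877) configuration in the question:
# (action, src, src_wildcard, dst, dst_wildcard).
CRYPTO_ACL_100 = [
    ("permit", "192.168.10.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
    ("permit", *ANY, "192.168.3.0", "0.0.0.255"),
]
NAT_ACL_110 = [
    ("deny",   "192.168.10.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
    ("permit", "192.168.10.0", "0.0.0.255", *ANY),
    ("permit", "192.168.12.0", "0.0.0.255", *ANY),
    ("permit", "192.168.3.0",  "0.0.0.255", *ANY),
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def acl_action(acl, src, dst):
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    for action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"

def classify(src, dst, ingress):
    """Model the 877's handling of one flow leaving via Dialer0.
    'ip nat inside source' only translates packets that entered on an 'ip nat inside'
    interface, and translation happens before the crypto map ACL is evaluated."""
    nat = ingress == "inside" and acl_action(NAT_ACL_110, src, dst) == "permit"
    src_on_wire = DIALER0_IP if nat else src
    encrypt = acl_action(CRYPTO_ACL_100, src_on_wire, dst) == "permit"
    return {"nat": nat, "encrypt": encrypt, "src_on_wire": src_on_wire}

if __name__ == "__main__":
    # Constructed flows: Site B LAN to Site A, Site B LAN to the Internet,
    # and a Site A host arriving through the tunnel (i.e. on the outside interface).
    for flow in [("192.168.10.5", "192.168.3.2", "inside"),
                 ("192.168.10.5", "198.51.100.10", "inside"),
                 ("192.168.3.2", "198.51.100.10", "outside")]:
        print(flow, classify(*flow))
```

The third flow is the hairpin case from the question: ACL 110 would permit 192.168.3.0/24, but the packet never entered an inside interface, so the inside-source route-map is not consulted and the private source address is what reaches Dialer0.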

John Peterson Sun, 04/01/2012 - 01:03

I was thinking it was something to do with the NAT, as the NATting was only taking place from the inside. I therefore added a NAT command, as the traffic is coming from the outside:

ip nat pool ip 1.1.1.1 1.1.1.1 netmask 255.255.255.252

ip nat outside source list 5 pool ip

Now when I do a show ip nat translations I get the output below, which shows that the 877 can see the packet from the outside but is not NATting it back out.



Router1#show ip nat translations | include 192.168.3.2

--- ---                ---                1.1.1.1        192.168.3.2

Manouchehr Sun, 04/01/2012 - 04:05

If you are setting up a site-to-site VPN, you have two options to use the remote site's Internet:

1: proxy

2: Easy VPN

HTH

John Peterson Sun, 04/01/2012 - 05:39

Are those the two options when using a router, as hairpinning is not supported on a router? Because it is much easier when you have a site-to-site with two ASAs and have the Internet pass through the tunnel.
