
Internet via VPN tunnel through ASA, breakout via Cisco 877

John Peterson
Level 1

I've set up a VPN tunnel between an ASA and a Cisco 877; both internal networks can communicate.

I want to be able to access the Internet via the remote site where the 877 is located.

From my understanding, the 877 needs to be able to do hairpinning, but I am not able to find the same cmd used on the ASA to do hairpinning.

Any thoughts would be appreciated.

Site A: ACL - ASA

LAN: 192.168.3.0

**************************************************************************************

Crypto Map ACL

access-list acl_to_siteb extended permit ip 192.168.3.0 255.255.255.0 any

access-list nonat extended permit ip 192.168.3.0 255.255.255.0 any

**************************************************************************************

Site B: ACL - 877

LAN: 192.168.10.0

**************************************************************************************

Crypto Map ACL

access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 100 permit ip any 192.168.3.0 0.0.0.255

**************************************************************************************

access-list 110 deny   ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 110 permit ip 192.168.10.0 0.0.0.255 any

access-list 110 permit ip 192.168.12.0 0.0.0.255 any

access-list 110 permit ip 192.168.3.0 0.0.0.255 any

route-map nonat permit 10

match ip address 110

ip nat inside source route-map nonat interface Dialer0 overload

3 Replies

John Peterson
Level 1

I was thinking it was something to do with the NAT, as the natting was only taking place from the inside. I therefore added a NAT cmd:

ip nat pool ip 1.1.1.1 1.1.1.1 netmask 255.255.255.252

ip nat outside source list 5 pool ip

As the traffic is coming from the outside. Now when I do a show ip nat translations, I get the below output, which shows that the 877 can see the packet from the outside but is not natting it back out.

Router1#show ip nat translations | include 192.168.3.2

--- ---                ---                1.1.1.1        192.168.3.2

Manouchehr
Level 1

If you are setting up a site-to-site VPN, you have two options to use the remote site's Internet:

1: proxy

2: Easy VPN

HTH

John Peterson
Level 1

Are those the two options when using a router, as hairpinning is not supported on a router? Because it is much easier when you have a site-to-site with two ASAs and have the Internet pass through the tunnel.
