Site-to-Site IPsec VPN with Internet Access

I have two sites (Site 1 and Site 2) which are connected via VPN using ASAs with software version 8.4(2).

Attached are the configuration files for both ASAs.

Now I need to grant users behind Site 2 access to the internet as well as to the servers in Site 1 via the VPN. For that I make the following changes to the ASA on Site 2:

access-list inside extended permit icmp any any
access-list inside extended permit ip any any
access-list outside extended permit icmp any any
access-list outside extended permit ip any any
object network obj-server
 host 192.168.67.17
 nat (inside,outside) static 2.2.2.3

As soon as I add the above statements I am able to ping hosts on the internet, but I lose the ability to ping the servers in Site 1. Can someone help me in this regard?

Thanks

Jeff

thomas.busse
Level 1

Hi Jeff,

you need to add a NAT exemption for your VPN traffic; otherwise all your traffic directed to the outside is NATed to 2.2.2.3.

Try to add the following:

! local Site 2 subnet
object network obj-192.168.67.0
 subnet 192.168.67.0 255.255.255.0
! remote Site 1 subnet (corrected: the original read 192.168.67.0, duplicating the local object)
object network obj-192.168.16.0
 subnet 192.168.16.0 255.255.255.0
! identity (twice) NAT: Site 2 -> Site 1 traffic keeps its real source and is evaluated before the object NAT
nat (any,outside) source static obj-192.168.67.0 obj-192.168.67.0 destination static obj-192.168.16.0 obj-192.168.16.0

Greetings,

Thomas
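As an added illustration, not part of the original thread, the following Python model of ASA 8.4 NAT ordering shows why the object (auto) NAT alone pulls Site 1 traffic out of the tunnel and why the identity twice-NAT rule restores it. It assumes Site 1 uses 192.168.16.0/24 (as the object name in the reply suggests) and that the crypto ACL selects 192.168.67.0/24 to 192.168.16.0/24; the addressing and rule functions are constructed for the demonstration.

```python
import ipaddress

# Constructed model of ASA 8.4 NAT rule ordering and its effect on VPN traffic.
# Assumed addressing (from the thread): Site 2 inside 192.168.67.0/24 with the
# server at 192.168.67.17, Site 1 inside 192.168.16.0/24, public IP 2.2.2.3.
SITE2 = ipaddress.ip_network("192.168.67.0/24")
SITE1 = ipaddress.ip_network("192.168.16.0/24")
SERVER = ipaddress.ip_address("192.168.67.17")
PUBLIC = ipaddress.ip_address("2.2.2.3")


def auto_nat_obj_server(src, dst):
    """Section 2 (object/auto NAT): 'nat (inside,outside) static 2.2.2.3'."""
    return PUBLIC if src == SERVER else None


def vpn_exemption(src, dst):
    """Section 1 (manual/twice NAT): identity translation for Site 2 -> Site 1."""
    return src if src in SITE2 and dst in SITE1 else None


# NAT table as (section, rule) pairs. The ASA evaluates all section 1 rules
# before any section 2 rule, regardless of the order they were entered.
WITHOUT_EXEMPTION = [(2, auto_nat_obj_server)]
WITH_EXEMPTION = [(1, vpn_exemption), (2, auto_nat_obj_server)]


def translate_source(nat_table, src, dst):
    """Return the post-NAT source: first matching rule, section 1 first."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for section in (1, 2):
        for rule_section, rule in nat_table:
            if rule_section == section:
                translated = rule(src, dst)
                if translated is not None:
                    return translated
    return src  # no rule matched: source left untranslated


def egress_path(nat_table, src, dst):
    """NAT runs before the crypto map is consulted, so the crypto ACL
    (Site 2 subnet -> Site 1 subnet) is matched against the post-NAT source.
    Returns ('vpn'|'internet', post-NAT source as a string)."""
    post_nat_src = translate_source(nat_table, src, dst)
    dst = ipaddress.ip_address(dst)
    if post_nat_src in SITE2 and dst in SITE1:
        return "vpn", str(post_nat_src)
    return "internet", str(post_nat_src)


if __name__ == "__main__":
    for name, table in (("without exemption", WITHOUT_EXEMPTION), ("with exemption", WITH_EXEMPTION)):
        print(name, egress_path(table, SERVER, "192.168.16.10"), egress_path(table, SERVER, "198.51.100.1"))
```

Without the exemption the server's packets to Site 1 leave with source 2.2.2.3, no longer match the crypto ACL and go out in the clear; with it they keep 192.168.67.17 and enter the tunnel, while internet-bound traffic is still translated.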
