New Member

tunnel traffic to Internet over site-to-site vpn

I have a remote site that connects to our corporate network through a site-to-site vpn connection. I can access all networks from the remote site to the corporate site with no issues. However I cannot access the Internet from the remote site. Our Internet connection is on the same ASA 5520 as the VPN connection. Any help on this issue would be appreciated.

1 ACCEPTED SOLUTION

Green

Re: tunnel traffic to Internet over site-to-site vpn

No, no acl is needed.

14 REPLIES
Green

Re: tunnel traffic to Internet over site-to-site vpn

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

This configuration is for a remote access vpn but it is the same for a L2L tunnel. Just make sure to tunnel all traffic then...

same-security-traffic permit intra-interface

global (outside) 1 x.x.x.x

nat (outside) 1

New Member

Re: tunnel traffic to Internet over site-to-site vpn

How would this work if I have a nonat ACL from internal networks to the remote network?

Green

Re: tunnel traffic to Internet over site-to-site vpn

It will work just fine. The local and remote networks will communicate with NAT exemption. When the remote network requests something on the Internet, they will be tunneled over the VPN and will be PAT'd on the outside interface of the local ASA.

New Member

Re: tunnel traffic to Internet over site-to-site vpn

Will I have to modify my crypto ACL to allow local network to any and on the ASA any to the remote local network?

Green

Re: tunnel traffic to Internet over site-to-site vpn

Yes, because all traffic will need to be tunneled from the remote network to access the local lan and the internet.

Local ASA - Any to

Remote ASA - to Any

New Member

Re: tunnel traffic to Internet over site-to-site vpn

Forgive me for being cautious. Last week I was working on this with a TAC engineer when the engineer brought down our Internet access. I'm not sure what happened, but I got into a lot of trouble from management.

OK my last stupid question: When I change the ACL to any the tunnel is dropped and I can't communicate with the remote site. How can I get the VPN to come back up with the new ACL addition?

New Member

Re: tunnel traffic to Internet over site-to-site vpn

I added all configurations as suggested, but it does not work for me. How can I troubleshoot? Please HELP!!!

global (Internet) 2 x.x.x.20 netmask 255.255.255.192 <-- PAT Interface

nat (Inside) 2 x.x.x.x 255.255.255.0 <-- remote network ip range

I have all ACLs with the proper network-to-any or any-to-network statements, and my tunnel is up.

Green

Re: tunnel traffic to Internet over site-to-site vpn

Glad to hear the tunnel is back up.

same-security-traffic permit intra-interface

no nat (Inside) 2 x.x.x.x 255.255.255.0

nat (Internet) 2 x.x.x.x 255.255.255.0

New Member

Re: tunnel traffic to Internet over site-to-site vpn

Just to clarify, if this is my current network.

global (Internet) 2 netmask 255.255.255.192 <-- PAT Interface

nat (Inside) 2 10.2.18.0 255.255.255.0 <-- remote network ip range

Then your config change should be?

no nat (Inside) 2 10.2.18.0 255.255.255.0

nat (Internet) 2 ???.???.??? 255.255.255.0

What IP should the question marks be? (public)

How confident that this change will not affect my Internet connection? Or if a public IP goes where the question marks are then can I use another public IP for PAT?

Green

Re: tunnel traffic to Internet over site-to-site vpn

Tim,

Sorry if I have caused confusion. I took your statements above to mean that...

10.2.18.0/24 is the remote network located at the other end of the tunnel? And that this is the network which you want to allow internet access to from your local ASA?

Is this correct?

If so, your existing nat (inside) 2 10.2.18.0 statement is doing nothing. You will need to nat these clients on the outside interface like so...

nat (Internet) 2 10.2.18.0 255.255.255.0

Maybe it would be better if you could post a config from the main ASA and let us know what the remote network is. Clean passwords/public IPs etc.

New Member

Re: tunnel traffic to Internet over site-to-site vpn

The whole config would take very many pages. I am including the specific config that is for the remote network as it is now without any new changes you suggested. I hope this will shed some light on my config for the remote site.

global (Internet) 1 xx.xxx.xx.10 netmask 255.255.255.192

global (Internet) 2 xx.xxx.xx.20 netmask 255.255.255.192 <-PAT Interface

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 2 10.2.16.0 255.255.255.0

nat (Inside) 2 10.2.17.0 255.255.255.0

nat (Inside) 2 10.2.18.0 255.255.255.0 <--remote network

route Internet 10.2.18.0 255.255.255.0 xx.xxx.xxx.41 1 <--this is the route pointing to the public ip of the remote site.

access-list Inside_nat0_outbound extended permit ip any 10.2.18.0 255.255.255.0 <--this ACL is very large so I'm only including the remote network.

<--I'm not including the crypto map or tunnel group info-->

access-list Internet_cryptomap_160 extended permit ip any 10.2.18.0 255.255.255.0

Green

Re: tunnel traffic to Internet over site-to-site vpn

Okay. Take a look at the document I posted above. You will notice the following lines...

global (outside) 1 172.18.124.166

nat (outside) 1 192.168.10.0 255.255.255.0

In that example 192.168.10.0 255.255.255.0 is the remote network.

In your case it would look like this...

global (Internet) 2 xx.xxx.xx.20 netmask 255.255.255.192

nat (Internet) 2 10.2.18.0 255.255.255.0

Also, you should not need the route statement you posted above. But I guess if it's not broke, don't fix it.
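The thread above boils down to four things that must all be present on the local ASA for a remote L2L network to reach the Internet through the tunnel (hairpin / "u-turn"): `same-security-traffic permit intra-interface`, a `global` on the outside interface, a `nat (outside) <id>` entry for the remote network that shares that id, and a crypto ACL that carries `any` to the remote network, with NAT exemption still covering local-to-remote traffic. The script below is an added example written for this page, not code from the thread or from Cisco; it lints a pre-8.3 ASA config text for exactly those pieces. The sample configs, the interface names `Internet`/`Inside`, the NAT id 2 and the 203.0.113.x addresses are constructed assumptions, as is the crypto ACL name passed in (the thread's snippet does not show the crypto map binding, so the ACL name is a parameter).

```python
"""Lint a pre-8.3 Cisco ASA config for the pieces needed to hairpin a remote
site-to-site network out to the Internet on the local ASA. Added example;
sample configs and names below are constructed, not taken from a real device."""
import re
from typing import Dict, List, Tuple

# Constructed "good" config: every requirement from the thread is present.
GOOD_CONFIG = """
same-security-traffic permit intra-interface
global (Internet) 1 203.0.113.10 netmask 255.255.255.192
global (Internet) 2 203.0.113.20 netmask 255.255.255.192
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 2 10.2.16.0 255.255.255.0
nat (Inside) 2 10.2.17.0 255.255.255.0
nat (Internet) 2 10.2.18.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 10.2.18.0 255.255.255.0
access-list Internet_cryptomap_160 extended permit ip any 10.2.18.0 255.255.255.0
"""

# Constructed "before" config: the shape the original poster started from
# (remote network NATed on the inside interface, no intra-interface permit,
# crypto ACL scoped to one local subnet instead of any).
BROKEN_CONFIG = """
global (Internet) 2 203.0.113.20 netmask 255.255.255.192
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 2 10.2.18.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 10.2.18.0 255.255.255.0
access-list Internet_cryptomap_160 extended permit ip 10.2.16.0 255.255.255.0 10.2.18.0 255.255.255.0
"""


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Read one ACL address spec at tokens[i]; return (normalised spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"{tokens[i + 1]} 255.255.255.255", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_config(text: str) -> Dict:
    """Pull out the statements the hairpin check cares about (pre-8.3 syntax)."""
    cfg: Dict = {"intra_interface": False, "globals": [], "nats": [], "nat0": {}, "acls": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "same-security-traffic permit intra-interface":
            cfg["intra_interface"] = True
        elif m := re.match(r"global \((\S+)\) (\d+) (\S+)", line):
            cfg["globals"].append((m[1], int(m[2]), m[3]))          # (iface, id, addr)
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):  # must precede generic nat
            cfg["nat0"][m[1]] = m[2]                                   # iface -> exemption ACL
        elif m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line):
            cfg["nats"].append((m[1], int(m[2]), f"{m[3]} {m[4]}"))  # (iface, id, "net mask")
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)", line):
            tokens = m[2].split()
            src, i = _take_addr(tokens, 0)
            dst, _ = _take_addr(tokens, i)
            cfg["acls"].setdefault(m[1], []).append((src, dst))
    return cfg


def check_hairpin(cfg: Dict, outside: str, inside: str, remote: str, crypto_acl: str) -> List[str]:
    """Return findings; an empty list means the config matches the thread's recipe."""
    findings: List[str] = []
    if not cfg["intra_interface"]:
        findings.append("missing: same-security-traffic permit intra-interface")
    # The remote network must be NATed as it leaves the outside interface again.
    outside_ids = [nid for iface, nid, net in cfg["nats"] if iface == outside and net == remote]
    if not outside_ids:
        findings.append(f"missing: nat ({outside}) <id> {remote}")
    global_ids = {nid for iface, nid, _ in cfg["globals"] if iface == outside}
    for nid in outside_ids:
        if nid not in global_ids:
            findings.append(f"nat ({outside}) {nid} has no matching global ({outside}) {nid}")
    # A nat (inside) entry for the remote network never matches: that traffic
    # arrives on the outside interface, not the inside one.
    for iface, nid, net in cfg["nats"]:
        if iface == inside and net == remote:
            findings.append(f"ineffective: nat ({inside}) {nid} {remote}")
    # Crypto ACL must carry everything (any) toward the remote network.
    if ("any", remote) not in cfg["acls"].get(crypto_acl, []):
        findings.append(f"crypto ACL {crypto_acl} lacks: permit ip any {remote}")
    # Local <-> remote traffic still relies on NAT exemption.
    acl0 = cfg["nat0"].get(inside)
    if acl0 is None or not any(dst == remote for _, dst in cfg["acls"].get(acl0, [])):
        findings.append(f"no nat exemption on {inside} for traffic to {remote}")
    return findings


def lint(text: str) -> List[str]:
    """Convenience wrapper using the constructed names from this example."""
    return check_hairpin(parse_config(text), "Internet", "Inside",
                         "10.2.18.0 255.255.255.0", "Internet_cryptomap_160")


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, "->", lint(text) or "OK")
```

Run it against a `show running-config` capture (pasted into a string) with your own interface names, remote network and crypto ACL name; each finding maps to one of the statements suggested in the thread, and the "ineffective" finding is the `nat (Inside) 2 10.2.18.0` line that Green pointed out does nothing.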

New Member

Re: tunnel traffic to Internet over site-to-site vpn

I entered the nat (Internet) 10.2.18.0 255.255.255.0 statement and it didn't work to begin with but after a few minutes it started working.

I will confirm again by making sure that all NAT overload configuration is removed from the remote router and have them access the Internet.

Do I need any type of ACL for this?

Thanks a lot for your help.
