Cisco Support Community

New Member

HOW TO ACCESS INTERNET FROM LAN-to-LAN VPN

I have a LAN-to-LAN VPN and the VPNs are working correctly. I have access from LAN to LAN, but I can't access the Internet from the VPN peers.

I added

nat (outside) 1 access-list VPN-NAT

access-list VPN-NAT extended permit ip 10.0.0.0 255.0.0.0 any

and I can get to the Internet - OK,

but after that I don't have access between the LANs, because

I NAT all traffic.

I can't add:

access-list VPN-NAT extended deny ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0

because DENY is not permitted in NAT.

Anyone know how to solve this tricky problem?

THX

Laptom

7 REPLIES

Re: HOW TO ACCESS INTERNET FROM LAN-to-LAN VPN

Hello,

You need to do the following:

1) Restrict the VPN-NAT ACL (for IPsec) to the particular source and destination subnets; do not use "any" here, e.g.

access-list VPN-NAT extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0

where 172.16.0.0 is the destination subnet on IPSEC.

Do a nonat for this:

nat (outside) 0 access-list VPN-NAT

2) Apply all other traffic to the Internet:

access-list INT extended permit ip 10.0.0.0 255.0.0.0 any

nat (outside) 1 access-list INT

By doing this, any traffic for 172.16.x.x will go through the IPsec tunnel, and any other traffic to the Internet will be NATed and passed to the Internet cloud.

Hope this helps. Rate replies if found useful.

Raj
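To make the order of operations behind Raj's fix concrete, here is an added Python model (not code from this thread or from Cisco) of how a pre-8.3 ASA picks a NAT rule for a flow: the NAT exemption list (nat 0 access-list) is checked before the numbered policy-NAT list, and the first matching ACE wins. The flows and addresses are constructed; the ACL and nat lines are the ones quoted in the thread.

```python
"""Model of classic (pre-8.3) ASA NAT selection on one interface.

Assumption: nat <if> 0 access-list (exemption) is evaluated before
nat <if> 1 access-list (policy NAT); first matching ACE wins.
"""
from ipaddress import IPv4Network, ip_address


def ace(action, src, dst):
    """One extended ACE: action, source net, destination net ('any' = 0.0.0.0/0)."""
    def to_net(spec):
        return IPv4Network("0.0.0.0/0" if spec == "any" else spec.replace(" ", "/"))
    return (action, to_net(src), to_net(dst))


def acl_permits(acl, src, dst):
    """True if the first ACE matching src->dst is a permit; False if deny or no match."""
    s, d = ip_address(src), ip_address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action == "permit"
    return False


def nat_decision(nat_rules, src, dst):
    """nat_rules: list of (nat_id, acl), i.e. 'nat (outside) <id> access-list <acl>'.
    Returns 'exempt' (nat 0 hit), 'pat' (numbered nat hit) or 'no-nat' (no match)."""
    ordered = sorted(nat_rules, key=lambda rule: rule[0] != 0)  # nat 0 evaluated first
    for nat_id, acl in ordered:
        if acl_permits(acl, src, dst):
            return "exempt" if nat_id == 0 else "pat"
    return "no-nat"


# Original poster's config: a single nat 1 list, so everything from 10/8 is PAT'ed.
ORIGINAL = [(1, [ace("permit", "10.0.0.0 255.0.0.0", "any")])]

# Raj's fix: exempt the VPN subnet pair with nat 0, then PAT the rest with nat 1.
FIXED = [
    (0, [ace("permit", "10.0.0.0 255.0.0.0", "172.16.0.0 255.255.0.0")]),
    (1, [ace("permit", "10.0.0.0 255.0.0.0", "any")]),
]

# Constructed sample flows: one to the remote VPN LAN, one to the Internet.
FLOWS = [("10.1.1.10", "172.16.5.5"), ("10.1.1.10", "66.249.85.104")]


def evaluate(nat_rules):
    """Map each sample flow to the NAT action the given rule set would apply."""
    return {f"{s}->{d}": nat_decision(nat_rules, s, d) for s, d in FLOWS}


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, evaluate(cfg))
```

With the original rules the VPN-bound flow is translated too, which is why the LAN-to-LAN traffic stopped matching; the fixed rules leave it untranslated and still PAT the Internet-bound flow.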

New Member

Re: HOW TO ACCESS INTERNET FROM LAN-to-LAN VPN

THX a lot, your solution was OK.

Laptom

New Member

Re: HOW TO ACCESS INTERNET FROM LAN-to-LAN VPN

I have one problem. I have access from the VPN to the Internet, and everything is OK except:

I still can't ping from the VPNs to the Internet.

Laptom

Re: HOW TO ACCESS INTERNET FROM LAN-to-LAN VPN

Laptom,

Are you blocking ICMP by any chance? You need to give access on the firewall for echo and echo-reply on the outside interface.

What are you trying to ping on the Internet? The router or some other component? Rate replies if found useful.

Raj

New Member

Re: HOW TO ACCESS INTERNET FROM LAN-to-LAN VPN

I have:

access-list FROM-OUT extended permit icmp any any

access-group FROM-OUT in interface outside

So there is no option to block ICMP.

I can ping the Internet from inside.

I ping, for example: ping 66.249.85.104 (www.google.com), and from the VPN there is no answer. All traffic from the VPN is OK.

THX

Laptom

New Member

Re: HOW TO ACCESS INTERNET FROM LAN-to-LAN VPN

Sorry, I also can't ping the Internet from inside.

Laptom

New Member

Re: HOW TO ACCESS INTERNET FROM LAN-to-LAN VPN

I added "inspect icmp", which treats ICMP connections as stateful connections, and ping is working correctly.

policy-map global_policy

class inspection_default

inspect icmp
