Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Site to Site VPN tunnel, but all internet traffic going via one asa

I have two site which both have a VPN tunnel connected.

I would like Site B to route all internet traffic through Site A internet connection. i.e. The ASA in site A will have to NAT the packet which come from the VPN tunnel of Site B.

I'm sure this is possible, but how would the nat statament look, as the traffic would come from the outside and then be routed out the outside.

Thanks

10 REPLIES

Site to Site VPN tunnel, but all internet traffic going via one

Site B should have Crypto ACL -- source site B subnet destination -any

Site A should have crypto ACL---  Source any destination Site B subnet

Then NAT on ASA A for site B subnt to go out.

New Member

Site to Site VPN tunnel, but all internet traffic going via one

Is this classed as hair pinning?

I didn't think you can route or/and nat traffic when and going from same interface?????

Hall of Fame Super Silver

Re: Site to Site VPN tunnel, but all internet traffic going via

Yes, it is a 'hairpinning" application. Please see this nice blog post for lots more details. A briefer post talking about this exact application is here.

You will also need to use the command:

same-security-traffic permit intra-interface

New Member

Re: Site to Site VPN tunnel, but all internet traffic going via

Thanks.

Quick question,

Is it possible to NAT traffic which is sent from the VPN tunnel to a different address as it leave the source site?

E.g.

my lan is on 192.168.1.0/24 but when the vpn packet go over the vpn link I want them to be seen as a source of 192.168.200.0 /24.

But when they go over the internet to have a source of 192.168.1.0/24?

Thanks.

Hall of Fame Super Silver

Re: Site to Site VPN tunnel, but all internet traffic going via

The answer in general is "yes".

The answer to your specific example is "no" - at least for the bit about how you want them to be seen on the Internet.

192.168.1.0/24 is a private (RFC 1918) netblock and will not be routed on the Internet as-is. Traffic on the Internet must have publicly routable addresses. Typically this is an address (or range of addresses) allocated to you by your ISP (or assigned directly to your company by one of the Regional Internet Registrars if you are big enough to qualify for a provider-independent network).

As far as how they are seen at the peer site within your company, yes - you can translate them into any address you want internally.

New Member

Re: Site to Site VPN tunnel, but all internet traffic going via

Hi Marvin,

Sorry what I meant was...

Is it possible to NAT traffic which is sent from the VPN tunnel to a different address as it leave the source site?

E.g.

my lan is on 192.168.1.0/24 but when the vpn packet go over the vpn link I want them to be seen as a source of 192.168.200.0 /24.

But when they go over the internet to have a source of 192.168.1.0/24 which is then has PAT of the outside public ip address?

Thanks.

Would I need a static cmd?

Does the static cmd take presence over a glocal nat statement?

Thanks

Hall of Fame Super Silver

Re: Site to Site VPN tunnel, but all internet traffic going via

OK, I think I understand what you want.

Site A = 192.168.1.0/24 has a site-site VPN to site B.  All traffic from A-B you want to have 1-1 NAT to map it to 192.168.200.0/24.

Traffic from A to public Internet you want to go over that same A-B VPN tunnel but hairpin at Site B and leave on Site B's Internet connection using the Site B standard PAT public IP. You want the XLATE table in site B's ASA to show a particular flow as being mapped back to the site A 192.168.1.0/24.

Correct?

I think this should work, but am a bit far out along this logic branch.

You want an implementation of what's known as policy NAT at the Site B end of your VPN tunnel. Basically, "if destination is at site B, NAT one way. if destination is on the public Internet NAT another way"

Have a look at this CSC document or consult the Google for other examples of policy NAT.

New Member

Re: Site to Site VPN tunnel, but all internet traffic going via

Thanks,

I don't no about the xlate as I have not used it before.

But both lans are on the same subnet therefore they cannot communicate but I can add a static cmd which translates the address so both can ping using a static nat.

But I also would like all internet traffic from a certain host on site B to access the internet from site A. And all others host from site B to access internet via local public interface, I will try what you've said and let you know.

Thanks

New Member

Re: Site to Site VPN tunnel, but all internet traffic going via

Hi,

Refereing to my first question.

I understand the crypo map and nat outside statments.

Site B should have Crypto ACL -- source site B subnet destination -any

Site A should have crypto ACL---  Source any destination Site B subnet

Then NAT on ASA A for site B subnt to go out.

(outside, outside) 1 Site B intenal lan address

But would I need to NAT 0 any traffic, I guess on site B I would have to nat exempt the internet traffic going through the tunnel but how about on site A. As there is a static NAT would I need to nat exempt traffic from source internet and destination site B. i.e. have both nat exempt and static?

If I would to which nat 0 would i use, source internet destination site B, or would it be source outside interface ip address destination site B as the packets are natted by the outside interface on site A?

Thank you.

New Member

Re: Site to Site VPN tunnel, but all internet traffic going via

OK,

I worked it out.

I was wondering, what is the benfit if I put the nonat statement in site A. I access the internet with the nonat command in or taken off. How comes it still works with the nonat cmd taken off?

Thanks

5045
Views
0
Helpful
10
Replies