12-15-2009 05:29 PM - edited 03-04-2019 06:59 AM
Dear All Experts,
Right now I have an issue with the internet connection from the branch to HQ. Let me explain:
I configured a VPN connection (over a leased line) from HQ to the branch office, and the branch office gets its internet connection
from HQ (I mean that HQ shares its internet with the branch). But it does not work!
Note: The branch office can ping the HQ LAN and the ASA over the VPN connection, but the branch office cannot use the internet!
Could you let me know what I can do about this issue, or do you have any commands for this?
Please see the attached file!
Best Regards,
Rechard
12-16-2009 12:50 AM
Hello Rechard,
you need to verify where NAT (network address translation) is performed; it is likely done on ASA1 (the one with the internet link).
ASA2 is the one that performs the VPN connection.
The device that performs NAT needs two things.
First, it needs to know how to reach the IP subnets of the branch office, to be able to send return traffic.
This can be done by any means, a static route or by taking part in a dynamic routing protocol.
ASA1 needs to know that it has to send traffic for the IP subnets of the branch office to ASA2.
Second, it needs to be configured to translate the IP addresses of the branch office subnets, as it is already doing for the HQ IP subnet(s).
This requires extending the ACL on ASA1 that is already used to translate HQ addresses.
Hope to help
Giuseppe
12-16-2009 07:50 PM
12-18-2009 01:00 AM
Hello Rechard,
the HQ ASA that handles the internet connection needs to know how to reach net 40.40.40.0/24 and has to be configured to NAT it.
ASA_HQ:
add
route inside 40.40.40.0 255.255.255.0 192.168.1.2
and the NAT configuration
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
should be fine
as you can see in this example:
currently the HQ ASA has no route for the branch site net 40.40.40.0/24
Hope to help
Giuseppe
12-21-2009 05:48 PM
Dear Giuseppe,
Thank you for your support!
I added the route that you told me, but the problem is still there.
Do you have any other commands for this?
Best Regards,
Norung
12-21-2009 05:54 PM
Dear Giuseppe,
Thank you for your help!
I already added the inside route on the HQ ASA, but the problem is still there (I mean the branch cannot access the internet).
How about the branch configuration, do we need to add something or not?
Best Regards,
Rechard
12-22-2009 02:41 AM
Hello Norung or Rechard,
you may be right that there is something else to change in the branch office.
You have currently set up an IPsec tunnel, but it is used only for traffic between the sites:
ip access-list extended LinktoHQ
permit ip 40.40.40.0 0.0.0.255 20.20.20.0 0.0.0.255
permit ip 40.40.40.0 0.0.0.255 10.10.10.0 0.0.0.255
and you have on your branch router a default route pointing to the ASA2 IP address:
ip route 0.0.0.0 0.0.0.0 30.30.30.1
and on ASA2, the one that connects to the remote branch:
access-list branchoffice extended permit ip 20.20.20.0 255.255.255.0 40.40.40.0 255.255.255.0
access-list branchoffice extended permit ip 10.10.10.0 255.255.255.0 40.40.40.0 255.255.255.0
IP traffic coming from the branch with an internet destination is sent in the clear on the link between ASA2 and the branch router.
But this is not a problem for routing.
Probably the problem is still in ASA1, the one connected to the internet.
Try to access the internet from an IP address in 40.40.40.x.
On ASA1, the one connected to the internet, use:
sh xlate | inc 40.40.40.x
This is to check that NAT is working on ASA1 for the IP addresses of the branch office.
If you don't see any entry, you need to verify IP connectivity from net 40.40.40.0/24 to ASA1 inside.
On ASA1 try: ping 40.40.40.x
Hope to help
Giuseppe
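The two things Giuseppe asks of the HQ internet ASA (a route back to the branch subnet on the inside interface, and a nat/global pair that actually translates that subnet on the way out), plus the "sh xlate" check in the last reply, can be verified mechanically against a saved running-config. The checker below is an added example written for this page; it is not code from the thread or from Cisco. It assumes pre-8.3 ASA "nat/global" syntax, interfaces named inside and outside, and constructed config and "show xlate" text modelled on the thread's addressing (branch 40.40.40.0/24, ASA2 at 192.168.1.2; the documentation range 203.0.113.0/24 stands in for the HQ public address). It flags the classic mistake of covering the branch with "nat (inside) 0", which is identity NAT and sends the private address out untranslated, and a nat id that has no matching "global (outside)" pool.

```python
import ipaddress
import re

# Assumptions (constructed for this example): pre-8.3 ASA nat/global syntax,
# interfaces named inside/outside, thread addressing (branch 40.40.40.0/24,
# ASA2 inside address 192.168.1.2). 203.0.113.0/24 is a documentation range
# standing in for the HQ public address.
IP = r"(\d+\.\d+\.\d+\.\d+)"
ROUTE_RE = re.compile(rf"^route\s+(\S+)\s+{IP}\s+{IP}\s+{IP}")
NAT_RE = re.compile(rf"^nat\s+\((\S+)\)\s+(\d+)\s+{IP}\s+{IP}")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\b")
XLATE_RE = re.compile(rf"^(?:PAT|NAT)\s+Global\s+{IP}(?:\(\d+\))?\s+Local\s+{IP}")


def parse_asa(config_text):
    """Collect route / nat / global statements from an ASA running-config.
    Policy NAT ("nat ... access-list") and static statements are ignored."""
    routes, nats, globals_ = [], [], set()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if m:
            iface, addr, mask, gw = m.groups()
            routes.append((iface, ipaddress.ip_network(f"{addr}/{mask}", strict=False), gw))
            continue
        m = NAT_RE.match(line)
        if m:
            iface, nat_id, addr, mask = m.groups()
            nats.append((iface, int(nat_id), ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_.add((m.group(1), int(m.group(2))))
    return routes, nats, globals_


def check_branch_internet(config_text, branch, inside="inside", outside="outside"):
    """Return a list of findings; an empty list means the HQ ASA can route
    return traffic to the branch and will PAT its outbound traffic."""
    branch = ipaddress.ip_network(branch)
    routes, nats, globals_ = parse_asa(config_text)
    findings = []
    # 1. Return path: a route on the inside interface that covers the branch.
    if not any(iface == inside and branch.subnet_of(net) for iface, net, _ in routes):
        findings.append(f"no route to {branch} on interface {inside}")
    # 2. Translation: a nat statement on inside that covers the branch and
    #    is paired with a global pool on the outside interface.
    matching = [(nid, net) for iface, nid, net in nats if iface == inside and branch.subnet_of(net)]
    if not matching:
        findings.append(f"no nat ({inside}) statement covers {branch}")
    for nid, net in matching:
        if nid == 0:
            # nat id 0 is identity NAT: the branch address leaves untranslated.
            findings.append(f"nat ({inside}) 0 {net} exempts {branch} from translation")
        elif (outside, nid) not in globals_:
            findings.append(f"nat id {nid} has no 'global ({outside}) {nid}' pool")
    return findings


def branch_xlates(show_xlate_output, branch):
    """From 'show xlate' output, return (local, global) pairs belonging to the
    branch subnet. An empty list is the 'no entry' case from the thread: branch
    packets never reached the translation step on this ASA."""
    branch = ipaddress.ip_network(branch)
    pairs = []
    for line in show_xlate_output.splitlines():
        m = XLATE_RE.match(line.strip())
        if m and ipaddress.ip_address(m.group(2)) in branch:
            pairs.append((m.group(2), m.group(1)))
    return pairs


# Constructed sample: HQ ASA with the branch route added but the branch still
# covered by an identity-NAT statement instead of the id-1 PAT pool.
HQ_ASA_BEFORE = """\
interface Ethernet0/1
 nameif inside
 security-level 100
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 40.40.40.0 255.255.255.0 192.168.1.2 1
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0
"""
HQ_ASA_AFTER = HQ_ASA_BEFORE.replace("nat (inside) 0 0.0.0.0", "nat (inside) 1 0.0.0.0")

# Constructed 'show xlate' output with one branch host translated.
SHOW_XLATE = """\
3 in use, 5 most used
PAT Global 203.0.113.5(1024) Local 10.10.10.25(49152)
PAT Global 203.0.113.5(1025) Local 40.40.40.10(51234)
PAT Global 203.0.113.5(1026) Local 20.20.20.7(33000)
"""

if __name__ == "__main__":
    for name, cfg in (("before", HQ_ASA_BEFORE), ("after", HQ_ASA_AFTER)):
        print(name, check_branch_internet(cfg, "40.40.40.0/24") or "OK")
    print("branch xlates:", branch_xlates(SHOW_XLATE, "40.40.40.0/24"))
```

Run it against "show running-config" pasted into a file; an empty findings list plus at least one branch entry from "show xlate" confirms both the return route and the translation. No findings but no xlate entries points back to connectivity between 40.40.40.0/24 and the inside of ASA1, which is where the last reply sends you.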