Site to site vpn 1

[boymarty24]

Hi,

I am about to configure a site to site VPN between to ASA. I have no problem setting up the tunnel but i want one ASA to use the HQ ASA as internet gateway. I know this is possible but i havent tried it yet.

Any ideas anyone? If you got any information on Ciscos homepage it would be great.

//Marty

 

[boymarty24]

I assume i need to disable all NAT at my remote asa and change the VPN acl to ANY.

 

[unclerico]

in the crypto ACL used to define the interesting traffic you'll want to do like so:

access-list 101 extended permit ip any any

crypto map <map_name> 10 match address 101

and then bypass NAT:

acess-list nonat extended permit ip any any

nat (inside) 0 access-list nonat

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[boymarty24]

Thx,

How should the crypto ACL look like at HQ?

access-list 101 extended permit ip 1.1.1.1/24 2.2.2.2/24 or?

 

[unclerico]

the crypto ACL at HQ should include all subnets at the remote site that need to be classified as interesting. if you have 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 your ACL would be:
access-list 101 extended permit ip any 192.168.1.0 255.255.255.0
access-list 101 extended permit ip any 192.168.2.0 255.255.255.0
access-list 101 extended permit ip any 192.168.3.0 255.255.255.0

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[boymarty24]

Hi,

I have no problems getting the vpn tunnel to work but the clients on the remote network don´t have any internet access. I assume it has something to do with NAT at the HQ side but i can´t figure it out.

 

[boymarty24]

I solved it. Added a global outside and now it works like a charm.

Thx buddy!