12-07-2017 09:42 AM - edited 02-21-2020 06:55 AM
I have a need for a site-to-site VPN tunnel and for internet at both sites. I am using ASA 9.2 with ASDM 7. I feel more comfortable in ASDM. I have tried a few configs that have not worked. Site A is 172.28.1.0 and Site B is 10.55.55.0. I have services in Site B that need to be accessed by Site A, but both sites need web traffic to the internet from their own location. I also have a stream at Site B that is unicast to Site A. At each site I have objects created for LAN, which is the local LAN, and REMOTE-LAN, which is the remote LAN from that location. Any guidance on commands would be very appreciated.
01-05-2018 05:45 AM
Hello @bughatti,
The configuration for S2S is OK. I just saw a problem with the NAT exemption: since the line is below the PAT for the Internet, the traffic is flowing through the Internet and not through the VPN tunnel. You need to make that change on both ASAs; apply the following commands:
Site 1:
no nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
nat (inside,outside) 1 source static LAN LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
Site 2:
no nat (inside,outside) source static LAN LAN destination static Remote_LAN Remote_LAN no-proxy-arp route-lookup
nat (inside,outside) 1 source static LAN LAN destination static Remote_LAN Remote_LAN no-proxy-arp route-lookup
With this change, test the connection and verify if everything works fine. If it doesn't, get the outputs for the following debugs:
debug crypto isakmp 250
debug crypto ipsec 250
Let me know how it goes, also @Kornelia Gutierrez Long time no see :)
HTH
Gio
12-14-2017 10:53 AM
Hello Bughatti,
Could you please share the configuration you had set up in both ends, also is the tunnel up?
When you say that they need to have access to the internet, could you explain if the sites need to access the internet locally or using the vpn tunnel?
01-04-2018 11:47 PM
Sorry for the long time in response, very busy. I have attached both sites in text files, cleaned up.
A quick update: I am not located at the sites anymore, I only have remote access to them through TeamViewer on a Windows host behind each ASA. When we left the locations a couple of weeks ago we had things working. The VPN handled all internal traffic that was needed, and all machines behind each site had internet through their own gateway with a NAT exempt rule. Unfortunately the SAT carrier at one end had to change the IP address due to routing issues. After the change, I have been unable to establish a phase 1 VPN connection, even though each ASA can ping the other's outside interface. I have deleted the VPN info on both and re-created them exactly with the VPN wizard. I have run 'sh cry ips sa' and I get no SAs. I have followed a few guides that say to make sure you ping something internal on the other end when bringing up the VPN, as that can help establish phase 1. That did not work. As of now I cannot get a phase 1 connection. Any help is greatly appreciated.
01-05-2018 10:52 PM
So this indeed fixed the issue; I will mark it as resolved. But I have a question about this: I have done no NAT/firewall/VPN CLI commands on either of the ASAs. When setting up the VPN I used the site-to-site wizard. Using the wizard, what would have caused a misplacement of the NAT rules? Is this a bug?
01-09-2018 05:56 AM
Hello @bughatti,
If you used the VPN Wizard over ASDM and you selected the option to add the NAT exemption, the ASA will place the rule at the end of the NAT statements, since that's the default behavior; in your case, below the PAT for the Internet.
But if you already had the configuration and you didn't select to add the NAT exemption through the wizard, that is something we need to look at.
HTH
Gio
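As an added example (not from the thread or from Cisco), here is a small Python check for the ordering problem Gio describes: it parses the Section 1 (manual NAT) lines from a "show running-config nat" style listing, flags any VPN NAT exemption (identity static NAT with a destination clause) that sits below a dynamic PAT rule on the same interface pair, and models the "no nat ... / nat (...) 1 source static ..." fix by moving the exemptions to the top. The sample NAT lines and the object names are constructed for illustration; object membership is not resolved, so any earlier dynamic rule on the same interface pair is reported.

```python
import re

# Constructed Section 1 listing in the order the ASDM wizard left it:
# the Internet PAT first, the VPN exemption appended at the end.
SAMPLE_NAT = """\
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
"""

# Matches manual NAT lines; the optional number is the insertion position (e.g. "nat (...) 1 source ...").
NAT_RE = re.compile(
    r"^nat \((?P<ifaces>[^)]+)\)(?: (?P<line>\d+))? source (?P<kind>static|dynamic) "
    r"(?P<src>\S+) (?P<mapped>\S+)(?: destination static (?P<dst>\S+) (?P<dst_mapped>\S+))?"
)


def parse_manual_nat(config):
    """Return the manual NAT rules of a config listing, in configuration order."""
    rules = []
    for text in config.splitlines():
        m = NAT_RE.match(text.strip())
        if m:
            rules.append({**m.groupdict(), "text": text.strip()})
    return rules


def is_exemption(rule):
    """Identity NAT (source mapped to itself) with an identity destination: the VPN NAT exemption."""
    return (rule["kind"] == "static" and rule["src"] == rule["mapped"]
            and rule["dst"] is not None and rule["dst"] == rule["dst_mapped"])


def shadowed_exemptions(rules):
    """Pairs (pat_rule, exemption) where a dynamic rule on the same interfaces precedes the exemption.

    Manual NAT is evaluated top-down, so the earlier PAT wins and VPN traffic is translated.
    """
    findings = []
    for i, rule in enumerate(rules):
        if not is_exemption(rule):
            continue
        for earlier in rules[:i]:
            if earlier["kind"] == "dynamic" and earlier["ifaces"] == rule["ifaces"]:
                findings.append((earlier["text"], rule["text"]))
    return findings


def reorder_exemptions_first(rules):
    """Model the fix: remove each exemption and re-add it at line 1, keeping relative order."""
    exempt = [r for r in rules if is_exemption(r)]
    rest = [r for r in rules if not is_exemption(r)]
    return exempt + rest


if __name__ == "__main__":
    parsed = parse_manual_nat(SAMPLE_NAT)
    for pat, exemption in shadowed_exemptions(parsed):
        print(f"exemption shadowed by PAT:\n  {pat}\n  {exemption}")
```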