07-22-2015 03:05 AM - edited 03-11-2019 11:18 PM
Hi,
We use the private space 10.0.0.0/8 for our corporate inside resources. One of our offices has 10.29.0.0/16.
We created a site-to-site connection between 2 ASAs, between the corporate network and the office. This VPN works fine. From our corporate network we can reach resources at the remote offices and vice versa.
However, clients from the remote office cannot reach the Internet. I know it is an issue with overlapping segments, but I need some advice on how best to resolve this.
Remote office:
ASA version: 9.1.2
10.29.0.0/16
Inside interface has 10.29.255.1/24 and is used as default gateway for clients in the remote office. Inside interface is connected to a L3 switch, which has an interface 10.29.255.254. So the 10.29.255.0/24 segment acts as a transport segment between the L3 switch and ASA.
Simulations using the packet tracer show successful access for internal clients to Internet resources.
Partial config:
!
object network CORP-ALL
subnet 10.0.0.0 255.0.0.0
!
object network OFFICE
subnet 10.29.0.0 255.255.0.0
!
access-list outside_cryptomap extended permit ip object OFFICE object CORP-ALL
nat (inside,outside) source static OFFICE OFFICE destination static CORP-ALL CORP-ALL no-proxy-arp route-lookup
!
route outside 0.0.0.0 0.0.0.0 [ISP IP] 1
route inside 10.29.0.0 255.255.0.0 10.29.255.254 1
!
No other ACLs are present than the defaults.
So, basically, the gateway/ASA inside IP is part of the NAT config and will not allow outside Internet traffic. What is the best way to solve this?
What I was thinking of was to create a new network object that includes the local subnet but excludes the transfer segment, i.e. range 10.29.0.1 - 10.29.254.254, and use that in the nat statement. So:
!
object network OFFICE-2
range 10.29.0.1 10.29.254.254
!
nat (inside,outside) source static OFFICE-2 OFFICE-2 destination static CORP-ALL CORP-ALL no-proxy-arp route-lookup
!
Any input?
07-22-2015 07:03 AM
From what you have described, I understand that the remote office is configured to access corporate office resources over VPN and the rest of the Internet traffic will flow without the VPN tunnel.
>> You can check if ASA is able to ping the internet.
>> If ASA can ping internet then check if ASA is configured to NAT all the internet bound traffic.
In case you do not have any NAT, then you can try using interface based auto nat.
Sample config:
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
>> Also ensure you have inspection for ICMP enabled.
>> If inspection for icmp is not present then you can use command:
fixup protocol icmp
>> Also attach the packet tracer output from ASA.
Thanks,
R.Seth
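To make the two suggestions in this thread checkable offline, here is an added example (my own constructed model, not configuration or code from either poster or from Cisco) that replays the ASA's NAT rule order, manual NAT in section 1 before object (auto) NAT in section 2, against the objects quoted above. It assumes inside-to-outside flows only, ignores the finer auto-NAT ordering by rule type and prefix length, and uses the constructed addresses 10.10.1.1 (a corporate host) and 198.51.100.1 (an Internet host). It shows why a client flow to the Internet leaves untranslated under the originally posted rules, how the suggested `obj_any` dynamic interface PAT picks it up without disturbing the tunnelled identity flow, and that the OFFICE-2 range excludes the 10.29.255.0/24 transit segment.

```python
"""Constructed model of ASA NAT evaluation for the flows discussed above.

Not ASA code: it walks the rule order described in the thread
(manual NAT section 1 before auto NAT section 2) for a few
constructed client flows so the effect of the added PAT can be checked.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

IPv4 = ipaddress.IPv4Address
# A network object is either a subnet or an inclusive address range,
# mirroring `subnet` and `range` under `object network`.
NetObj = Union[ipaddress.IPv4Network, Tuple[IPv4, IPv4]]


def member(obj: NetObj, ip: IPv4) -> bool:
    """True if ip falls inside the network object."""
    if isinstance(obj, ipaddress.IPv4Network):
        return ip in obj
    lo, hi = obj
    return lo <= ip <= hi


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int           # 1 = manual (twice) NAT, 2 = auto (object) NAT
    src: NetObj
    dst: Optional[NetObj]  # None = any destination
    action: str            # "identity" (no translation) or "pat" (interface PAT)


def first_match(rules: List[NatRule], src: IPv4, dst: IPv4) -> Optional[NatRule]:
    """The ASA uses the first matching rule, section 1 before section 2.
    Within a section, list order is used here (simplification)."""
    for rule in sorted(rules, key=lambda r: r.section):
        if member(rule.src, src) and (rule.dst is None or member(rule.dst, dst)):
            return rule
    return None


def classify(rules: List[NatRule], crypto_acl, src: str, dst: str) -> str:
    """Outcome for an inside->outside flow: 'vpn', 'pat' or 'untranslated'."""
    s, d = IPv4(src), IPv4(dst)
    rule = first_match(rules, s, d)
    acl_src, acl_dst = crypto_acl
    if rule and rule.action == "identity" and member(acl_src, s) and member(acl_dst, d):
        return "vpn"           # untranslated and interesting to the crypto map: tunnelled
    if rule and rule.action == "pat":
        return "pat"           # translated to the outside interface address
    return "untranslated"      # private source would leave toward the ISP unchanged


# Objects quoted in the thread.
CORP_ALL = ipaddress.IPv4Network("10.0.0.0/8")
OFFICE = ipaddress.IPv4Network("10.29.0.0/16")
OFFICE_2 = (IPv4("10.29.0.1"), IPv4("10.29.254.254"))
ANY = ipaddress.IPv4Network("0.0.0.0/0")
CRYPTO_ACL = (OFFICE, CORP_ALL)   # access-list outside_cryptomap

IDENTITY = NatRule("OFFICE->CORP-ALL identity", 1, OFFICE, CORP_ALL, "identity")
PAT_ANY = NatRule("obj_any dynamic interface", 2, ANY, None, "pat")

OP_RULES = [IDENTITY]            # NAT as originally posted
WITH_PAT = [IDENTITY, PAT_ANY]   # with the suggested auto NAT added

if __name__ == "__main__":
    # Constructed flows: a client in the office to a corporate host and to an Internet host.
    for rules in (OP_RULES, WITH_PAT):
        for dst in ("10.10.1.1", "198.51.100.1"):
            print(f"{len(rules)} rule(s): 10.29.1.10 -> {dst} = "
                  f"{classify(rules, CRYPTO_ACL, '10.29.1.10', dst)}")
```

Running it prints one line per flow and rule set; the Internet-bound flow reads `untranslated` with the posted rules and `pat` once the `obj_any` rule is present, while the corporate-bound flow stays `vpn` in both cases because the section 1 identity rule is evaluated first.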