09-03-2019 11:51 PM - edited 09-03-2019 11:53 PM
Hi.
I have 2 ASAs at different locations.
I want my clients behind ASA2 to connect to ASA1 for internet access.
Currently, the site-to-site VPN has already been established, but the internet simply doesn't flow.
I have also inserted the command into my ASA1:
same-security-traffic permit intra-interface
Packet tracer shows that it has no issue either.
Yet it still refuses to budge.
What am I missing?
09-04-2019 12:30 AM
You need to have NAT and a route in place for the remote end IP addresses to access the Internet using ASA1.
Can you post both sides' configuration, and give us the client IP address you are looking to have access to the internet?
09-04-2019 01:40 AM - edited 09-05-2019 06:26 PM
Already got them both.
However, it simply doesn't work.
What should I do so that clients behind ASA2 can connect to 172.217.160.99 through ASA1?
interface GigabitEthernet0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
same-security-traffic permit intra-interface
object network obj-local
subnet 10.1.1.0 255.255.255.0
object network obj-remote
subnet 10.1.2.0 255.255.255.0
object network internal-lan
subnet 10.1.1.0 255.255.255.0
access-list VPN-ACL extended permit ip any 10.1.2.0 255.255.255.0
nat (inside,outside-isp) source static obj-local obj-local destination static obj-remote obj-remote
object network internal-lan
nat (inside,outside-isp) dynamic interface
object network obj-remote
nat (outside,outside-isp) dynamic interface
crypto ipsec ikev1 transform-set TRSET esp-aes esp-md5-hmac
crypto map VPNMAP 10 match address VPN-ACL
crypto map VPNMAP 10 set peer 30.30.30.1
crypto map VPNMAP 10 set ikev1 transform-set TRSET
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
ikev1 pre-shared-key cisco123
interface GigabitEthernet0
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.1.2.1 255.255.255.0
!Configure required network objects
object network obj-local
subnet 10.1.2.0 255.255.255.0
object network obj-remote
subnet 10.1.1.0 255.255.255.0
access-list VPN-ACL extended permit ip 10.1.2.0 255.255.255.0 any
nat (inside,outside-isp) source static obj-local obj-local destination static obj-remote obj-remote
crypto ipsec ikev1 transform-set TRSET esp-aes esp-md5-hmac
crypto map VPNMAP 10 match address VPN-ACL
crypto map VPNMAP 10 set peer 1.1.1.1
crypto map VPNMAP 10 set ikev1 transform-set TRSET
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key cisco123
09-05-2019 02:02 AM
The below configuration is what you need.
ASA-01
----This is for your Local Network at the HO----
object network LAN
nat (INSIDE,OUTSIDE) dynamic interface
----This is for the VPN Exemption----
nat (INSIDE,OUTSIDE) source static any any destination static REMOTE REMOTE no-proxy-arp
----This is for Remote network internet access (Hairpinning)----
nat (OUTSIDE,OUTSIDE) source dynamic REMOTE interface
----The access list needs to include all traffic to the TUNNEL, so the access-list looks like----
access-list VPN extended permit ip any 10.1.2.0 255.255.255.0
!
ASA-02
----The access list for the TUNNEL, mirror of ASA-01----
access-list VPN extended permit ip 10.1.2.0 255.255.255.0 any
----No NAT Policy at the ASA-02----
Along with this you should have all the necessary crypto configuration and routing in place, and you are good to go.
Do let me know if you are still having issues.
Bhaggu.
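As an added illustration (not part of the thread or of anyone's posted config), a small Python lint that checks a hub ASA's configuration for the hairpin prerequisites the reply above lists: NAT rules that name real interfaces, same-security-traffic, an (outside,outside) translation for the remote LAN, and a tunnel-group for every crypto map peer. The two config strings are constructed from the ASA1 config posted earlier and from the reply's NAT layout, trimmed to the lines the checks read.

```python
import re

# Constructed from the ASA1 config posted above, reduced to the lines the checks read.
ASA1_POSTED = """
nameif outside
nameif inside
same-security-traffic permit intra-interface
nat (inside,outside-isp) source static obj-local obj-local destination static obj-remote obj-remote
nat (inside,outside-isp) dynamic interface
nat (outside,outside-isp) dynamic interface
crypto map VPNMAP 10 set peer 30.30.30.1
tunnel-group 2.2.2.2 type ipsec-l2l
"""

# Constructed: the same device with the NAT layout from the reply, using ASA1's own nameifs.
ASA1_FIXED = """
nameif outside
nameif inside
same-security-traffic permit intra-interface
nat (inside,outside) source static any any destination static obj-remote obj-remote no-proxy-arp
nat (inside,outside) dynamic interface
nat (outside,outside) source dynamic obj-remote interface
crypto map VPNMAP 10 set peer 2.2.2.2
tunnel-group 2.2.2.2 type ipsec-l2l
"""


def lint_hairpin_config(cfg: str) -> list:
    """Return findings for a hub ASA that should hairpin remote VPN clients to the Internet."""
    lines = [ln.strip() for ln in cfg.splitlines() if ln.strip()]
    nameifs = {m.group(1) for ln in lines if (m := re.match(r"nameif (\S+)$", ln))}
    nat_rules = [m for ln in lines if (m := re.match(r"nat \(([^,]+),([^)]+)\)", ln))]
    findings = []
    # 1. Every NAT rule must name interfaces that exist; a typo here silently matches nothing.
    for m in nat_rules:
        for name in m.groups():
            if name not in nameifs:
                findings.append(f"NAT uses undefined interface '{name}': {m.string}")
    # 2. Hairpinning sends traffic back out the interface it arrived on.
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("missing 'same-security-traffic permit intra-interface'")
    # 3. The remote LAN needs a NAT rule whose ingress and egress interface are the same.
    if not any(m.group(1) == m.group(2) for m in nat_rules):
        findings.append("no (outside,outside) NAT rule to translate the remote LAN")
    # 4. Each crypto map peer must have a matching tunnel-group (which carries the pre-shared key).
    peers = {m.group(1) for ln in lines if (m := re.search(r"set peer (\S+)$", ln))}
    groups = {m.group(1) for ln in lines if (m := re.match(r"tunnel-group (\S+) type", ln))}
    findings.extend(f"crypto map peer {p} has no tunnel-group" for p in sorted(peers - groups))
    return findings
```

Running `lint_hairpin_config(ASA1_POSTED)` reports the undefined `outside-isp` interface on every NAT line, the missing same-interface translation and the peer without a tunnel-group; the reply's layout produces no findings.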
09-05-2019 07:48 PM
Do I need static routes for it?
09-05-2019 08:15 PM