Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3598
Views
0
Helpful
5
Replies

ASA site to site VPN no internet access

dylan.su18@gmail.com
Level 1
Level 1

‎09-03-2019 11:51 PM - edited ‎09-03-2019 11:53 PM

Hi.

 

I have 2 ASAs at different location.

I want my clients behind ASA2 to connect to ASA1 for internet access.

 

Currently, the site to site VPN has already been established but the internet simply doesn't flow.


I have also inserted the command into my ASA1

same-security-traffic permit intra-interface

Packet tracer shows that it has no issue too.

 

Yet it still refuse to budge.

 

What am I missing ?

Labels:
0 Helpful
5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

‎09-04-2019 12:30 AM

You need to have NAT and route in place for the remote end IP address to access the Internet using ASA1

 

Can you post both the side configuration, what give us the client IP address you looking to have access to internetl.?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

dylan.su18@gmail.com
Level 1
Level 1
In response to balaji.bandi

‎09-04-2019 01:40 AM - edited ‎09-05-2019 06:26 PM

Already got them both.

However it simply doesn't work.

 

What should I do so that clients behind ASA2 can connect to 172.217.160.99 through ASA1?

 

ASA1

interface GigabitEthernet0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0

 

same-security-traffic permit intra-interface

 

object network obj-local
subnet 10.1.1.0 255.255.255.0
object network obj-remote
subnet 10.1.2.0 255.255.255.0
object network internal-lan
subnet 10.1.1.0 255.255.255.0

 

access-list VPN-ACL extended permit ip any 10.1.2.0 255.255.255.0

 

nat (inside,outside-isp) source static obj-local obj-local destination static obj-remote obj-remote

 

object network internal-lan
nat (inside,outside-isp) dynamic interface

 

object network obj-remote
nat (outside,outside-isp) dynamic interface

 

crypto ipsec ikev1 transform-set TRSET esp-aes esp-md5-hmac
crypto map VPNMAP 10 match address VPN-ACL
crypto map VPNMAP 10 set peer 30.30.30.1
crypto map VPNMAP 10 set ikev1 transform-set TRSET
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
ikev1 pre-shared-key cisco123

 

 

 

ASA2

interface GigabitEthernet0
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.1.2.1 255.255.255.0

!Configure required network objects

object network obj-local
subnet 10.1.2.0 255.255.255.0
object network obj-remote
subnet 10.1.1.0 255.255.255.0

 

access-list VPN-ACL extended permit ip 10.1.2.0 255.255.255.0 any

 

nat (inside,outside-isp) source static obj-local obj-local destination static obj-remote obj-remote

 

crypto ipsec ikev1 transform-set TRSET esp-aes esp-md5-hmac
crypto map VPNMAP 10 match address VPN-ACL
crypto map VPNMAP 10 set peer 1.1.1.1
crypto map VPNMAP 10 set ikev1 transform-set TRSET
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key cisco123

0 Helpful

bhargavdesai
Spotlight
Spotlight
In response to dylan.su18@gmail.com

‎09-05-2019 02:02 AM

The below configuration is what you need. 

 

 

ASA-01


----This is for your Local Network at the HO----

object network LAN
nat (INSIDE,OUTSIDE) dynamic interface
----This is for the VPN Exemption ____

nat (INSIDE,OUTSIDE) source static any any destination static REMOTE REMOTE no-proxy-arp

---This is for Remote network internet access Hair-pining-----

nat (OUTSIDE,OUTSIDE) source dynamic REMOTE interface

 

---The access list need to include all traffic to TUNNEL so access-list looks like ----
access-list VPN extended permit ip any 10.1.2.0 255.255.255.0
!


ASA-02

 

----The access list for the TUNNEL mirrored of ASA-01 -----

access-list VPN extended permit ip 10.1.2.0 255.255.255.0 any

 

---- No NAT Policy at the ASA-02----

 

 

Along with this you should have all the necessary crypto configuration and routing in place and you are good to go. 

 

 

Do let me know if you still having issue? 

 

 

Bhaggu.

0 Helpful

dylan.su18@gmail.com
Level 1
Level 1
In response to bhargavdesai

‎09-05-2019 07:48 PM

do i need static routes for it ?

0 Helpful

bhargavdesai
Spotlight
Spotlight
In response to dylan.su18@gmail.com

‎09-05-2019 08:15 PM

Default route will do on both side.

Route OUTSIDE 0 0 1.1.1.254

Bhaggu
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card