cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

428
Views
0
Helpful
10
Replies
Highlighted
Beginner

ASA vpn site-to-site


Hello every one,
I set up vpn site to site and its work fine so by default the internet is not allowed because only allowed tunneled traffic.if this correct??
so if I want to allow users in my site A to use only one website like us yahoo.com and also keep my tunnel with site B.

is best scenario to use same interface (outside) or add another one?

if yes what I suppose to add in my asa5525

 

this initial for site-to-site 
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 3.3.3.3 255.255.255.252
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 4.4.4.4 255.255.255.0


object network NETWORK_OBJ
host 1.1.1.1
access-list vpn-tunnle extended permit ip host 1.1.1.1 host 5.5.5.5


object network OBJ
nat (inside,outside) dynamic 2.2.2.2
route outside 0.0.0.0 0.0.0.0 1.1.1.1

Everyone's tags (1)
10 REPLIES 10
Highlighted
VIP Advisor

Re: ASA vpn site-to-site

Hi,

No that’s not quite accurate, just because you have a VPN doesn’t nessarily mean that internet access would be denied. At a minimum for internet access you need a NAT rule to NAT internal networks behind the ASA.

 

You could permit traffic based on domain name/FQDN, here is a guide.

 

HTH

 

 

Highlighted
Beginner

Re: ASA vpn site-to-site

Thanks for your replay I can ping from asa to 8.8.8.8 but not from PCs I added access list access-list acl-inside extended permit ip any any but not work is this nat ok? object network OBJ nat (inside,outside) dynamic 2.2.2.2
Highlighted
VIP Advisor

Re: ASA vpn site-to-site

If you are testing using ICMP run the command “fixup protocol icmp” to enable icmp inspection, which should permit the icmp traffic.

If that still fails please run the command “show Nat detail” and the full configuration of the asa.

You could also run packet-tracer to simulate the traffic and provide the output for review.
Highlighted
Beginner

Re: ASA vpn site-to-site

thank you again previously I did packet trace packet-tracer input inside icmp local-ip 8 0 8.8.8.8 every thing fine no packet drop. I dont knew why my pcs not connect to internet regarding of nat I did form local-ip to local-ip for tunneled is this the problem ?even in packet-tracer tell me allow
Highlighted
VIP Advisor

Re: ASA vpn site-to-site

Please provide all the information I've asked for
Highlighted
Beginner

Re: ASA vpn site-to-site

I make some change in ip address for security reasons ciscoasa# show nat detail Auto NAT Policies (Section 2) 1 (inside) to (outside) source dynamic OBJ-222.15.80.0-24 222.15.88.191 translate_hits = 657648, untranslate_hits = 0 Source - Origin: 222.15.80.0/24, Translated: 222.15.88.191/32 ciscoasa# show running-config ASA Version 9.1(2) ! interface GigabitEthernet0/0 nameif outside security-level 0 ip address 111.0.215.222 255.255.255.252 ! interface GigabitEthernet0/1 nameif inside security-level 100 ip address 222.15.80.254 255.255.255.0 ! object network NETWORK_OBJ_222.15.88.191 host 222.15.88.191 access-list Test extended permit ip host 222.15.88.191 host 222.15.33.192 logging enable logging timestamp logging buffered informational logging trap informational logging asdm informational logging device-id hostname mtu outside 1500 mtu inside 1500 mtu management 1500 no failover icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-713.bin no asdm history enable arp timeout 14400 no arp permit-nonconnected ! object network OBJ-222.15.80.0-24 nat (inside,outside) dynamic 222.15.88.191 route outside 0.0.0.0 0.0.0.0 111.0.215.159 1 route inside 222.15.80.0 255.255.255.0 222.15.80.1 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 <--- More ---> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL aaa authentication ssh console LOCAL aaa authentication http console LOCAL http server enable no snmp-server location no snmp-server contact crypto ipsec ikev1 transform-set OOO esp-3des esp-sha-hmac protocol esp encryption aes-256 protocol esp integrity sha-256 crypto ipsec ikev2 ipsec-proposal DES protocol esp encryption des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal 3DES protocol esp encryption 3des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES protocol esp encryption aes protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES192 protocol esp encryption aes-192 protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES256 protocol esp encryption aes-256 protocol esp integrity sha-1 md5 crypto ipsec security-association pmtu-aging infinite crypto map OOO-TUNNEL 555 match address Test crypto map OOO-TUNNEL 555 set eee crypto map OOO-TUNNEL 555 set peer 88.x.x.x crypto map OOO-TUNNEL 555 set ikev1 transform-set OOO crypto map OOO-TUNNEL 555 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256 crypto map OOO-TUNNEL 555 set security-association lifetime seconds 28800 crypto map OOO-TUNNEL 555 set reverse-route crypto map OOO-TUNNEL interface outside crypto ikev2 policy 2 encryption aes-256 integrity sha256 group 14 <--- More ---> prf sha256 sha lifetime seconds 86400 crypto ikev2 enable outside crypto ikev2 remote-access trustpoint ASDM_TrustPoint0 crypto ikev1 enable outside crypto ikev1 policy 10 authentication crack encryption aes-256 hash sha group 2 lifetime 86400 crypto ikev1 policy 11 authentication pre-share encryption 3des hash sha group 2 lifetime 28800 crypto ikev1 policy 12 authentication pre-share encryption aes-256 hash sha group 5 lifetime 86400 crypto ikev1 policy 15 <--- More ---> authentication pre-share encryption aes hash sha group 2 lifetime 86400 crypto ikev1 policy 20 authentication rsa-sig encryption aes-256 hash sha group 2 lifetime 86400 crypto ikev1 policy 30 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto ikev1 policy 40 authentication crack encryption aes-192 hash sha group 2 lifetime 86400 crypto ikev1 policy 50 <--- More ---> authentication rsa-sig encryption aes-192 hash sha group 2 lifetime 86400 crypto ikev1 policy 60 authentication pre-share encryption aes-192 hash sha group 2 lifetime 86400 crypto ikev1 policy 70 authentication crack encryption aes hash sha group 2 lifetime 86400 crypto ikev1 policy 80 authentication rsa-sig encryption aes hash sha group 2 lifetime 86400 crypto ikev1 policy 100 <--- More ---> authentication crack encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 110 authentication rsa-sig encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 120 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto ikev1 policy 130 authentication crack encryption des hash sha group 2 lifetime 86400 crypto ikev1 policy 140 <--- More ---> authentication rsa-sig encryption des hash sha group 2 lifetime 86400 crypto ikev1 policy 150 authentication pre-share encryption des hash sha group 2 lifetime 86400 vpn-tunnel-protocol ikev1 group-policy GroupPolicy_88.x.x.x internal group-policy GroupPolicy_88.x.x.x attributes tunnel-group 88.x.x.x type ipsec-l2l tunnel-group 88.x.x.x general-attributes default-group-policy GroupPolicy_88.x.x.x tunnel-group 88.x.x.x ipsec-attributes ikev1 pre-shared-key ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny <--- More ---> inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options inspect icmp inspect icmp error ! service-policy global_policy global prompt hostname context
Highlighted
Beginner

Re: ASA vpn site-to-site

find attached I make some change in ip address for security reasons
Highlighted
VIP Advisor

Re: ASA vpn site-to-site

You've got a NAT rule and you are NATTING your internal network behind an IP address that doesn't belong to your ASA - do you have a route on the upstream router pointing to the ASA for that IP address?

 

Try changing to NAT to your outside interface IP address.

object network OBJ-222.15.80.0-24
no nat (inside,outside) dynamic 222.15.88.191
nat (inside,outside) dynamic interface

 If that still doesn't work, run packet-tracer from the CLI again and provide the full output.

Highlighted
Beginner

Re: ASA vpn site-to-site

object network OBJ-222.15.80.0-24 nat (inside,outside) dynamic 222.15.88.191 in actually , I added this NAT for translated private to private for hidden internal ip address in my network. is there any option that lets me keep this NAT for vpn(site-to-site) and add another NAT for use internet?
Highlighted
Beginner

Re: ASA vpn site-to-site

please i need help if any one can solve this problem