Hello everyone,
I set up a site-to-site VPN and it works fine, so by default the internet is not allowed because only tunneled traffic is allowed. Is this correct??
So, if I want to allow users in my site A to use only one website, such as yahoo.com, and also keep my tunnel with site B:
Is the best scenario to use the same interface (outside) or add another one?
If so, what am I supposed to add in my ASA 5525?
This is the initial config for site-to-site:
ip address 18.104.22.168 255.255.255.252
ip address 22.214.171.124 255.255.255.0
object network NETWORK_OBJ
access-list vpn-tunnle extended permit ip host 126.96.36.199 host 188.8.131.52
object network OBJ
nat (inside,outside) dynamic 184.108.40.206
route outside 0.0.0.0 0.0.0.0 220.127.116.11
No, that's not quite accurate; just because you have a VPN doesn't necessarily mean that internet access would be denied. At a minimum, for internet access you need a NAT rule to NAT internal networks behind the ASA.
You could permit traffic based on domain name/FQDN; here is a guide.
You've got a NAT rule and you are NATing your internal network behind an IP address that doesn't belong to your ASA. Do you have a route on the upstream router pointing to the ASA for that IP address?
Try changing the NAT to your outside interface IP address.
object network OBJ-18.104.22.168-24
no nat (inside,outside) dynamic 22.214.171.124
nat (inside,outside) dynamic interface
If that still doesn't work, run packet-tracer from the CLI again and provide the full output.
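As an added example that is not part of the original thread, here is one way to put the two pieces of advice above (NAT behind the outside interface, and permitting only one FQDN) together on the same outside interface while keeping the tunnel. The subnets, DNS server address and object names are placeholders, not values from the thread.

```cisco
! --- Placeholders (assumed): replace with the real site A / site B subnets and DNS server
object network SITE_A_LAN
 subnet 192.0.2.0 255.255.255.0
object network SITE_B_LAN
 subnet 198.51.100.0 255.255.255.0
object network DNS_SERVER
 host 203.0.113.53

! The ASA must be able to resolve FQDN objects itself
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 203.0.113.53
object network OBJ_YAHOO
 fqdn yahoo.com

! 1. NAT exemption for the tunnel (manual/twice NAT, evaluated before auto NAT),
!    so site A to site B traffic keeps its real addresses and matches the crypto ACL
nat (inside,outside) source static SITE_A_LAN SITE_A_LAN destination static SITE_B_LAN SITE_B_LAN no-proxy-arp route-lookup

! 2. Everything else from site A is PATed behind the outside interface address
object network SITE_A_LAN
 nat (inside,outside) dynamic interface

! 3. Egress ACL on the inside interface: tunnel traffic, DNS, HTTPS to the FQDN, nothing else
access-list INSIDE_IN extended permit ip object SITE_A_LAN object SITE_B_LAN
access-list INSIDE_IN extended permit udp object SITE_A_LAN object DNS_SERVER eq domain
access-list INSIDE_IN extended permit tcp object SITE_A_LAN object OBJ_YAHOO eq 443
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
```

An FQDN object only matches the addresses the ASA itself resolved (see `show dns`), so if the clients use a different resolver and get a different CDN address for yahoo.com, their traffic hits the final deny; pointing the clients at the same DNS server the ASA uses avoids that.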