03-29-2007 12:30 PM - edited 03-09-2019 05:42 PM
Hi All,
I have set up an L2L VPN between my host site and a small two-person office using my ASA 5510 and a little Netgear VPN router. I wish for the users to have to come to the head office for internet. I can access all the resources and such but the internet is not working from the site. I have made sure I have the same-security-traffic permit intra-interface command on my ASA. Maybe I am missing a route? Can someone point me in the right direction?
TIA,
R
03-29-2007 12:38 PM
Here ya go...this document is for vpn client but is same for l2l. It is called public internet on a stick.
03-29-2007 12:41 PM
Thank you for your response. I think I may have an issue with this.
If I apply the command:
split-tunnel-policy tunnelall
How will this affect my normal VPN clients who do in fact use split tunneling to access the internet via their local gateway? I already have the following in my config:
split-tunnel-policy tunnelspecified
Will this negatively affect my current setup?
thanks
03-29-2007 12:44 PM
You should be able to create a separate group policy, apply that group policy to the l2l tunnel group and configure tunnelall in that group policy only. Make sense? Most likely your remote access vpn clients are on a different policy than your l2l tunnel anyway.
03-29-2007 12:55 PM
Actually, my mistake, since the document is for remote access vpn, it uses split tunnel policy. But since you have a l2l tunnel, you will not have to worry about split tunnel policy, you will just have to make sure that all the traffic from the remote end goes over the tunnel :-)
Here are the important parts of the config...
same-security-traffic permit intra-interface
global (outside) 1 172.18.124.166
nat (outside) 1 192.168.10.0 255.255.255.0
03-29-2007 12:58 PM
Ah! I see now. Back to PIX basics... are you allowed to have more than one global statement?
03-29-2007 01:00 PM
Yes...
global (outside) 1 x.x.x.1
global (outside) 10 x.x.x.2
global (outside) 20 x.x.x.3
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 10 192.168.10.0 255.255.255.0
nat (outside) 20 192.168.20.0 255.255.255.0
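The NAT ID pairing shown in the reply above can be checked mechanically before pushing a config. The following is an added example, not part of any post in this thread: a small Python check (the name `check_hairpin` is hypothetical) that parses the pre-8.3 `global`/`nat` statements quoted here and reports what would stop the remote office's traffic from hairpinning out the outside interface. It assumes the statement forms shown in the thread, and the sample uses constructed documentation addresses in place of the x.x.x.N placeholders.

```python
import re

# Constructed sample built from the statements quoted in the thread;
# 203.0.113.x stands in for the x.x.x.N placeholders.
SAMPLE = """\
same-security-traffic permit intra-interface
global (outside) 1 203.0.113.1
global (outside) 10 203.0.113.2
global (outside) 20 203.0.113.3
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 10 192.168.10.0 255.255.255.0
nat (outside) 20 192.168.20.0 255.255.255.0
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")

def check_hairpin(config, egress="outside"):
    """Return problems that would stop VPN traffic hairpinning out `egress`."""
    pools, nats, intra = set(), [], False
    for line in config.splitlines():
        line = line.strip()
        if line == "same-security-traffic permit intra-interface":
            intra = True
        elif m := GLOBAL_RE.match(line):
            pools.add((m.group(1), m.group(2)))   # (interface, NAT ID)
        elif m := NAT_RE.match(line):
            nats.append(m.groups())               # (interface, NAT ID, net, mask)
    problems = []
    hairpin = [n for n in nats if n[0] == egress]
    if not hairpin:
        problems.append(f"no nat ({egress}) rule for the remote subnet")
    elif not intra:
        problems.append("same-security-traffic permit intra-interface is missing")
    for iface, nat_id, net, mask in nats:
        # NAT ID 0 is NAT exemption and needs no matching global pool.
        if nat_id != "0" and (egress, nat_id) not in pools:
            problems.append(
                f"nat ({iface}) {nat_id} {net} {mask} has no global ({egress}) {nat_id}")
    return problems

if __name__ == "__main__":
    for issue in check_hairpin(SAMPLE) or ["ok"]:
        print(issue)
```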
03-29-2007 01:09 PM
Thank you very much for your help!