03-15-2022 12:43 PM
I have configured my remote Cisco ASA to reach a specific host on HQ. Two hosts on each site are reachable via the IPsec tunnel. My internet access, however, is via my default route to my ISP on my remote Cisco ASA.
I'm trying to access the internet via the IPsec tunnel from my HQ (FortiGate IPsec tunnel configured as share local) and not my default route.
I have tried adjusting my ACL on the ASA from permit 10.0.0.0/24 11.0.0.0/24 to permit 10.0.0.0/24 any, and removing the default route and replacing it with only the HQ's public IP address with my ISP as my next hop.
How can I achieve this?
03-15-2022 02:07 PM
Hello,
--> I'm trying to access internet via IPSEC Tunnel from my HQ (Fortigate IPSec tunnel configured as share local) and not my default route.
I am not sure I understand what you are trying to accomplish...
Post a topology diagram and indicate which host on which device (Fortigate or ASA) wants to access the Internet from where (Fortigate or ASA).
03-15-2022 02:31 PM
03-15-2022 03:37 PM
Hello,
Not sure why adding all IP addresses to the crypto map access list doesn't work. Can you post the running config of your ASA?
Make sure you have the below in your config:
object network ASA_SUBNET
subnet 10.0.0.0 255.255.255.0
!
object network FORTIGATE_SUBNET
subnet 11.0.0.0 255.255.255.0
!
access-list ASA_TO_FORTINET permit ip object ASA_SUBNET object FORTIGATE_SUBNET
!
nat (inside,outside) source static ASA_SUBNET ASA_SUBNET destination static FORTIGATE_SUBNET FORTIGATE_SUBNET
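The config above only carries 10.0.0.0/24 to 11.0.0.0/24 through the tunnel. The original question asks for all internet-bound traffic from the remote site to go through the tunnel and be NATed at HQ, which needs the crypto ACL, the NAT exemption and the routing to line up. The following ASA configuration is an added example, not from this thread or from Cisco; interface names (inside/outside), the crypto map name OUTSIDE_MAP with sequence 10, the proposal name AES256-SHA, and the placeholders FORTIGATE_PEER_IP and ISP_NEXT_HOP are assumptions to be replaced with your own values.

```cisco
! Added example (not part of this thread): remote-site ASA sending ALL inside traffic,
! not only 10.0.0.0/24 <-> 11.0.0.0/24, through the IPsec tunnel to the HQ FortiGate.
! Assumed/placeholder values: inside/outside interface names, OUTSIDE_MAP, AES256-SHA,
! FORTIGATE_PEER_IP and ISP_NEXT_HOP.
!
object network ASA_SUBNET
 subnet 10.0.0.0 255.255.255.0
!
object network ANY_DESTINATION
 subnet 0.0.0.0 0.0.0.0
!
! Crypto ACL with destination "any" so internet-bound traffic is selected for encryption.
! The FortiGate phase 2 selector must mirror this (local 0.0.0.0/0, remote 10.0.0.0/24);
! a mismatch means phase 2 never comes up for internet destinations.
access-list ASA_TO_FORTINET extended permit ip object ASA_SUBNET any
!
! NAT exemption for everything that enters the tunnel: HQ performs the internet NAT, not the ASA.
! Place this twice-NAT rule before any dynamic PAT rule so it is evaluated first.
! route-lookup makes the ASA choose the egress interface from the routing table.
nat (inside,outside) source static ASA_SUBNET ASA_SUBNET destination static ANY_DESTINATION ANY_DESTINATION no-proxy-arp route-lookup
!
! Keep the default route towards the ISP. The crypto map only encrypts traffic that is
! already being routed out of the outside interface; with only a host route to the peer,
! internet-bound packets have no route and are dropped before the crypto map is consulted.
route outside 0.0.0.0 0.0.0.0 ISP_NEXT_HOP 1
!
! Bind the crypto ACL to the existing peer entry (proposal name is assumed).
crypto map OUTSIDE_MAP 10 match address ASA_TO_FORTINET
crypto map OUTSIDE_MAP 10 set peer FORTIGATE_PEER_IP
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA
crypto map OUTSIDE_MAP interface outside
```

To check the result without waiting for a user to complain, run packet-tracer from the ASA for an inside host to a public address, for example `packet-tracer input inside tcp 10.0.0.10 12345 8.8.8.8 443`: the VPN phase should show ALLOW and the NAT phase should hit the identity rule rather than the ISP PAT rule. `show crypto ipsec sa` should then list a child SA whose local identity is 10.0.0.0/255.255.255.0 and whose remote identity is 0.0.0.0/0.0.0.0, and the encap/decap counters should increase as inside hosts browse. On the FortiGate side the firewall policy from the tunnel interface to the WAN interface needs NAT enabled, otherwise return traffic for the 10.0.0.0/24 source addresses will never come back.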