05-02-2010 06:29 PM - edited 03-04-2019 08:20 AM
Dear All,
I have a question to ask you: I have a problem with a site-to-site VPN. Let me explain ...
At HQ I have an ASA 5510 (for the Internet connection) and a Router 2811 linked to the branch by a VPN connection. At the branch we use a Router 1841.
So in the configuration on the Cisco 2811 and 1841, when I permit ip any any, the branch can access the Internet (I mean that HQ shares the Internet with the branch).
But when I permit ip between specific hosts, the branch can access HQ but cannot access the Internet.
Could you let me know how the branch can access the Internet?
Best Regards,
Rechard
Solved!
05-05-2010 11:48 PM
No need for any route.
I am still waiting for your reply on the ACL, and it is an important input to the puzzle. If you can answer that, we may not need to go through all the troubleshooting.
I will be able to give you a response by tomorrow, as in a few hours from now I will be travelling for the whole day.
Regards,
05-02-2010 06:40 PM
Hi,
Do you want the branch office to have Internet through the site-to-site tunnel, or without going through the tunnel?
To allow Internet through the tunnel, the interesting traffic should be from the inside network(s) to any.
To allow Internet without going through the tunnel (in clear text), the interesting traffic has to be just between the inside networks.
What exactly is not working?
Federico.
05-03-2010 12:12 AM
Dear Federico,
Thank you for your question!!!
For the Internet connection we don't care whether it goes through the site-to-site tunnel or outside the VPN tunnel ...
I just need the clients at the branch to be able to access the Internet that is shared from HQ.
Could you let me know how I can do that?
Best Regards,
Rechard
05-02-2010 06:42 PM
Can you share a topology diagram of your network? Also, does your ASA firewall include a NAT statement for your branch office subnets for Internet access, and does the ASA know how to route the traffic back towards the LAN-to-LAN tunnel between the two routers?
05-03-2010 12:27 AM
Dear halijenn,
OK, let me show you my diagram and some of the configuration below:
On ASA
access-list inside_access_in extended permit ip any any
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 203.289.12.1
route inside 192.168.0.0 255.255.0.0 192.168.11.2
On Core-Switch
ip route 0.0.0.0 0.0.0.0 192.168.11.1
ip route 192.168.10.0 255.255.255.0 192.168.12.1
On Router 2811 (HQ)
ip route 0.0.0.0 0.0.0.0 192.168.12.2
ip route 192.168.10.0 255.255.255.0 192.168.15.2
ip access-list extended ACL_VPN
permit ip any any
On Branch Router(1841)
ip route 0.0.0.0 0.0.0.0 192.168.15.1
ip access-list extended ACL_VPN
permit ip any any
The configuration above works for sharing the Internet from HQ to the branch. But when I change the VPN access list on the routers 2811 and 1841 as below, the Internet doesn't work, although clients at the branch can access HQ.
On Router 2811 (HQ)
ip route 0.0.0.0 0.0.0.0 192.168.12.2
ip route 192.168.10.0 255.255.255.0 192.168.15.2
ip access-list extended ACL_VPN
permit ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
On Branch Router(1841)
ip route 0.0.0.0 0.0.0.0 192.168.15.1
ip access-list extended ACL_VPN
permit ip 192.168.10.0 0.0.0.255 192.168.112.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
I don't know why it doesn't work for the Internet connection only.
05-03-2010 03:20 AM
The drawing didn't come out well, kindly upload it again.
And I think the config in red is a typo; as per the details provided by you, it should be 12.0. Otherwise the VPN won't come up, as the ACLs need to be mirror images of each other.
Are you using any proxy, or is every IP getting NATed at the ASA to access the Internet?
On Branch Router(1841)
ip route 0.0.0.0 0.0.0.0 192.168.15.1
ip access-list extended ACL_VPN
permit ip 192.168.10.0 0.0.0.255 192.168.112.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
rgds
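Federico's point (Internet through the tunnel needs interesting traffic from the inside network to any) and rajatsetia's point (the two crypto ACLs must be mirror images of each other) can both be checked offline. The following is an added example, not code from the thread or from Cisco: a small Python model of IOS extended ACL matching that parses the ACLs posted above (with the 192.168.112.0 typo corrected to 192.168.12.0 as Rechard confirmed), classifies a branch-to-HQ flow and a branch-to-Internet flow against each variant, and reports any entry whose mirror image is missing on the other router. The branch client, HQ server and Internet addresses are constructed, and the "inside to any" ACL pair is my rendering of Federico's suggestion, not a configuration from the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse one IOS address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Returns (network, index of the next unread token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks. Convert explicitly: ipaddress would
    # read a bare 0.0.0.0 as a /0 netmask, whereas as a wildcard it means /32.
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), i + 2


def parse_acl(text):
    """Parse the 'permit|deny ip SRC DST' lines of an IOS extended ACL; other lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                      # e.g. the 'ip access-list extended ...' header
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' entries are modelled here: {line!r}")
        src, nxt = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, nxt)
        entries.append(AclEntry(tokens[0], src, dst))
    return entries


def is_interesting(acl, src_ip, dst_ip):
    """First-match semantics with the implicit deny at the end: True means the
    router would treat this flow as interesting and encrypt it into the tunnel."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in acl:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


def mirror_violations(local_acl, remote_acl):
    """Return the permitted src -> dst pairs of either side whose mirror image is
    missing on the other side; an empty list means the crypto ACLs mirror exactly."""
    local = {(e.src, e.dst) for e in local_acl if e.action == "permit"}
    remote_mirrored = {(e.dst, e.src) for e in remote_acl if e.action == "permit"}
    return [f"{s} -> {d}" for s, d in sorted(local ^ remote_mirrored)]


# Crypto ACLs as posted in the thread (branch typo 192.168.112.0 corrected to 192.168.12.0).
HQ_SPECIFIC = """
ip access-list extended ACL_VPN
 permit ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
"""
BRANCH_SPECIFIC = """
ip access-list extended ACL_VPN
 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
"""
BRANCH_AS_POSTED = """
ip access-list extended ACL_VPN
 permit ip 192.168.10.0 0.0.0.255 192.168.112.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
"""
# My rendering of Federico's suggestion: branch inside network to any, mirrored at HQ.
HQ_INSIDE_TO_ANY = "permit ip any 192.168.10.0 0.0.0.255"
BRANCH_INSIDE_TO_ANY = "permit ip 192.168.10.0 0.0.0.255 any"

BRANCH_HOST = "192.168.10.5"      # constructed branch client
HQ_SERVER = "192.168.11.10"       # constructed HQ host
INTERNET_HOST = "198.51.100.7"    # constructed public address (TEST-NET-2)


def report():
    """Summarise what each ACL variant does with an HQ-bound and an Internet-bound flow."""
    out = {}
    for name, branch, hq in [("specific", BRANCH_SPECIFIC, HQ_SPECIFIC),
                             ("inside_to_any", BRANCH_INSIDE_TO_ANY, HQ_INSIDE_TO_ANY)]:
        b, h = parse_acl(branch), parse_acl(hq)
        out[name] = {
            "to_hq_in_tunnel": is_interesting(b, BRANCH_HOST, HQ_SERVER),
            "to_internet_in_tunnel": is_interesting(b, BRANCH_HOST, INTERNET_HOST),
            "mirror_violations": mirror_violations(h, b),
        }
    out["typo_as_posted"] = mirror_violations(parse_acl(HQ_SPECIFIC), parse_acl(BRANCH_AS_POSTED))
    return out


if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

Run stand-alone, the report shows the three facts the thread is circling around: with the host-to-host ACLs, a branch client reaching an HQ server is interesting traffic but a branch client reaching a public address is not, so the Internet-bound flow is never encrypted towards HQ; with the inside-to-any pair both flows are interesting and the two ACLs are still exact mirrors; and the 192.168.112.0 typo shows up as two unmatched entries, which is why rajatsetia expected the tunnel not to come up.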
05-03-2010 06:49 PM
Dear rajatsetia,
Thank you for your answer!!!
Yes, I made a mistake: 192.168.112.0 should be 192.168.12.0.
I don't have a proxy; every IP is getting NATed at the ASA to access the Internet.
But it doesn't work when I permit specific IP addresses.
Best Regards,
Rechard
05-04-2010 04:34 AM
Dear Rechard,
A couple of things:
- Confirm that ACL_VPN is only used for VPN purposes and is not applied on any interface.
- To troubleshoot this problem, you can do the following:
- Create a loopback interface with an IP address outside the IP range of the VPN interesting traffic.
- Troubleshoot hop by hop: first create the loopback on the HQ router and try to ping the loopback from the branch, then on the HQ switch. This way you can pinpoint where the problem is.
I am not able to really think of the exact issue, so I am relying on some basic troubleshooting.
Regards
Rajat
05-04-2010 07:02 PM
Dear rajatsetia,
Thank you for your advice.
At the HQ router, for the WAN interface I use 192.168.15.1.
Should I assign the loopback IP 192.168.15.200, right?
At the branch router, for the WAN interface I use 192.168.15.2.
Should I assign the loopback IP 192.168.15.201, right?
How about the ASA, do we need to add something on the ASA?
Best Regards,
Rechard
05-05-2010 03:19 AM
Hi,
I hope the subnet of the point-to-point link (192.168.15.1/.2) is a /30. In that case you can use 192.168.15.200 as the loopback on the HQ router, as the 15.0 range is not part of the VPN traffic.
Also please confirm you have not applied any ACL on any of the interfaces (branch, HQ router, switch, ASA). I hope ACL_VPN is only used for VPN purposes.
Regards.
05-05-2010 03:39 AM
Dear rajatsetia,
It is OK for the subnet to be /30; I can change it to /24.
Could you tell me more about the loopback interface? I am really not clear on the loopback: when I create the loopback interface, how does it work (I mean, how does the branch access the Internet via HQ)?
Best Regards,
Rechard
05-05-2010 03:56 AM
Don't change it to /24; /30 is perfect.
Make an interface on the HQ router:
interface loopback 0
ip address 192.168.15.200 255.255.255.255
exit
Then on the HQ router, kindly check whether you are getting a route for this IP:
show ip route 192.168.15.200
Then try to ping this loopback IP address from the branch router.
** Kindly confirm about the ACL which I asked about in my last two posts.
regards,
05-05-2010 07:43 PM
Dear rajatsetia,
Thank you for your time and support!!!!
I will follow your instructions to configure the loopback interface
and will let you know the result.
Do I need to add a route or not?
Best Regards,
rechard