06-06-2020 01:50 PM
I'm pulling my hair out here. I have an HQ site and a branch site, each with an ASA. Site-to-site works fine. I had local NATing on each, and clients could access the internet using their local internet connection.
I want to now FULLY tunnel the branch so all internet goes out via HQ's connection. It seems there are tons of examples here and other places, but none seem to show a topology that makes sense to me on how to implement this.
I turned off NAT at the branch, and opened the VPN connection profile to have remote network ANY. I assume that makes all traffic hit the tunnel.
On the HQ site, I enabled "traffic between two or more hosts on the same interface" -- then set up a NAT rule outside, outside, source BR-LAN1, BR-LAN2, destination any.
Not sure what simple piece I'm missing here!
06-06-2020 09:25 PM
The crypto ACL on the HQ side must be an exact replica of the branch side. For example:
If the crypto ACL on the branch is: permit ip 10.20.1.0/24 to any
Then on the HQ side it must be: permit ip any 10.20.1.0/24
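The mirrored crypto ACLs from the answer above, together with the hairpin pieces the original poster described, written out as ASA CLI. This is an added illustration, not configuration from anyone in the thread; the ACL, object, crypto-map and proposal names, the HQ LAN 10.10.1.0/24 and the peer address 203.0.113.1 are placeholders, and the IKE policy and tunnel-group are assumed to already exist since the tunnel is up.

```text
! --- Branch ASA (branch LAN 10.20.1.0/24 as in the thread) ---
! Interesting traffic is the whole branch LAN to ANY, so Internet-bound
! traffic is encrypted toward HQ. No NAT rules on the branch, so traffic
! leaves the tunnel un-NATed.
access-list L2L-TO-HQ extended permit ip 10.20.1.0 255.255.255.0 any
crypto map OUTSIDE_MAP 10 match address L2L-TO-HQ
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA
crypto map OUTSIDE_MAP interface outside

! --- HQ ASA ---
! 1. Exact mirror of the branch crypto ACL: source and destination swapped.
!    If this is narrower (e.g. only the HQ LAN), phase 2 never matches
!    for branch -> Internet flows and the packets are silently dropped.
access-list L2L-TO-BRANCH extended permit ip any 10.20.1.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L-TO-BRANCH
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA
crypto map OUTSIDE_MAP interface outside

! 2. Let decrypted traffic leave the same interface it arrived on
!    (the ASDM checkbox "traffic between two or more hosts on the same interface").
same-security-traffic permit intra-interface

! 3. Keep HQ LAN <-> branch LAN traffic un-NATed (identity twice-NAT, listed
!    before the dynamic rule so it is matched first).
object network HQ-LAN
 subnet 10.10.1.0 255.255.255.0
object network BRANCH-LAN
 subnet 10.20.1.0 255.255.255.0
nat (inside,outside) source static HQ-LAN HQ-LAN destination static BRANCH-LAN BRANCH-LAN no-proxy-arp route-lookup

! 4. PAT branch Internet-bound traffic to the HQ outside address. The
!    (outside,outside) pair only matches flows that enter and leave on
!    outside, so branch -> HQ LAN traffic is not affected.
nat (outside,outside) source dynamic BRANCH-LAN interface
```

After applying, `show crypto ipsec sa peer 198.51.100.1` on HQ should show a security association whose local/remote identities are 0.0.0.0/0 and 10.20.1.0/24 respectively; a mismatch there is the usual sign the ACLs are not mirrored.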