ASA - Site to Site - Internet Access

I'm pulling my hair out here. I have an HQ site and a branch site, each with an ASA. Site to site works fine. I had local NATting on each, and clients could access the internet using their local internet connection.

I want to now FULLY tunnel the branch so all internet goes out via HQ's connection. It seems there are tons of examples here and other places, but none seem to show a topology that makes sense to me on how to implement this.

I turned off NAT at the branch, and opened the VPN connection profile to have remote network ANY. I assume that makes all traffic hit the tunnel.

On the HQ site, I enabled "traffic between two or more hosts on the same interface" -- then set up a NAT rule outside, outside, source BR-LAN1, BR-LAN2, destination any.

Not sure what simple piece I'm missing here!

3 Replies

Hi,
Does the VPN tunnel even establish between the HQ and Branch after you've amended the crypto map configuration? Provide the output of "show crypto ipsec sa" from both HQ and Branch ASA.
Do you have the command "same-security-traffic permit intra-interface" configured on the HQ site?

Yes, I can still ping internal servers and workstations from either side after making the change. Yes, for same security.

Files attached.

Been playing with packet tracer and it seems that it's showing Drop-reason: (acl-drop) Flow is denied by configured rule.

The crypto ACL on the HQ SITE must be an exact replica of the branch site. For example:

If the crypto ACL on the branch is: permit ip 10.20.1.0/24 to any

Then on the HQ SIDE it must be: permit ip any 10.20.1.0/24
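Putting the original question and the last reply together, here is a worked configuration for a full-tunnel branch with hairpin PAT at HQ. This is an added example, not config posted by anyone in the thread: the branch LAN 10.20.1.0/24 comes from the thread, while the HQ LAN 10.10.1.0/24, the peer addresses, and the object/ACL/crypto-map names are assumed placeholders. It uses ASA 8.3+ NAT syntax, and the IKE policy and transform-set lines are left out because the tunnel already establishes.

```cisco
!=== Branch ASA (remote site, ASA 8.3+ syntax) ===
! Branch LAN is from the thread; every other address and name is an assumed placeholder.
object network BR-LAN1
 subnet 10.20.1.0 255.255.255.0
!
! Crypto ACL: all traffic from the branch LAN to anywhere is interesting traffic,
! so Internet-bound flows are encrypted toward HQ instead of leaving locally.
access-list VPN-TO-HQ extended permit ip 10.20.1.0 255.255.255.0 any
!
! No local PAT any more. Identity NAT keeps the real branch source address
! when the traffic enters the tunnel.
nat (inside,outside) source static BR-LAN1 BR-LAN1 no-proxy-arp route-lookup
!
crypto map OUTSIDE_MAP 10 match address VPN-TO-HQ
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP interface outside

!=== HQ ASA (hub, ASA 8.3+ syntax) ===
! Required for traffic that enters and leaves the same interface (outside -> outside).
same-security-traffic permit intra-interface
!
object network BR-LAN1
 subnet 10.20.1.0 255.255.255.0
object network HQ-LAN
 subnet 10.10.1.0 255.255.255.0
!
! Crypto ACL: exact mirror of the branch ACL (source and destination swapped).
! Writing "permit ip 10.20.1.0/24 any" here instead leaves the return traffic
! toward the branch unmatched, which is what packet-tracer reports as acl-drop.
access-list VPN-TO-BR extended permit ip any 10.20.1.0 255.255.255.0
!
! Twice-NAT rules are evaluated top-down; keep the exemption above broader rules.
! HQ LAN <-> branch LAN stays untranslated inside the tunnel.
nat (inside,outside) source static HQ-LAN HQ-LAN destination static BR-LAN1 BR-LAN1 no-proxy-arp route-lookup
! Hairpin PAT: decrypted branch traffic arriving on outside is translated to the
! HQ public address and sent back out the same interface to the Internet.
nat (outside,outside) source dynamic BR-LAN1 interface
!
crypto map OUTSIDE_MAP 10 match address VPN-TO-BR
crypto map OUTSIDE_MAP 10 set peer 198.51.100.2
crypto map OUTSIDE_MAP interface outside
```

To check it, run `packet-tracer input inside tcp 10.20.1.10 1025 198.51.100.50 80` on the branch ASA and confirm the VPN encrypt phase is reached, then compare the encaps/decaps counters in `show crypto ipsec sa` on both ends: decaps rising at HQ but no matching encaps back means the HQ crypto ACL is not the mirror image of the branch one. Note that the branch's `any` destination also pulls branch-to-HQ-LAN traffic into the same SA, so no separate ACE for 10.10.1.0/24 is needed on either side.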