Branch A and Branch B want to communicate

jeffkim.cisco
Level 1

I have 3 locations.
HQ, Branch A and B.
It is a hub and spoke design where HQ being the hub.
Branch A/B is connected to HQ via IPSec VPN.

If Branch A and B want to communicate by going through HQ, do I need to configure a No NAT statement at each branch?

Thank you,

4 Replies

Philip D'Ath
VIP Alumni

Can you give us a hint as to what kind of Cisco devices you are using?

Philip,

It is a Cisco ASA 5505 at each branch and an ASA 5520 at HQ.

Yes, you need "no-nats". Each branch has to also include the other branch in the encryption domain. And the head office needs a "same-security-traffic permit intra-interface".

Philip,

Branch A - local subnet - 10.0.0.0/24, WAN IP - 9.9.9.2 / ISP IP - 9.9.9.1

Branch B - local subnet - 192.168.0.0/24, WAN IP - 99.99.99.2 / ISP IP - 99.99.99.1

HQ - WAN IP - 100.0.0.2 / ISP IP 100.0.0.1

Then on Branch A,

! NAT exemption / encryption domain: Branch A inside to Branch B inside
access-list no_nat extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0

! Default route to the ISP
route outside 0.0.0.0 0.0.0.0 9.9.9.1 1

! Branch B subnet reached through the tunnel (ASA takes a netmask, not a wildcard)
route outside 192.168.0.0 255.255.255.0 100.0.0.2

same-security-traffic permit intra-interface

! Exempt the tunnel traffic from NAT, PAT everything else to the outside interface
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0

crypto map VPNmap 10 match address no_nat

and mirror this config at Branch B.

Assuming that the site-to-site VPN tunnels between the branches and HQ are working well.

Thank you so much.

Would this be correct if this is ASA 8.2?
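As an added illustration (not from the thread or from Cisco) of why the reply above calls for the no-NAT entries: a small Python model of the ASA 8.2 order of operations on Branch A, where the `nat (inside) 0 access-list` exemption is checked before the `nat (inside) 1` dynamic PAT and the crypto map ACL then sees the post-NAT packet. It uses the subnets and WAN address quoted above; the host addresses, the Internet destination and the helper names are constructed.

```python
from ipaddress import ip_address, ip_network

# Branch A, as quoted in the thread: inside 10.0.0.0/24, outside 9.9.9.2.
OUTSIDE_IP = ip_address("9.9.9.2")
LOCAL_NET = "10.0.0.0/24"
BRANCH_B_NET = "192.168.0.0/24"


def acl(*pairs):
    """Build an extended ACL from (source, destination) network strings."""
    return [(ip_network(src), ip_network(dst)) for src, dst in pairs]


def acl_permits(entries, src, dst):
    """True when some ACE covers both the source and the destination."""
    return any(src in s and dst in d for s, d in entries)


def egress_source(src, dst, no_nat_acl):
    """Source address after NAT. In 8.2 a 'nat (inside) 0 access-list'
    exemption wins over 'nat (inside) 1 0.0.0.0 0.0.0.0', so a matching
    exemption keeps the real address; anything else is PATed to the
    outside interface by 'global (outside) 1 interface'."""
    return src if acl_permits(no_nat_acl, src, dst) else OUTSIDE_IP


def will_encrypt(src, dst, no_nat_acl, crypto_acl):
    """The crypto map 'match address' ACL is evaluated on the post-NAT packet."""
    return acl_permits(crypto_acl, egress_source(src, dst, no_nat_acl), dst)


# Constructed sample flows: a Branch A host to a Branch B host, and to the Internet.
SRC = ip_address("10.0.0.25")
DST = ip_address("192.168.0.40")
INTERNET_DST = ip_address("203.0.113.10")        # constructed (TEST-NET-3)
NO_NAT_ACL = acl((LOCAL_NET, BRANCH_B_NET))       # the thread's no_nat ACL
CRYPTO_ACL = acl((LOCAL_NET, BRANCH_B_NET))       # encryption domain


def with_exemption():
    return will_encrypt(SRC, DST, NO_NAT_ACL, CRYPTO_ACL)


def without_exemption():
    # No 'nat 0' entry: source becomes 9.9.9.2 and misses the crypto ACL.
    return will_encrypt(SRC, DST, acl(), CRYPTO_ACL)


def internet_source():
    """Ordinary Internet traffic is not exempted and is still PATed."""
    return egress_source(SRC, INTERNET_DST, NO_NAT_ACL)


if __name__ == "__main__":
    print("exemption present, encrypted:", with_exemption())     # True
    print("exemption missing, encrypted:", without_exemption())  # False
    print("Internet-bound source after PAT:", internet_source())  # 9.9.9.2
```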