11-05-2009 10:26 AM
Hi All,
I have 2 sites configured as L2L VPNs back to my ASA5520. One site is using a PIX525 and the other an ASA5505. I can access all resources on my private network without issue and all traffic from the remote sites is "protected". The issue I'm having is that I cannot ping any external hosts. For example, if I attempt to ping 4.2.2.1 from a host at a remote site it times out. I can ping any resource on my "private" networks at any site without issue. Any suggestions? Thanks.
11-05-2009 10:36 AM
If you're relying on Internet access through the L2L tunnel (because you are tunneling everything), then you need to:
1) Either set up U-turn and outside NAT for the remote network on the headend ASA so the traffic can leave the same interface it came in on with a public IP address for the Internet:
nat (outside) 99 172.24.0.0 255.255.0.0
global (outside) 99 interface
same-security-traffic permit intra-interface
Or
2) Set up a default tunnel gateway that points to an internal router that has access to the Internet:
route inside 0.0.0.0 0.0.0.0 <internal-router-ip> tunneled
-heather
11-05-2009 11:44 AM
Thanks heather. A couple of items:
Should the command on the core ASA be
nat (outside) 99 172.24.0.0 255.255.0.0 outside?
I receive these warnings on the ASA:
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
I already have a global (outside) 1 interface statement and I can't add another. (global for this range already exists)
Thanks.
11-05-2009 12:15 PM
No, you don't need the "outside" keyword at the end of the statement; disregard the warning.
If you already have
global (outside) 1 interface
then just add:
nat (outside) 1 172.24.0.0 255.255.0.0
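Putting heather's two replies together, here is the complete headend-side picture as an added example (not heather's own config or the thread author's). It uses the remote VPN network 172.24.0.0/16 from the thread, pre-8.3 nat/global syntax as used above, and placeholders for the no-NAT ACL name and the internal router address, which are not on the page.

```cisco
! Option 1: hairpin ("U-turn") Internet-bound traffic from the remote VPN
! network 172.24.0.0/16 back out the headend ASA's outside interface.
!
! Allow a packet to enter and leave the same interface (outside -> outside).
same-security-traffic permit intra-interface
!
! PAT the remote VPN network behind the outside interface address. NAT id 1
! is reused because only one "global (outside) 1 interface" may exist; a
! second global for the same interface/range is rejected, as seen above.
nat (outside) 1 172.24.0.0 255.255.0.0
global (outside) 1 interface
!
! Keep headend-LAN <-> VPN traffic untranslated so site-to-site traffic is
! unaffected ("nonat" is a placeholder ACL name matching those networks).
! nat (inside) 0 access-list nonat
!
! Option 2 (instead of option 1): decrypted tunnel traffic with no more
! specific route is handed to an internal router that reaches the Internet.
! 10.0.0.1 is a placeholder for that router's address on the inside segment.
! route inside 0.0.0.0 0.0.0.0 10.0.0.1 tunneled
!
! Verification on the headend while a remote host pings 4.2.2.1:
! show xlate | include 172.24      -> a PAT entry to the outside address (opt 1)
! show conn address 4.2.2.1        -> the ICMP conn with both legs on "outside"
! show crypto ipsec sa             -> decaps counter for the remote peer rises
```

With option 1 every remote site shares the headend's public address for Internet access, so the headend's outside interface logs and connection table are where that traffic should be monitored.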
11-05-2009 12:34 PM
5 points for the first answer too.