
Cisco ASA 5505 site to site vpn with internet

kiro_gar8000
Level 1

Hello guys,

I have a Cisco ASA 5505 firewall (CLI: ASA Version 8.2(2); ASDM version: 6.2(5)).

We have configured a site-to-site VPN toward the customs agency. They sent me their private LAN and the settings we are to configure in our firewall. The problem is: when we set up a computer from our inside network with their settings, the VPN (L2L) works fine, but the computer has no internet access. When I configure NAT (dynamic, static and so on), the computers have internet access, but the VPN (L2L) does not work.

I have read a lot on the topic, but I can't cope with the problem.

Could you please help me!

I can send the ASA configuration file if it is needed.

Thanks in advance.

5 Replies

Rich Uline
Level 1

Kiro,

Is your device configured for Split Tunneling?

Hi @kiro_gar8000

Basically you should have an ACL allowing the traffic that needs to be encrypted (origin: your network, destination: the other VPN side's network); everything else should go to the internet.

NAT will be necessary for internet access; what can be done is a NAT exemption for the VPN traffic.

Please share the ASA config.

-If I helped you somehow, please, rate it as useful.-

Hello,

I am sending you my ASA configuration file.

Hello @kiro_gar8000

Based on your configuration, you want to reach a host on the other end through the VPN tunnel, but as of now you are not able to. Checking the config, you are missing the NAT exemption for that traffic, so everything is going to the Internet. You need to add the following:

access-list nat0_dmz extended permit ip 192.168.10.0 255.255.255.0 host 10.30.x.x

With this command you will include your internal subnet in the NAT exemption and the ASA should send the traffic through the VPN tunnel. If this doesn't work, please share the outputs of the following commands:

debug crypto isakmp 250

debug crypto ipsec 250

packet-tracer input inside icmp 192.168.10.21 8 0 10.30.x.x detailed

HTH

Gio
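To show how the NAT exemption from the reply above fits next to the dynamic PAT that gives the LAN Internet access, here is a constructed ASA 8.2 (pre-8.3 NAT syntax) fragment; it is an added illustration, not the poster's configuration or a config from this thread. It assumes the interfaces are named inside/outside, the ACL name nat0_dmz and the subnet 192.168.10.0/24 from the reply, and uses 10.30.0.1 as a stand-in for the redacted 10.30.x.x and 203.0.113.1 as a placeholder peer address.

```cisco
! Constructed example (ASA 8.2, pre-8.3 NAT). Placeholders:
!   10.30.0.1   = customs-agency host (page shows 10.30.x.x)
!   203.0.113.1 = remote VPN peer
! ISAKMP policy and tunnel-group (Phase 1) are omitted here.
!
! 1) "Interesting traffic" for the tunnel. The crypto map matches on the
!    UNTRANSLATED source address, so this flow must never be PATed.
access-list l2l_customs extended permit ip 192.168.10.0 255.255.255.0 host 10.30.0.1
!
! 2) NAT exemption (identity NAT) for exactly the same source/destination.
!    nat 0 with an ACL wins over every other NAT rule on the interface.
!    Without this, step 3 rewrites the source to the outside IP, the packet
!    no longer matches l2l_customs, and the tunnel "stops working".
access-list nat0_dmz extended permit ip 192.168.10.0 255.255.255.0 host 10.30.0.1
nat (inside) 0 access-list nat0_dmz
!
! 3) Dynamic PAT for everything else (Internet access). This rule alone,
!    with no nat 0, is the "Internet works but VPN is broken" state.
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
!
! 4) Phase 2: the crypto map references the crypto ACL, not the nat0 ACL.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address l2l_customs
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
!
! Verification: the first trace must show the NAT phase as exempt (no
! translation) and a VPN encrypt phase with result ALLOW; the second
! must show a normal translation and no VPN phase.
! packet-tracer input inside icmp 192.168.10.21 8 0 10.30.0.1 detailed
! packet-tracer input inside tcp 192.168.10.21 1025 198.51.100.1 80
! show crypto ipsec sa peer 203.0.113.1
```

If the exempt trace still shows the source being translated, check that the nat0_dmz entry is more specific than (or listed before) any broader nat 0 line, since the first matching line of the exemption ACL decides.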

I am not sure whether you understand me.

We use two types of VPN tunnels (Remote Access and Site-to-Site).

With Remote Access we have no problems; everything works fine. Remote computers get their configuration and become part of our private network. They have the VPN connection and Internet.

(access-list elkabel_splittunnel standard permit 192.168.10.0 255.255.255.0)

The Site-to-Site VPN tunnel also works fine. Computers from the inside network with the following settings:

IP: 192.168.114.x

Mask: 255.255.255.x

Gateway: 192.168.114.x

(interface Vlan4)

establish the VPN connection, but they have no Internet with these settings. When I NAT interface Vlan4, the computers have Internet, but the VPN connection does not work.

If you understood this right, and your recommendations are the same, I will try this.

I am waiting for your answer.

Thank you for your opinion.