12-08-2017 06:42 AM - edited 03-12-2019 04:48 AM
Hello guys,
I have a Cisco ASA 5505 firewall (CLI: ASA Version 8.2(2); ASDM version: 6.2(5)).
We have configured a site-to-site VPN toward the customs agency. They sent me their private LAN and the settings we have to configure in our firewall. The problem is: when we set up a computer from our inside network with their settings, the VPN (L2L) works fine, but the computer has no internet access. When I configure NAT (dynamic, static and so on), the computers have internet access, but the VPN (L2L) does not work.
I have read a lot on the topic, but I can't solve the problem.
Could you please help me?
I can send the ASA configuration file if needed.
Thanks in advance.
12-08-2017 07:36 AM
Kiro,
Is your device configured for Split Tunneling?
12-08-2017 07:47 AM
Basically you should have an ACL allowing the traffic that needs to be encrypted (source: your network, destination: the other VPN side's network); everything else should go to the internet.
NAT will be necessary for internet access; what can be done is a NAT exemption for the VPN traffic.
Please, share the ASA config.
-If I helped you somehow, please, rate it as useful.-
12-11-2017 01:17 AM
12-11-2017 06:08 AM
Hello @kiro_gar8000,
Based on your configuration, you want to reach a host on the other end through the VPN tunnel, but right now you are not able to do it. Checking the config, you are missing the NAT exemption for that traffic, so everything is going to the Internet. You need to add the following:
access-list nat0_dmz extended permit ip 192.168.10.0 255.255.255.0 host 10.30.x.x
With this command you will include your internal subnet in the NAT exemption and the ASA should send the traffic through the VPN tunnel. If this doesn't work, please share the outputs of the following commands:
debug crypto isakmp 250
debug crypto ipsec 250
packet-tracer input inside icmp 192.168.10.21 8 0 10.30.x.x detailed
HTH
Gio
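To show the NAT exemption idea from the two replies above as a complete pre-8.3 configuration, here is an added example in ASA 8.2 syntax; it is not the thread's own configuration. It assumes the nameif "inside" for Vlan4 (192.168.114.0/24), the ACL names nat0_inside and outside_cryptomap, and the placeholders REMOTE_NET, REMOTE_MASK and REMOTE_HOST for the customs agency's network (the thread only shows "10.30.x.x").

```cisco
! Added example (ASA 8.2 syntax), not the configuration posted in this thread.
! Assumed: nameif "inside" = Vlan4 (192.168.114.0/24); REMOTE_NET/REMOTE_MASK and
! REMOTE_HOST are placeholders for the peer's addresses, which the thread does not give.
!
! --- Before: only dynamic PAT on the inside interface ---
! Every inside flow, including traffic for the remote site, is translated to the
! outside address. The translated packet no longer matches the crypto map ACL,
! so it is sent to the Internet in the clear instead of into the tunnel.
nat (inside) 1 192.168.114.0 255.255.255.0
global (outside) 1 interface
!
! --- After: NAT exemption for VPN traffic, dynamic PAT for everything else ---
! The exemption ACL has the same shape as the crypto map ACL: local subnet -> remote subnet.
access-list nat0_inside extended permit ip 192.168.114.0 255.255.255.0 REMOTE_NET REMOTE_MASK
! nat 0 is evaluated before dynamic NAT in pre-8.3 code, so matching flows keep
! their real source address and still match the crypto map ACL.
nat (inside) 0 access-list nat0_inside
! Flows that did not match nat0_inside are PATed to the outside interface address.
nat (inside) 1 192.168.114.0 255.255.255.0
global (outside) 1 interface
!
! Crypto map ACL for the tunnel (name assumed); it and nat0_inside must cover the same network pair.
access-list outside_cryptomap extended permit ip 192.168.114.0 255.255.255.0 REMOTE_NET REMOTE_MASK
!
! Check: trace a packet from an inside host to the remote host. With the exemption
! in place the NAT phase should reference "nat (inside) 0 access-list nat0_inside",
! a VPN encrypt phase should appear, and the trace should end in "Action: allow".
packet-tracer input inside tcp 192.168.114.10 12345 REMOTE_HOST 80 detailed
```

If the trace instead shows the dynamic "nat (inside) 1" line in its NAT phase, the exemption ACL does not match the traffic and the ACL addresses need to be compared against the crypto map ACL.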
12-12-2017 12:55 AM
I am not sure whether you understood me.
We use two types of VPN tunnels (Remote Access and Site-to-Site).
With Remote Access we have no problems; everything works fine. Remote computers get their configuration and become part of our private network. They have the VPN connection and Internet.
(access-list elkabel_splittunnel standard permit 192.168.10.0 255.255.255.0)
The Site-to-Site VPN tunnel also works fine. Computers from the inside network with the following settings:
IP: 192.168.114.x
Mask: 255.255.255.x
Gateway: 192.168.114.x
(interface Vlan4)
establish the VPN connection, but they have no Internet with these settings. When I NAT interface Vlan4, the computers have Internet, but the VPN connection does not work.
If you understood this correctly and your recommendations are the same, I will try this.
I am waiting for your answer.
Thank you for your opinion.