Hi,

If I understood you correctly then you want to forward ALL the traffic from the Remote Site to the Central Site and handle the Internet traffic there.

I guess you could define the "interesting traffic" in the L2L VPN configuration ACL / access-list in the following fashion

Branch Router

ip access-list extended

permit ip any

Central ASA

access-list permit ip any

The idea behind the above type of ACLs configurations for the L2L VPN is that for example the Branch Router has a rule that defines that connection coming from the local LAN to "any" destination address should be forwarded to the L2L VPN connection. Therefore it would act in a way the all traffic would be forwarded to the Central Site through the L2L VPN.

I have to say though that the Router side VPN configurations arent most familiar to me as I handle mostly with ASA firewalls (and to some degree still PIX and FWSMs)

I guess on the Central ASA you will be doing PAT translation towards "outside" so that the host can access Internet?

You would probably be doing something like this

object-group network REMOTE-SITE-PAT-SOURCE

network-object

nat (outside,outside) after-auto source dynamic REMOTE-SITE-PAT-SOURCE interface

If you dont want to use the "outside" interface IP address then you will have to create an "object network " for the PAT IP address and use it in the above NAT configuration line instead of the "interface"

Alternative configuration could be

object network REMOTE-SITE-PAT

subnet

nat (outside,outside) dynamic interface

You will also have to enable

same-security-traffic permit intra-interface

To allow the traffic to enter and leave the same interface on the ASA

All of the above are naturally suggestion on what you might have to do. I dont know what kind of configurations you have at the moment.

Hope this helps in some way

- Jouni

Message was edited by: Jouni Forss