cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
260
Views
0
Helpful
1
Replies
Highlighted
Beginner

Force all traffic across site-to-site vpn (Cisco ASA to Cisco c1111)

All

 

We have a remote site (c1111) that has a S-2-S vpn to ASA (asa9-12-4-4-smp-k8.bin).

 

topology: Remote site: Cisco 1111 - Internet (vpn) - ASA - Internet

 

The VPN works but access to Internet does not.

 

Remote-Site config

 

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key (pwd) address (ASA peer ip)
!
!
crypto ipsec transform-set me esp-3des esp-sha-hmac
mode tunnel
!
crypto map me_VPN 10 ipsec-isakmp
set peer (ASA peer ip)
set transform-set me
match address ACL_me_VPN

!

ip access-list extended ACL_me_VPN
permit ip 10.1.2.0 0.0.0.255 any
permit ip 10.1.3.0 0.0.0.255 any
permit ip 10.2.250.0 0.0.0.255 any
!

!

!

!

!

interface Loopback0
ip address 10.2.250.1 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface GigabitEthernet0/0/0
ip address 7.1.4.9 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
crypto map me_VPN
!
!
interface Vlan1
no ip address
shutdown
!
interface Vlan5
ip address 10.1.3.1 255.255.255.0
ip helper-address 10.x.x.251
ip helper-address 10.x.x.116
ip helper-address 10.x.x.117
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
ip tcp adjust-mss 1452
!
interface Vlan10
ip address 10.1.2.1 255.255.255.0
ip helper-address 10.x.x.251
ip helper-address 10.x.x.116
ip helper-address 10.x.x.117
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
ip tcp adjust-mss 1452
!

!

!

!

!

!

ASA side vpn config

 

crypto map CRYPTO-PUBLIC_VPN 1 match address Remote-Site-ISR1111
crypto map CRYPTO-PUBLIC_VPN 1 set peer 7.1.4.9
crypto map CRYPTO-PUBLIC_VPN 1 set ikev1 transform-set 3DES_SHA
!
!
access-list Remote-Site-ISR1111 extended permit ip any object-group Remote-Site-subnets
!
!
nat (IN,OUT) source static GRP-PRIVATE-IP-rfc1918_PrivateIP GRP-PRIVATE-IP-rfc1918_PrivateIP destination static Remote-Site-subnets Remote-Site-subnets.

!

!

I belive the isue is some sort of nat or nat exempt on remote side but I am at a loss.

 

 

Please review and advise.

 

 

sMc
1 REPLY 1
Highlighted
Hall of Fame Guru

The ASA end needs a "nat (OUT,OUT)" entry to account for the traffic coming from the remote site that hairpins back out to the Internet. Typically this will be a dynamic NAT to the ASA's outside interface address but your local configuration may vary.

Content for Community-Ad