Force all traffic across site-to-site vpn (Cisco ASA to Cisco c1111)

Steve Coady
Level 1
We have a remote site (c1111) that has a S-2-S vpn to ASA (asa9-12-4-4-smp-k8.bin).

topology: Remote site: Cisco 1111 - Internet (vpn) - ASA - Internet

The VPN works but access to Internet does not.

Remote-Site config

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key (pwd) address (ASA peer ip)
!
!
crypto ipsec transform-set me esp-3des esp-sha-hmac
mode tunnel
!
crypto map me_VPN 10 ipsec-isakmp
set peer (ASA peer ip)
set transform-set me
match address ACL_me_VPN
!
ip access-list extended ACL_me_VPN
permit ip 10.1.2.0 0.0.0.255 any
permit ip 10.1.3.0 0.0.0.255 any
permit ip 10.2.250.0 0.0.0.255 any
!
interface Loopback0
ip address 10.2.250.1 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface GigabitEthernet0/0/0
ip address 7.1.4.9 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
crypto map me_VPN
!
!
interface Vlan1
no ip address
shutdown
!
interface Vlan5
ip address 10.1.3.1 255.255.255.0
ip helper-address 10.x.x.251
ip helper-address 10.x.x.116
ip helper-address 10.x.x.117
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
ip tcp adjust-mss 1452
!
interface Vlan10
ip address 10.1.2.1 255.255.255.0
ip helper-address 10.x.x.251
ip helper-address 10.x.x.116
ip helper-address 10.x.x.117
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
ip tcp adjust-mss 1452
!

ASA side vpn config

crypto map CRYPTO-PUBLIC_VPN 1 match address Remote-Site-ISR1111
crypto map CRYPTO-PUBLIC_VPN 1 set peer 7.1.4.9
crypto map CRYPTO-PUBLIC_VPN 1 set ikev1 transform-set 3DES_SHA
!
!
access-list Remote-Site-ISR1111 extended permit ip any object-group Remote-Site-subnets
!
!
nat (IN,OUT) source static GRP-PRIVATE-IP-rfc1918_PrivateIP GRP-PRIVATE-IP-rfc1918_PrivateIP destination static Remote-Site-subnets Remote-Site-subnets

I believe the issue is some sort of NAT or NAT exemption on the remote side, but I am at a loss.

Please review and advise.

sMc

Marvin Rhoads
Hall of Fame

The ASA end needs a "nat (OUT,OUT)" entry to account for the traffic coming from the remote site that hairpins back out to the Internet. Typically this will be a dynamic NAT to the ASA's outside interface address but your local configuration may vary.
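A concrete form of that suggestion, added here as an example and not taken from the thread: it assumes the ASA interfaces are named IN and OUT as in the poster's existing NAT line, that the object-group Remote-Site-subnets holds the same three networks as the remote router's crypto ACL (reconstructed below, since the post does not show its definition), and that hairpinning Internet traffic out of OUT is acceptable at this site.

```cisco
! Assumed contents of the object-group, mirroring the remote site's ACL_me_VPN
object-group network Remote-Site-subnets
 network-object 10.1.2.0 255.255.255.0
 network-object 10.1.3.0 255.255.255.0
 network-object 10.2.250.0 255.255.255.0
!
! Traffic decrypted on OUT must be allowed to leave through OUT again (hairpin)
same-security-traffic permit intra-interface
!
! PAT the hairpinned remote-site traffic to the OUT interface address.
! "after-auto" puts this rule in NAT section 3, so the existing identity
! exemption toward the RFC1918 group (section 1) is still evaluated first.
nat (OUT,OUT) after-auto source dynamic Remote-Site-subnets interface
!
! Verification: look for hits on the new rule, then simulate a remote host
! reaching the Internet (10.1.2.10 and 8.8.8.8 are constructed sample addresses)
show nat
packet-tracer input OUT icmp 10.1.2.10 8 0 8.8.8.8
```

The packet-tracer output should show the NAT phase matching the (OUT,OUT) rule and end in ALLOW; if it is dropped earlier, compare the rule order in show nat against the identity exemption.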
