11-12-2020 09:05 AM
All
We have a remote site (c1111) that has an S-2-S VPN to an ASA (asa9-12-4-4-smp-k8.bin).
topology: Remote site: Cisco 1111 - Internet (vpn) - ASA - Internet
The VPN works but access to Internet does not.
Remote-Site config
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key (pwd) address (ASA peer ip)
!
!
crypto ipsec transform-set me esp-3des esp-sha-hmac
mode tunnel
!
crypto map me_VPN 10 ipsec-isakmp
set peer (ASA peer ip)
set transform-set me
match address ACL_me_VPN
!
ip access-list extended ACL_me_VPN
permit ip 10.1.2.0 0.0.0.255 any
permit ip 10.1.3.0 0.0.0.255 any
permit ip 10.2.250.0 0.0.0.255 any
!
!
!
!
!
interface Loopback0
ip address 10.2.250.1 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface GigabitEthernet0/0/0
ip address 7.1.4.9 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
crypto map me_VPN
!
!
interface Vlan1
no ip address
shutdown
!
interface Vlan5
ip address 10.1.3.1 255.255.255.0
ip helper-address 10.x.x.251
ip helper-address 10.x.x.116
ip helper-address 10.x.x.117
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
ip tcp adjust-mss 1452
!
interface Vlan10
ip address 10.1.2.1 255.255.255.0
ip helper-address 10.x.x.251
ip helper-address 10.x.x.116
ip helper-address 10.x.x.117
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
ip tcp adjust-mss 1452
!
!
!
!
!
!
ASA side vpn config
crypto map CRYPTO-PUBLIC_VPN 1 match address Remote-Site-ISR1111
crypto map CRYPTO-PUBLIC_VPN 1 set peer 7.1.4.9
crypto map CRYPTO-PUBLIC_VPN 1 set ikev1 transform-set 3DES_SHA
!
!
access-list Remote-Site-ISR1111 extended permit ip any object-group Remote-Site-subnets
!
!
nat (IN,OUT) source static GRP-PRIVATE-IP-rfc1918_PrivateIP GRP-PRIVATE-IP-rfc1918_PrivateIP destination static Remote-Site-subnets Remote-Site-subnets
!
!
I believe the issue is some sort of NAT or NAT exempt on the remote side, but I am at a loss.
Please review and advise.
11-12-2020 09:25 AM
The ASA end needs a "nat (OUT,OUT)" entry to account for the traffic coming from the remote site that hairpins back out to the Internet. Typically this will be a dynamic NAT to the ASA's outside interface address but your local configuration may vary.
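An added example (not configuration from either post) of the hairpin rule the reply above describes, written in ASA 9.12 CLI. It reuses the interface names IN and OUT and the object-group Remote-Site-subnets from the question's ASA configuration; the `after-auto` placement and PAT to the OUT interface address are assumptions about what fits this deployment, not something the thread states:

```cisco
! Added example, not from the original thread.  Assumes the interface
! names IN / OUT and the object-group Remote-Site-subnets shown in the
! question's ASA configuration.

! 1. The ASA drops traffic that enters and leaves the same interface
!    unless this is enabled.  Decrypted tunnel traffic arrives on OUT and
!    has to go back out OUT to reach the Internet.
same-security-traffic permit intra-interface

! 2. The identity rule from the question stays as it is: IN -> remote
!    subnets is exempt from translation so it is encrypted, not NATed.
nat (IN,OUT) source static GRP-PRIVATE-IP-rfc1918_PrivateIP GRP-PRIVATE-IP-rfc1918_PrivateIP destination static Remote-Site-subnets Remote-Site-subnets

! 3. New hairpin rule: remote-site sources that enter on OUT and exit on
!    OUT are PATed to the OUT interface address.  "after-auto" (section 3)
!    keeps it below the identity rules and any auto NAT so it only catches
!    traffic no more specific rule already handled.  That placement is a
!    choice (assumption); a plain "nat (OUT,OUT) source dynamic ..." in
!    section 1 also works if no earlier (OUT,OUT) rule shadows it.
nat (OUT,OUT) after-auto source dynamic Remote-Site-subnets interface
```

To confirm the rule is the one being hit, run `packet-tracer input OUT tcp 10.1.2.10 1025 203.0.113.10 80` (constructed addresses: 10.1.2.10 sits in one of the remote subnets from the question, 203.0.113.10 is a documentation address) and check that the NAT phase names the hairpin rule and the result is ALLOW; `show nat detail` should then show its translate_hits increasing. One caveat worth keeping in mind: because the remote crypto ACL sends every destination through the tunnel, the ASA's outbound policy now decides what the remote site can reach. With `sysopt connection permit-vpn` at its default, decrypted tunnel traffic bypasses the OUT interface ACL, so any filtering intended for the remote site has to be applied with a vpn-filter in the group policy or by turning that sysopt off.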