I have a Site-to-Site VPN established and working between my HQ-office and branch-office.
Now I am trying to forward all internet traffic at the branch office through the site-to-site VPN tunnel to the ASA, and from the ASA out to the internet.
Branch office internal IP address: 172.30.0.1/24
Branch office public IP address: 22.214.171.124
HQ office public IP address: 126.96.36.199
Can somebody help me with the configuration and tell me how I accomplish this?
Yes, this task can be done.
1. Change crypto access-lists on branch and HQ ASAs.
crypto access-list on branch site should be something like this:
access-list acl-crypto-branch permit ip 172.30.0.0 255.255.255.0 any
crypto access-list on HQ site should be something like this:
access-list acl-crypto-HQ permit ip any 172.30.0.0 255.255.255.0
2. Disable NAT rules on branch ASA (if any)
3. Enable the following function on the HQ ASA:
same-security-traffic permit intra-interface
4. Configure a dynamic NAT rule for 172.30.0.0/24 on the HQ ASA. It should be something like this:
object network Branch_net
subnet 172.30.0.0 255.255.255.0
nat (outside_1,outside_1) dynamic interface
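Putting the four steps above together, here is a constructed end-to-end configuration for both ASAs. This is an added example, not the poster's or the answerer's configuration; the branch interface names (inside/outside), the crypto map names, the ISP gateway, the transform set and the access-list "extended" form are assumptions, and the addresses and the HQ interface name outside_1 are taken from the thread.

```cisco
! Constructed example: both ASAs, assumed interface names, placeholder gateway and transform set.
!
! --- Branch ASA ---
! Step 1: crypto ACL matches the branch LAN to ANY destination, so
! internet-bound traffic is sent into the tunnel as well.
access-list acl-crypto-branch extended permit ip 172.30.0.0 255.255.255.0 any
! Step 2: no dynamic NAT on the branch; the HQ ASA translates the branch LAN
! behind its own public address. Any existing
!   nat (inside,outside) dynamic interface
! line for 172.30.0.0/24 is removed.
! A default route toward the ISP is still required so the traffic reaches the crypto map.
route outside 0.0.0.0 0.0.0.0 <BRANCH_ISP_GATEWAY> 1
crypto map CM-BRANCH 10 match address acl-crypto-branch
crypto map CM-BRANCH 10 set peer 126.96.36.199
crypto map CM-BRANCH 10 set ikev1 transform-set <TRANSFORM_SET>
crypto map CM-BRANCH interface outside
!
! --- HQ ASA ---
! Step 1: mirror image of the branch crypto ACL.
access-list acl-crypto-HQ extended permit ip any 172.30.0.0 255.255.255.0
! Step 3: allow traffic that arrives on outside_1 (decrypted from the tunnel)
! to leave again through outside_1 (hairpin).
same-security-traffic permit intra-interface
! Step 4: PAT the branch LAN behind the outside_1 address only when it turns
! around toward the internet; branch-to-HQ-LAN traffic leaves via inside untranslated.
object network Branch_net
 subnet 172.30.0.0 255.255.255.0
 nat (outside_1,outside_1) dynamic interface
crypto map CM-HQ 10 match address acl-crypto-HQ
crypto map CM-HQ 10 set peer 22.214.171.124
crypto map CM-HQ 10 set ikev1 transform-set <TRANSFORM_SET>
crypto map CM-HQ interface outside_1
```

To check the HQ side before cutting over, run packet-tracer on the HQ ASA with a branch source address entering outside_1 toward an internet host (for example `packet-tracer input outside_1 tcp 172.30.0.10 1025 <INTERNET_HOST> 80`); the output should show the VPN decrypt phase, the intra-interface permit and the dynamic NAT to the outside_1 address, and `show crypto ipsec sa` on either side should show encaps/decaps counters increasing for the 172.30.0.0/24 to 0.0.0.0/0 proxy identity.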