cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1409
Views
5
Helpful
3
Replies
Mark Thattazhi
Beginner

Forwarding Internet traffic through IPSec Site-to-Site VPN and route through ASA

Hi Community,

I have a Site-to-Site VPN established and working between my HQ-office and branch-office.

Now, I am trying to forward all internet traffic at the branch-office to be forwarded through site-to-site vpn tunnel to ASA. And, from ASA to internet.

 

Branch-office Firewall<====Site-to-Site====>ASA<========>Internet

Branch office Internal ip-address : 172.30.0.1/24

Branch office public ip-address: 2.2.2.2

HQ office public ip-address: 1.1.1.1

Can somebody help me with the configuration and tell me how do I accomplish this.

Thank you.

3 REPLIES 3
Boris Uskov
Enthusiast

Hello, Mark.

Yes, this task can be done.

You need:

1. Change crypto access-lists on branch and HQ ASAs.
crypto access-list on branch site should be something like this:
access-list acl-crypto-branch permit ip 172.30.0.0 255.255.255.0 any

crypto access-list on HQ site should be something like this:
access-list acl-crypto-HQ permit ip any 172.30.0.0 255.255.255.0

2. Disable NAT rules on branch ASA (if any)

3. Enable following functions on HQ ASA
same-security-traffic permit intra-interface 

4. Configure dynamic NAT rules for 172.30.0.0/24 on HQ ASA. It should be something like this:
object network Branch_net
 subnet 172.30.0.0 255.255.255.0
 nat (outside_1,outside_1) dynamic interface

Hi Boris,

Thank you for your support.

I will try and see if it works.

Hi,

 

Did the suggested solution work?

If it did not, did you manage to get it to work?

 

Regards,

 

Kanes.R

Content for Community-Ad