Forwarding Internet traffic through IPSec Site-to-Site VPN and route through ASA

Mark Thattazhi · ‎09-10-2015

Hi Community,

I have a Site-to-Site VPN established and working between my HQ-office and branch-office.

Now, I am trying to forward all internet traffic at the branch-office to be forwarded through site-to-site vpn tunnel to ASA. And, from ASA to internet.

Branch-office Firewall<====Site-to-Site====>ASA<========>Internet

Branch office Internal ip-address : 172.30.0.1/24

Branch office public ip-address: 2.2.2.2

HQ office public ip-address: 1.1.1.1

Can somebody help me with the configuration and tell me how do I accomplish this.

Thank you.

Boris Uskov · ‎09-10-2015

Hello, Mark.

Yes, this task can be done.

You need:

1. Change crypto access-lists on branch and HQ ASAs.
crypto access-list on branch site should be something like this:
access-list acl-crypto-branch permit ip 172.30.0.0 255.255.255.0 any

crypto access-list on HQ site should be something like this:
access-list acl-crypto-HQ permit ip any 172.30.0.0 255.255.255.0

2. Disable NAT rules on branch ASA (if any)

3. Enable following functions on HQ ASA
same-security-traffic permit intra-interface

4. Configure dynamic NAT rules for 172.30.0.0/24 on HQ ASA. It should be something like this:
object network Branch_net
subnet 172.30.0.0 255.255.255.0
nat (outside_1,outside_1) dynamic interface

Mark Thattazhi · ‎10-04-2015

Hi Boris,

Thank you for your support.

I will try and see if it works.

Kanes Ramasamy · ‎03-26-2018

Hi,

Did the suggested solution work?

If it did not, did you manage to get it to work?

Regards,

Kanes.R