Solved: How to configure VPN local network to access internet from Remote Network

nyein chan tun · ‎05-06-2011

I configure for our office site to site VPN project. Please see in attach.
Now I configured already Site to site vpn between ASA 5510 and 1841 router.

HQ LAN

                                                                                                                                       Branch LAN
                 10.2.1.0/24 >>> ASA 5510>>>>> 1841 >>> INTERNET <<<<<< 1841 <<<<<< 10.30.3.0/24
                          ^
                         ^
                         ^
                         ^
                Call Manager
                     2851

Now can access from Branch LAN to HQ LAN each other.

I face the problems that are
1) In branch LAN , they can access HQ LAN & resource , but cannot access internet. I didn't configure NAT on PH Router
2) Can I access internet from BRANCH LAN through HQ LAN to INTERNET. Or Can I access Internet from Branch LAN from PH Router directly while access to VPN to HQ LAN ?
3) In Branch Site , hard phone cannot work but soft phone on PC can call to HQ. Hard phone IP are same in Remote Network (172.16.1.0/24 ) . Is it problem ? how can I configure separately ?

Please give me advises how should I do.

Mohamed Sobair · ‎05-06-2011

Hi,

1) In branch LAN , they can access HQ LAN & resource , but cannot access internet. I didn't configure NAT on PH Router

Answer:

You need to setup NAT and hairpinning at the HQ ASA, So that the branch VPN router can access the LAN and U-Turn accessing the Internet from the ASA. You need first to seup NAT for the Branch router subnet on the ASA, second you need to type the command:

same-security-traffic permit intra-interface

Below is an excelent example for VPN client hairpining.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml

2) Can I access internet from BRANCH LAN through HQ LAN to INTERNET. Or Can I access Internet from Branch LAN from PH Router directly while access to VPN to HQ LAN ?

Yes , you can

3) In Branch Site , hard phone cannot work but soft phone on PC can call to HQ. Hard phone IP are same in Remote Network (172.16.1.0/24 ) . Is it problem ? how can I configure separately ?

You need to change your Voice VLAN subnet to be different than the HQ IP-Phone VOice VLAn Subnet, it should then be fine.

Regards,

Mohamed

View solution in original post

Mohamed Sobair · ‎05-06-2011

Hi,

1) In branch LAN , they can access HQ LAN & resource , but cannot access internet. I didn't configure NAT on PH Router

Answer:

You need to setup NAT and hairpinning at the HQ ASA, So that the branch VPN router can access the LAN and U-Turn accessing the Internet from the ASA. You need first to seup NAT for the Branch router subnet on the ASA, second you need to type the command:

same-security-traffic permit intra-interface

Below is an excelent example for VPN client hairpining.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml

2) Can I access internet from BRANCH LAN through HQ LAN to INTERNET. Or Can I access Internet from Branch LAN from PH Router directly while access to VPN to HQ LAN ?

Yes , you can

3) In Branch Site , hard phone cannot work but soft phone on PC can call to HQ. Hard phone IP are same in Remote Network (172.16.1.0/24 ) . Is it problem ? how can I configure separately ?

You need to change your Voice VLAN subnet to be different than the HQ IP-Phone VOice VLAn Subnet, it should then be fine.

Regards,

Mohamed

nyein chan tun · ‎06-08-2011

Hi Mohamed,

Please advise me to configure voice vlan on remote site. Currently, we still use only soft phone and it's ok. but for hard phone, it's still not working.

CME in HQ, voice vlan2 is 172.16.1.0/24 and in branch site, should I assign voice vlan2 or other voice vlan ? You suggest me to assign different subnet with HQ vlan , so can i assing 172.16.1.192/29 in branch site, is it overwrite by HQ ? or can i assing other IP 172.16.3.0/24 for branch voice vlan?

How to configure to get dhcp ip for IP phone over VPN ?

Thanks & regard,

Chan