cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1251
Views
0
Helpful
2
Replies
Highlighted
Beginner

How to configure VPN local network to access internet from Remote Network

I configure for our office site to site VPN project. Please see in attach.
              Now I configured already  Site to site vpn between ASA 5510 and 1841 router.

               HQ LAN                              

                                                                                                                                       Branch LAN
                 10.2.1.0/24 >>> ASA 5510>>>>> 1841 >>> INTERNET <<<<<< 1841 <<<<<< 10.30.3.0/24
                          ^
                         ^
                         ^
                         ^
                Call Manager
                     2851


Now can access from Branch LAN to HQ LAN each other.

I face the problems that are 
1) In branch LAN , they can access HQ LAN & resource , but cannot access internet. I didn't configure NAT on PH Router
2)  Can I access internet from BRANCH LAN through HQ LAN to INTERNET. Or  Can I access Internet from Branch LAN from PH Router directly while  access to VPN to HQ LAN ?
  3)  In Branch Site , hard phone cannot work but soft phone on PC can call to HQ. Hard phone IP are same in Remote Network (172.16.1.0/24 ) . Is it problem ? how can I configure separately ?

Please give me advises how should I do.
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Rising star

Hi,

1) In branch LAN , they can access HQ LAN & resource , but cannot access internet. I didn't configure NAT on PH Router

Answer:

You need to setup NAT and hairpinning at the HQ ASA, So that the branch VPN router can access the LAN and U-Turn accessing the Internet from the ASA.  You need first to seup NAT for the Branch router subnet on the ASA, second you need to type the command:

same-security-traffic permit intra-interface

Below is an excelent example for VPN client hairpining.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml


2)  Can I access internet from BRANCH LAN through HQ LAN to INTERNET. Or  Can I access Internet from Branch LAN from PH Router directly while  access to VPN to HQ LAN ?

Yes , you can


  3)  In Branch Site , hard phone cannot work but soft phone on PC can call to HQ. Hard phone IP are same in Remote Network (172.16.1.0/24 ) . Is it problem ? how can I configure separately ?

You need to change your Voice VLAN subnet to be different than the HQ IP-Phone VOice VLAn Subnet, it should then be fine.

Regards,

Mohamed

View solution in original post

2 REPLIES 2
Highlighted
Rising star

Hi,

1) In branch LAN , they can access HQ LAN & resource , but cannot access internet. I didn't configure NAT on PH Router

Answer:

You need to setup NAT and hairpinning at the HQ ASA, So that the branch VPN router can access the LAN and U-Turn accessing the Internet from the ASA.  You need first to seup NAT for the Branch router subnet on the ASA, second you need to type the command:

same-security-traffic permit intra-interface

Below is an excelent example for VPN client hairpining.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml


2)  Can I access internet from BRANCH LAN through HQ LAN to INTERNET. Or  Can I access Internet from Branch LAN from PH Router directly while  access to VPN to HQ LAN ?

Yes , you can


  3)  In Branch Site , hard phone cannot work but soft phone on PC can call to HQ. Hard phone IP are same in Remote Network (172.16.1.0/24 ) . Is it problem ? how can I configure separately ?

You need to change your Voice VLAN subnet to be different than the HQ IP-Phone VOice VLAn Subnet, it should then be fine.

Regards,

Mohamed

View solution in original post

Highlighted

Hi Mohamed,

         Please advise me to configure voice vlan on remote site. Currently, we still use only soft phone and it's ok. but for hard phone, it's still not working.

CME in HQ, voice vlan2 is 172.16.1.0/24 and in branch site, should I assign voice vlan2 or other voice vlan ? You suggest me to assign different subnet with HQ vlan , so can i assing 172.16.1.192/29 in branch site, is it overwrite by HQ ? or can i assing other IP 172.16.3.0/24 for branch voice vlan?

How to configure to get dhcp ip for IP phone over VPN ?

Thanks & regard,

Chan