l2l tunnel not able to access internet

kope
Level 1

I have a LAN-to-LAN tunnel and it works fine, but users are not able to access the internet. The crypto access list on my end (ASA) is as follows:

access-list outside_cryptomap extended permit ip 168.56.0.0 255.254.0.0 10.105.0.0 255.255.224.0

On other end:

access-list outside_cryptomap extended permit ip 10.105.0.0 255.255.224.0 168.56.0.0 255.254.0.0

There is NAT on this as:

global (outside) 1 138.35.119.2

nat (outside) 1 10.105.0.0 255.255.224.0

In order to go to the internet, should the access-list look like this, with the "any" keyword?

On my end:

permit ip any 10.105.0.0 255.255.224.0

On other end:

permit ip 10.105.0.0 255.255.224.0 any

Am I looking at the right thing? I supposed everything has to go through the tunnel (not using split-tunnel), and therefore "any" should be used for users to go to the internet?

1 Reply

RicheeJJJ_2
Level 1

The command:

access-list outside_cryptomap extended permit ip 10.105.0.0 255.255.224.0 168.56.0.0 255.254.0.0

indicates that traffic coming from the 10.105.0.0 network that is going to the 168.56.0.0 network will go over the VPN. If you don't have any other crypto map ACLs, then all other traffic will just go out the outside interface, provided you have a default route to the outside.
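To make the matching rule in the reply concrete, here is an added example (not from the thread or from Cisco) that parses the two ACL variants discussed above and shows which flows each one would send over the tunnel; the host addresses in the sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class CryptoAce:
    """One 'permit ip SRC MASK DST MASK' entry of an ASA crypto map ACL."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_ace(line: str) -> CryptoAce:
    """Parse an ASA extended 'permit ip' ACE. ASA ACLs use subnet masks
    (not wildcard masks) and 'any' stands for 0.0.0.0/0."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:      # strip 'access-list NAME extended'
        tokens = tokens[3:]
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    tokens, nets = tokens[2:], []
    while tokens:
        if tokens[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            tokens = tokens[1:]
        else:                               # 'NET MASK' pair
            nets.append(ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"))
            tokens = tokens[2:]
    if len(nets) != 2:
        raise ValueError(f"expected source and destination in {line!r}")
    return CryptoAce(nets[0], nets[1])


def classify(acl: List[CryptoAce], src_ip: str, dst_ip: str) -> str:
    """Return 'tunnel' if any ACE matches (the flow is 'interesting' and is
    encrypted to the peer), otherwise 'clear' (routed out the outside
    interface through the NAT rule, as the reply above describes)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if any(src in ace.src and dst in ace.dst for ace in acl):
        return "tunnel"
    return "clear"


# The remote-site ACL quoted in the reply, and the 'any' variant from the question.
CURRENT_ACL = [parse_ace("access-list outside_cryptomap extended permit ip "
                         "10.105.0.0 255.255.224.0 168.56.0.0 255.254.0.0")]
PROPOSED_ACL = [parse_ace("permit ip 10.105.0.0 255.255.224.0 any")]

if __name__ == "__main__":
    # Constructed sample flows: one to the far LAN, one to an internet host.
    for dst in ("168.57.1.1", "203.0.113.5"):
        print(f"10.105.3.7 -> {dst}: current={classify(CURRENT_ACL, '10.105.3.7', dst)}, "
              f"proposed={classify(PROPOSED_ACL, '10.105.3.7', dst)}")
```

With the "any" entry every destination matches, so internet-bound flows are encrypted to the peer instead of taking the NAT path; the peer then has to route them out for internet access to work.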