
site to site vpn on asa 5505 access internet

teymur azimov
Level 1

Hi dears,

I configured a site-to-site VPN on a Cisco ASA 5505.

Site A: local IP: 172.30.0.0/16

Site B: local IP: 10.11.12.0/24

The VPN tunnel is working normally. I want the Site B local subnet to access the internet through Site A's internet connection. The 10.11.12.0 subnet should access the internet through the Site A ASA. This internet traffic must pass through the VPN tunnel.

How do I do this configuration? Is this possible?

6 Replies

If it's just about surfing, I would place a proxy at site A and force the users in site B to use that proxy.

If you really want to send all internet traffic through the internet line of the Site A ASA, then you have to extend your ASA configuration in the following way:

- Crypto-ACL on Site B: permit ip 10.10.12.0 255.255.255.0 any

- Crypto-ACL on Site A: permit ip any 10.10.12.0 255.255.255.0

- Configure NAT on the outside interface of ASA-A to NAT/PAT the traffic coming from Site B when traveling to the internet.

The exact configuration depends on your actual config and also on the ASA-Version you are running.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thank you very much.

How do I do the NAT statement?

Must I write the same-security-traffic permit intra-interface command?

Do I need nonat?

Do I need nonat on ASA A?

How do I do the NAT statement?

That depends on your config and version.

Must I write the same-security-traffic permit intra-interface command?

Yes, that's also needed.


Thanks.

I want to do NAT for the remote site local subnet (10.11.12.0).

My ASA version is 8.2.

How do I do that?

ASA A

int fa0/0
 nameif outside
 ip address 94.x.x.87 255.255.255.248

int fa0/1
 nameif inside
 ip address 172.30.40.0 255.255.255.0

Hi,

For ASA 8.2, do the following

==============================

nat (outside) X 10.10.12.0 255.255.255.0   <===========  (Add this line)

global (outside) X interface <--- This line is already present on the ASA A.

=============================

X = the number that you have mentioned in the global (outside) X interface.

Generally it's "1".

You can check the number via

sh run nat | in global

Hope this helps.

Regards,
Abhishek Purohit
CCIE-S- 35269
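
The pieces discussed in this thread, put together as an added example (not posted by any participant), in pre-8.3 ASA syntax and using the 10.11.12.0/24 Site B subnet from the original question. Assumptions: the ACL names, the crypto map name and sequence number, NAT ID 1, and Site B also running pre-8.3 code; substitute the names and IDs already in your running configs.

```cisco
! ===== ASA-B (Site B, inside = 10.11.12.0/24) =====
! Crypto ACL: send ALL traffic from the Site B subnet into the tunnel.
access-list VPN-TO-A extended permit ip 10.11.12.0 255.255.255.0 any
crypto map OUTSIDE_MAP 10 match address VPN-TO-A

! NAT exemption must match the same traffic, otherwise ASA-B will PAT
! internet-bound packets locally and they will no longer match the crypto ACL.
access-list NONAT extended permit ip 10.11.12.0 255.255.255.0 any
nat (inside) 0 access-list NONAT

! ===== ASA-A (Site A, inside = 172.30.0.0/16) =====
! Crypto ACL: mirror image of the ACL on ASA-B.
access-list VPN-TO-B extended permit ip any 10.11.12.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN-TO-B

! Allow traffic to enter and leave the same interface (decrypted on
! outside, forwarded back out of outside towards the internet).
same-security-traffic permit intra-interface

! PAT the Site B subnet to the outside interface address when it
! arrives on outside. The ID must match the existing global statement
! (check with: show running-config global).
nat (outside) 1 10.11.12.0 255.255.255.0
global (outside) 1 interface

! The existing NAT exemption on ASA-A for 172.30.0.0/16 -> 10.11.12.0/24
! stays in place so site-to-site traffic is still not translated.
```

With this in place, Site B's internet traffic leaves with ASA-A's outside address, so any outbound filtering or logging for those users has to be applied on ASA-A.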
