Site to site VPN - Spoke Internet access through Hub site

gizbri · ‎12-16-2010

I established a site to site VPN between Hub (5520) and spoke (5505), now I want the user in the spoke site to access the Internet through the 5520. On the 5505 I have the crypto map set for inside traffic to any and on the 5520 added a nat statement for the 5505 subnet for the outside..... what am i missing ??

rahgovin · ‎12-16-2010

same-security permit intra interface. Coz traffic is entering and exiting on the same interface.

gizbri · ‎12-16-2010

no, sorry I left that out. The VPN tunnel is established through a WAN connection, like this:

5505 ------ > WAN -------- 5520 ----------- Internet

rahgovin · ‎12-16-2010

What are the nat configs on the hub ASA?Could you post them here. Can you see a nat translation for hosts behind the 5505?

gizbri · ‎12-16-2010

file attached -

rahgovin · ‎12-16-2010

Is the crypto acl on the 5520 from any to 5505 subnet? What does the show cry ips sa show on both devices? equal encaps and decaps.

And post the 5520 config if possible. Also check for logs on 5520.

gizbri · ‎12-17-2010

Attached is the 5520 - I inherited this a week or so ago .... There are 2 other site to site vpn networks (10.65.37.0 and 10.65.36.0) that access the Internet from the 5520. I am having a bit of difficulty understand the rules that allow this , could you explain ?

Thanks

Brian