You cannot build a VPN link from internal LAN IP to internal LAN IP on ASAs. The tunnel is set up to communicate via the outside WAN IP address. From there, an encryption domain access list is configured to say which networks are allowed to communicate through the tunnel. You then set up an access list for NAT exemption that is identical to the encryption domain so the ASA does not try to NAT to that network and send it out to the internet, so it knows to go through the tunnel. The ASA's routing table is very simple. You can only have one default route (0.0.0.0 with a mask of 0.0.0.0), so with that route being used to communicate with the ISP you cannot also use that route to send traffic across the tunnel to go out the internet.
As far as I know from what I've seen and researched, what you are describing is not possible, with an ASA at least.

-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Thursday, May 21, 2009 1:09 PM
To: NT System Admin Issues
Subject: Re: Cheap/Free Simple Web Proxy Server?

On Thu, May 21, 2009 at 1:45 PM, N Parr <[email protected]> wrote:
> So the remote gateway of the ASA has to be the ISP's gateway in order
> to find the main office.

The ASA itself will need to have its default route by the ISP, yes. But not the VPN tunnel.

I've never used an ASA, but I assume you can configure the VPN such that it provides a point-to-point link between the ASA's LAN interface at the remote site, and whatever you have at HQ. Configure the firewall or routing tables or whatever so that the LAN interface doesn't forward traffic between the LAN and the public interface. Just give it routes to the local site networks, and a default route to gateway to HQ. Then configure everything on the LAN to use the ASA as the default gateway. Now all traffic from the LAN to anywhere goes to the ASA, which forwards it through the VPN to HQ.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
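As an added illustration of the arrangement N Parr describes above (this is not configuration posted by anyone in the thread), here is a minimal ASA site-to-site setup in pre-8.3 syntax: the NAT exemption list mirrors the encryption domain line for line, and the single default route points at the ISP. The interface names, ACL names, peer address and all IP ranges are made-up placeholders.

```cisco
! Added example, not from this thread. Pre-8.3 ASA syntax; all addresses are placeholders.
! Remote-site LAN: 192.168.10.0/24 on "inside". HQ LAN: 10.0.0.0/16 behind peer 198.51.100.2.
!
! Encryption domain: the only traffic that is allowed into the tunnel.
access-list VPN-TO-HQ extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0
!
! NAT exemption: identical to the encryption domain so tunnel traffic is never translated
! (a mismatch here is the usual reason LAN-to-HQ traffic leaks toward the ISP untunnelled).
access-list NO-NAT extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0
nat (inside) 0 access-list NO-NAT
!
! Everything else from inside is PAT'd to the outside address and goes to the ISP.
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
!
! The one and only default route: the ISP gateway on the outside interface.
! Packets matching VPN-TO-HQ still leave via this route, but encrypted to the peer.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! IKEv1 phase 1 and phase 2, bound to the outside interface.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-HQ
crypto map OUTSIDE-MAP 10 set peer 198.51.100.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-REAL-KEY
```

After bringing the tunnel up, `show crypto ipsec sa` and `show nat` on the remote ASA are the quick checks that the protected-network pairs and the exemption hits line up with the two ACLs.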
