One. Test topology:
Two. Test ideas:
A. The headquarters ASA does not configure split tunneling, so all branch-office traffic goes through the VPN.
B. The headquarters ASA is configured with NAT so that the branch network segment is PATed when it goes out to the public network.
----Because the branch traffic enters on the outside interface and is bounced back out of the same outside interface, you need to configure same-security-traffic permit intra-interface.
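The two headquarters-side settings described above, as an added sketch in ASA 8.4 syntax that is not part of the original page. The object name BRANCH_LAN and the subnet 192.168.1.0/24 are assumed placeholders for the branch segment, which this part of the page does not give.

```cisco
! Added example, not the original author's configuration.
! BRANCH_LAN and 192.168.1.0/24 are assumed placeholders for the
! branch segment behind the remote VPN peer.

! Allow traffic to enter and leave the same interface. Without this,
! decrypted branch traffic arriving on outside cannot be routed back
! out of outside toward the Internet.
same-security-traffic permit intra-interface

! PAT the branch segment to the outside interface address when it
! hairpins. Both the real and the mapped interface are outside,
! because the branch is reached through the tunnel on outside.
object network BRANCH_LAN
 subnet 192.168.1.0 255.255.255.0
 nat (outside,outside) dynamic interface

! Checks once the tunnel is up and a branch host sends traffic:
!   show xlate      - expect a PAT entry outside -> outside for BRANCH_LAN
!   show conn       - expect connections with outside on both sides
!
! Note: with the default "sysopt connection permit-vpn", decrypted VPN
! traffic bypasses the interface access list on outside, so that
! access list does not restrict what the branch can reach. Apply a
! vpn-filter in the tunnel's group policy if branch traffic needs to
! be restricted.
```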
Three. Basic configuration:
A. Inside router:
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.1.1
B. center_asa842 firewall:
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 202.100.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 202.100.1.10
access-list outside extended permit icmp any any
access-group outside in interface outside
C. Internet router:
interface Loopback0
 ip address 61.1.1.1 255.255.255.0
interface Ethernet0/0
 ip address 202.100.1.10 255.255.255.0
 no shutdown
interface Ethernet0/1
 ip address 202.100.2.10 255.255.255.0
 no shutdown