1. Test topology:
See also the test topology at http://333234.blog.51cto.com/323234/958557
If split tunneling is used and no NAT exemption is configured, refer to this post: http://blog.sina.com.cn/s/blog_52ddfea30100ux80.html
For a site-to-site VPN in which the branch reaches the Internet through the headquarters ASA, see: http://www.packetu.com/2013/04/02/cisco-asa-8-4-vpn-dealing-with-internet-hairpin-traffic/
2. Basic ideas:
A. same-security-traffic permit intra-interface
---Because the branch reaches the Internet through headquarters, its traffic both enters and leaves the ASA on the outside interface, so traffic entering and exiting the same interface (same security level) must be permitted.
B. PAT the branch's internal traffic on the headquarters ASA
---Assume the branch LAN is 192.168.1.0/24
object network vpnnet
 subnet 192.168.1.0 255.255.255.0
 nat (outside,outside) dynamic interface
C. Because split tunneling is not configured, a NAT exemption (identity NAT) is also required so that traffic between the headquarters LAN and the branch subnet is not translated before it is matched against the VPN
object network insidenet
 subnet 10.1.1.0 255.255.255.0
object network vpnnet
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static insidenet insidenet destination static vpnnet vpnnet
Or:
nat (inside,any) source static insidenet insidenet destination static vpnnet vpnnet
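The interplay of the three settings above (hairpin PAT, NAT exemption, and their evaluation order) is easiest to see by walking packets through a small model of ASA NAT lookup. The following script is an added example, not part of the original post: it models the page's rules plus one assumed inside-to-Internet PAT rule (not shown on the page), with an assumed outside address of 202.100.1.10, and shows that removing the exemption leaves headquarters-to-branch traffic translated and therefore outside the crypto ACL.

```python
from ipaddress import ip_address, ip_network

# Assumed outside interface address of the headquarters ASA (not given on the page).
ASA_OUTSIDE_IP = "202.100.1.10"

# Section 1: manual (twice) NAT, evaluated first, in configured order.
# Models the page's exemption:
#   nat (inside,outside) source static insidenet insidenet destination static vpnnet vpnnet
# The "(inside,any)" form from the page is accepted via out == "any".
MANUAL_NAT = [
    {"in": "inside", "out": "any", "src": "10.1.1.0/24", "dst": "192.168.1.0/24"},
]

# Section 2: object (auto) NAT, consulted only when no section-1 rule matched.
OBJECT_NAT = [
    # object network vpnnet / nat (outside,outside) dynamic interface  (hairpin PAT from the page)
    {"in": "outside", "out": "outside", "src": "192.168.1.0/24", "to": ASA_OUTSIDE_IP},
    # ASSUMED: the usual inside-to-Internet PAT rule; it is not shown on the page.
    {"in": "inside", "out": "outside", "src": "10.1.1.0/24", "to": ASA_OUTSIDE_IP},
]

def translate(ingress, egress, src, dst, manual=MANUAL_NAT, objects=OBJECT_NAT):
    """Return (translated_source, rule_that_matched) for one packet."""
    s, d = ip_address(src), ip_address(dst)
    for r in manual:  # identity rules: source is returned unchanged
        if (r["in"] == ingress and r["out"] in (egress, "any")
                and s in ip_network(r["src"]) and d in ip_network(r["dst"])):
            return src, "section 1 identity (NAT exemption)"
    for r in objects:  # dynamic PAT to the egress interface address
        if r["in"] == ingress and r["out"] == egress and s in ip_network(r["src"]):
            return r["to"], "section 2 dynamic PAT to interface"
    return src, "no NAT"

def enters_tunnel(translated_src, dst):
    """Crypto ACL check, done after NAT: headquarters LAN <-> branch LAN is interesting traffic."""
    return (ip_address(translated_src) in ip_network("10.1.1.0/24")
            and ip_address(dst) in ip_network("192.168.1.0/24"))

if __name__ == "__main__":
    # Branch host hairpinning to the Internet: PAT to the outside interface address.
    print(translate("outside", "outside", "192.168.1.5", "8.8.8.8"))
    # Headquarters LAN to branch: the exemption wins, 10.1.1.1 is kept and matches the crypto ACL.
    src, rule = translate("inside", "outside", "10.1.1.1", "192.168.1.5")
    print(src, rule, enters_tunnel(src, "192.168.1.5"))
    # Same packet with the exemption removed: PAT'ed by the assumed inside rule, never encrypted.
    src, rule = translate("inside", "outside", "10.1.1.1", "192.168.1.5", manual=[])
    print(src, rule, enters_tunnel(src, "192.168.1.5"))
```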
3. Basic configuration:
A. R1:
interface FastEthernet1/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.1.10
B. R2:
interface FastEthernet1/0
 ip address 202.100.1.2 255.255.255.0
 no shutdown
interface FastEthernet0/0
 ip address 209.165.201.2 255.255.255.0
 no shutdown
interface FastEthernet0/1
 ip address 202.100.2.2 255.255.255.0
 no shutdown