Asa8.42ezvpn no tunnel segmentation access to public network testing from Headquarters

1. Test topology:

See also: Test topology for http://333234.blog.51cto.com/323234/958557

If there is a tunnel separation without configuring NAT exemption, you can refer to the following blog: http://blog.sina.com.cn/s/blog_52ddfea30100ux80.html

Site-to-site VPN from the headquarters ASA public Network configuration reference to the following links: http://www.packetu.com/2013/04/02/cisco-asa-8-4-vpn-dealing-with-internet- hairpin-traffic/

2. Basic ideas:

A.same-security-traffic Permit Intra-interface

---because the branches from the headquarters of the Internet, traffic is only from the outside mouth of the ASA, so the opening of traffic phase with the security level of the same interface access

B. Pat on internal traffic for branch offices at Headquarters ASA

---Suppose the branch office 192.168.1.0/24

Object Network Vpnnet

Subnet 192.168.1.0 255.255.255.0

Nat (outside,outside) Dynamic interface

C. Because there is no tunnel separation configured, Nat exemption is also required

Object Network Insidenet

Subnet 10.1.1.0 255.255.255.0

Object Network Vpnnet

Subnet 192.168.1.0 255.255.255.0

Nat (Inside,outside) source static insidenet insidenet destination static vpnnet vpnnet

Or:

Nat (Inside,any) source static insidenet insidenet destination static vpnnet vpnnet

3. Basic configuration:

A.R1:

Interface fastethernet1/0

IP address 10.1.1.1 255.255.255.0

No shut

IP Route 0.0.0.0 0.0.0.0 10.1.1.10

B.R2:

Interface fastethernet1/0

IP address 202.100.1.2 255.255.255.0

No shut

Interface fastethernet0/0

IP address 209.165.201.2 255.255.255.0

No shut

Interface FASTETHERNET0/1

IP address 202.100.2.2 255.255.255.0

No shut