Cisco ASA Site-to-Site IKEv2 IPSEC VPN

Hi Antonio,

Let me jump in on this question. I don’t have a complete walkthrough, but I do have a config for an HQ and a BRANCH ASA that probably achieves what you are looking for:

hostname HQ
!
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.1.254 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 192.168.123.1 255.255.255.0 
!
same-security-traffic permit intra-interface
!
object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network LAN2
 subnet 192.168.2.0 255.255.255.0
access-list LAN1_LAN2 extended permit ip any4 host 192.168.2.2 
!
nat (INSIDE,OUTSIDE) source static LAN1 LAN1 destination static LAN2 LAN2
!
object network LAN1
 nat (INSIDE,OUTSIDE) dynamic interface
object network LAN2
 nat (OUTSIDE,OUTSIDE) dynamic interface
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.123.3 1
route OUTSIDE 192.168.2.0 255.255.255.0 192.168.123.2 1
!
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-1
!
crypto map MY_CRYPTO_MAP 1 match address LAN1_LAN2
crypto map MY_CRYPTO_MAP 1 set peer 192.168.123.2 
crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
crypto map MY_CRYPTO_MAP interface OUTSIDE
!
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 2
 prf sha      
 lifetime seconds 86400
!
crypto ikev2 enable OUTSIDE
!
tunnel-group 192.168.123.2 type ipsec-l2l
tunnel-group 192.168.123.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
: end

hostname BRANCH1
!
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.2.254 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 192.168.123.2 255.255.255.0 
!
object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network LAN2
 subnet 192.168.2.0 255.255.255.0
access-list LAN2_LAN1 extended permit ip host 192.168.2.2 any4 
!
nat (INSIDE,OUTSIDE) source static LAN2 LAN2 destination static LAN1 LAN1
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.123.1 1
!
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-1
!
crypto ipsec security-association pmtu-aging infinite
crypto map MY_CRYPTO_MAP 1 match address LAN2_LAN1
crypto map MY_CRYPTO_MAP 1 set peer 192.168.123.1 
crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
crypto map MY_CRYPTO_MAP interface OUTSIDE
!
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
!
crypto ikev2 enable OUTSIDE
!
tunnel-group 192.168.123.1 type ipsec-l2l
tunnel-group 192.168.123.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!

What this does:

  • Traffic from devices behind HQ to the Internet is natted to the IP address on the outside interface.
  • IKEv2 site-to-site IPSec VPN between HQ and BRANCH1. HQ uses the VPN to reach 192.168.2.0/24 behind BRANCH1, while BRANCH1 sends all traffic through the VPN to HQ.
  • Traffic between the subnets behind HQ and BRANCH1 through the VPN is not translated with NAT.
  • Traffic from behind BRANCH1 that goes through the VPN to HQ and on towards the Internet is translated with NAT using the outside interface of HQ.

Some key things in this config that you need:

  • same-security-traffic permit intra-interface: you need this command to tell HQ to translate traffic that arrives on the outside interface and exits the outside interface (VPN traffic from BRANCH1).
  • nat (INSIDE,OUTSIDE) source static LAN1 LAN1 destination static LAN2 LAN2: this is a “no nat” rule to tell HQ not to translate traffic between the private subnets.

About your default proxy, where do you configure this? Are these Windows hosts? This isn’t something you configure on your ASAs.

Hope this helps! If you have questions about this setup, let me know.

Rene
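The configs above have to agree on both peers before the tunnel comes up and passes traffic: the crypto-map ACLs must be mirror images of each other, at least one IKEv2 policy and one IPsec proposal must match, every `set peer` needs an `ipsec-l2l` tunnel-group on the same box, and a hairpin `nat (OUTSIDE,OUTSIDE)` rule needs `same-security-traffic permit intra-interface`. The script below is an added example, not part of Rene's post or of any Cisco tool: it parses the crypto-relevant lines of two ASA configs and reports those mismatches. The two embedded config strings are constructed excerpts of the HQ and BRANCH1 configs shown above; the function names and the simplified ACL grammar (`permit ip` with `any4`, `host X` or `X MASK` address specs) are assumptions of this example.

```python
"""Peer-consistency checks for a pair of ASA IKEv2 site-to-site configs (added example)."""
import ipaddress

# Constructed excerpts of the HQ and BRANCH1 configs from the post above.
HQ_CFG = """\
hostname HQ
same-security-traffic permit intra-interface
access-list LAN1_LAN2 extended permit ip any4 host 192.168.2.2
object network LAN2
 nat (OUTSIDE,OUTSIDE) dynamic interface
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto map MY_CRYPTO_MAP 1 match address LAN1_LAN2
crypto map MY_CRYPTO_MAP 1 set peer 192.168.123.2
crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
tunnel-group 192.168.123.2 type ipsec-l2l
: end
"""

BRANCH_CFG = """\
hostname BRANCH1
access-list LAN2_LAN1 extended permit ip host 192.168.2.2 any4
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto map MY_CRYPTO_MAP 1 match address LAN2_LAN1
crypto map MY_CRYPTO_MAP 1 set peer 192.168.123.1
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 2
 prf sha
tunnel-group 192.168.123.1 type ipsec-l2l
"""


def _addr(tokens):
    """Consume one ACL address spec (any4 / host X / X MASK); return (network, remaining tokens)."""
    if tokens[0] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_asa(cfg):
    """Extract the crypto-relevant parts of one ASA config into a dict."""
    c = {"acls": {}, "proposals": {}, "policies": {}, "peers": set(), "map_acls": set(),
         "tunnel_groups": set(), "hairpin": False, "hairpin_nat": False}
    parent = None  # sub-command target for the current policy / proposal block
    for raw in cfg.splitlines():
        t = raw.split()
        if not t or t[0] in ("!", ":"):
            continue
        if t[0] == "nat":  # "(IN,OUT)" with identical interfaces is a hairpin rule
            in_if, out_if = t[1].strip("()").split(",")
            c["hairpin_nat"] |= in_if == out_if
        elif raw[0] != " ":  # top-level command, may open a block
            parent = None
            if t[:2] == ["crypto", "ikev2"] and t[2] == "policy":
                parent = c["policies"].setdefault(t[3], {})
            elif t[:3] == ["crypto", "ipsec", "ikev2"]:
                parent = c["proposals"].setdefault(t[4], {})
            elif t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
                src, rest = _addr(t[5:])
                dst, _ = _addr(rest)
                c["acls"].setdefault(t[1], set()).add((src, dst))
            elif t[:2] == ["crypto", "map"] and "match" in t:
                c["map_acls"].add(t[-1])
            elif t[:2] == ["crypto", "map"] and "peer" in t:
                c["peers"].add(t[-1])
            elif t[0] == "tunnel-group" and t[2:] == ["type", "ipsec-l2l"]:
                c["tunnel_groups"].add(t[1])
            elif t == ["same-security-traffic", "permit", "intra-interface"]:
                c["hairpin"] = True
        elif parent is not None:  # "encryption aes" or "protocol esp integrity sha-1"
            parent[t[2] if t[0] == "protocol" else t[0]] = t[-1]
    return c


def check_pair(a_cfg, b_cfg):
    """Compare two peers' configs; return human-readable findings (empty list == consistent)."""
    a, b = parse_asa(a_cfg), parse_asa(b_cfg)
    findings = []
    # Phase 2 traffic selectors: B's (src, dst) entries must be A's (dst, src) entries.
    a_sel = {e for n in a["map_acls"] for e in a["acls"].get(n, ())}
    b_sel = {(d, s) for n in b["map_acls"] for (s, d) in b["acls"].get(n, ())}
    if a_sel != b_sel:
        findings.append("crypto ACLs are not mirror images: " + str(sorted(map(str, a_sel ^ b_sel))))
    keys = ("encryption", "integrity", "group", "prf")
    if not any(all(pa.get(k) == pb.get(k) for k in keys)
               for pa in a["policies"].values() for pb in b["policies"].values()):
        findings.append("no IKEv2 policy matches between peers")
    if not any(pa == pb for pa in a["proposals"].values() for pb in b["proposals"].values()):
        findings.append("no IPsec proposal matches between peers")
    for name, cfg in (("A", a), ("B", b)):
        for peer in cfg["peers"] - cfg["tunnel_groups"]:
            findings.append(f"{name}: set peer {peer} has no 'tunnel-group {peer} type ipsec-l2l'")
        if cfg["hairpin_nat"] and not cfg["hairpin"]:
            findings.append(f"{name}: hairpin NAT without same-security-traffic permit intra-interface")
    return findings


if __name__ == "__main__":
    print(check_pair(HQ_CFG, BRANCH_CFG) or "peers are consistent")
```

Run it unchanged and it reports the two excerpts as consistent; change `group 2` on one side or drop the `same-security-traffic` line from HQ and the corresponding finding appears. The mirror check compares the exact networks on both sides, which is what the ASA negotiates as traffic selectors, so a `/24` on one peer against a `host` on the other is flagged even though both are "covered".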