Allow Internet from remote site-to-site VPN through ASA at Corp office

Unanswered Question
Jan 25th, 2008

We have a client that is currently using a PIX 506E at the Main office and at several sites doing site-to-site VPN. All of the users at the Remote sites access the Internet through the Main site; this is currently being handled by a Linux firewall. The client would like to retire the Linux firewall and just use one firewall for the VPNs and Internet access, along with potential URL filtering at the Main office. Is this a supported configuration on an ASA?

ajagadee Fri, 01/25/2008 - 12:59

I think this should be possible with the ASA using the permit intra-interface command.

What you need is to tunnel all traffic from the remote locations to the ASA, then configure permit intra-interface, and then have the ASA NAT to a valid routable IP for Internet access. Then use Websense or N2H2 to do content filtering.

Please refer to the URL below; even though this is for the VPN Client, I am sure that you can apply the same concept to the L2L tunnel as well.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

But I would strongly recommend that you get an ASA if possible and test it thoroughly before migrating over. If you are interested, you may want to look at the new ASA 5580 :-)

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf

Happy Testing.

Regards,

Arul

** Please rate all helpful posts **

cisco24x7 Sun, 01/27/2008 - 11:52

Keep in mind the following information:

1- At the remote site, you need to specify the following as your interesting traffic. For example, let's say your remote location has a network of 10.1.1.0/24:

access-list IPSEC permit ip 10.1.1.0 255.255.255.0 any
crypto map ipsec 10 match address IPSEC

This will allow traffic from the remote location to be encrypted when going to the CORP ASA. This configuration will go to ALL remote location devices.

By the way, I described this on another similar post not too long ago. If you search for cisco24x7, you will see that post.

CCIE Security
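Putting the two replies together (Arul's hub-side permit intra-interface plus hairpin NAT, and cisco24x7's spoke-side "permit ip &lt;LAN&gt; any" crypto ACL), here is what a complete pair of configurations would look like. This is an added example, not configuration posted by either participant or taken from the linked Cisco documents. Everything in it is assumed for illustration: the addresses are RFC 5737 documentation ranges (hub outside 203.0.113.2, spoke outside 198.51.100.10, hub LAN 192.168.0.0/24, spoke LAN 10.1.1.0/24), the ACL, crypto-map and transform-set names are arbitrary, the Websense server 192.168.0.50 is hypothetical, and the asterisks stand in for a real pre-shared key. The hub side uses the pre-8.3 ASA (7.x/8.0) NAT syntax that was current when the thread was written; the spoke side is PIX 6.3 syntax for the 506E.

```cisco
! ===== Hub: Corp ASA (7.x / 8.0 syntax) =====
! Decrypted spoke traffic arrives on "outside" and must leave on "outside"
! again to reach the Internet; without this it is dropped.
same-security-traffic permit intra-interface
!
! Hub LAN <-> spoke LAN stays un-NATed inside the tunnel.
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
! Hub users PAT to the outside address as usual.
nat (inside) 1 192.168.0.0 255.255.255.0
! Hairpin: spoke LAN sources seen on "outside" are PATed to the outside
! address before being sent back out the same interface.
nat (outside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! Crypto ACL is the mirror image of the spoke's "10.1.1.0/24 -> any":
! anything (hub LAN or Internet return traffic) going to the spoke LAN.
access-list L2L_SPOKE1 extended permit ip any 10.1.1.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_SPOKE1
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key ********
!
! Optional URL filtering hook for the spoke LAN (hypothetical Websense host).
url-server (inside) vendor websense host 192.168.0.50 timeout 30 protocol TCP version 4
filter url http 10.1.1.0 255.255.255.0 0.0.0.0 0.0.0.0

! ===== Spoke: remote PIX 506E (6.3 syntax), LAN 10.1.1.0/24 =====
! Everything from the LAN, Internet-bound included, is "interesting".
access-list IPSEC permit ip 10.1.1.0 255.255.255.0 any
! NAT is evaluated before the crypto map: exempt the same traffic so the
! source stays 10.1.1.x and still matches the crypto ACL. The spoke no
! longer needs any nat/global pair for Internet access of its own.
nat (inside) 0 access-list IPSEC
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map ipsec 10 ipsec-isakmp
crypto map ipsec 10 match address IPSEC
crypto map ipsec 10 set peer 203.0.113.2
crypto map ipsec 10 set transform-set ESP-AES-SHA
crypto map ipsec interface outside
isakmp enable outside
isakmp key ******** address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Let decrypted traffic bypass the outside interface ACL (default on ASA).
sysopt connection permit-ipsec
```

Two checks worth doing before cutting over: `show crypto ipsec sa` on the hub should show decrypt counters rising for the spoke SA while `show xlate` shows 10.1.1.x entries translated to the outside address, which confirms the hairpin is actually taking place; and the spoke's `nat (inside) 0` exemption must cover exactly the crypto ACL, otherwise Internet-bound packets get PATed to the spoke's outside address, fall outside the crypto ACL, and leave the spoke in the clear. On ASA 8.3 and later the `nat`/`global` lines above are replaced by object NAT, so do not paste them into a newer release unchanged.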
