Routing help

Unanswered Question
Apr 20th, 2008

Hello,


I've got a VPN connected between my head office and a small remote office. All works, except that the remote office can't get onto the internet.


I assume by default the internet traffic from the remote office will travel down the VPN. So I wondered what the next step is?


I have attached the configuration of the remote office's Cisco 877. The 877 VPNs to a Cisco ASA 5520. The ASA is also where the internet should be accessed from. The ASA's outside interface connects to our internet router.


On the ASA I have added on the inside a permit rule for 172.19.15.0/24 to any on http/https and UDP domain.



Rick Morris Mon, 04/21/2008 - 05:48

In the config all I see for the tunnel access is:

! Crypto ACL: only traffic from the remote LAN to these three HQ subnets
! is selected for encryption; anything else is not sent down the tunnel.
access-list 101 remark SDM_ACL Category=20
access-list 101 permit ip 172.19.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip 172.19.15.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 101 permit ip 172.19.15.0 0.0.0.255 192.168.90.0 0.0.0.255


These are the only networks this tunnel is allowed to access.


! IKE phase 1: AES-256, pre-shared key, DH group 5, peer = the ASA
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key 12345 address 80.71.16.66
!
! IPsec phase 2 proposal
crypto ipsec transform-set MY_T_Set esp-aes 256 esp-sha-hmac
!
! Crypto map: ACL 101 decides which packets are encrypted to the peer
crypto map MY_Crypto_Map 10 ipsec-isakmp
 set peer 80.71.16.66
 set security-association lifetime seconds 28800
 set transform-set MY_T_Set
 set pfs group5
 match address 101    <--- ACL to match


If you need the remote site to access other resources, you will need to add them there, I believe.

whiteford Mon, 04/21/2008 - 09:55

So will I have to remove my 3 subnets and replace them with:


access-list 101 permit ip 172.19.15.0 0.0.0.255 any


I really just wanted those subnets and the internet over the tunnel.

Rick Morris Mon, 04/21/2008 - 10:12

One thing I would do is be very basic in the ACL to find out if that is the issue.


One way to do this would be to do as you suggest. This would take all traffic from that subnet and allow access to anything. If that works, you can get more granular in the settings. One question: if the site has an internet connection, why have the internet traffic go through the tunnel and then out the head office connection? Why not split the traffic: all business traffic to the office goes through the tunnel, and all other traffic goes out the local internet connection?
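Added example, not taken from any poster's config: the two ways the 877 side can be arranged, following Rick's point that the crypto ACL decides what is encrypted. The part the thread does not spell out is that IOS performs inside-to-outside NAT before it evaluates the crypto map, so the router's NAT rule for the LAN has to agree with the crypto ACL or packets arrive at the crypto map with the WAN address as source and no longer match. The NAT ACL number (100) and WAN interface name (Dialer0) are assumed; they are not in the posted excerpt. Apply one option, not both.

```cisco
! ===== Option 1: full tunnel, everything from 172.19.15.0/24 goes to HQ =====
! Crypto ACL 101 now selects ALL traffic from the remote LAN, including
! internet-bound packets, so they are encrypted towards the ASA at 80.71.16.66.
no access-list 101
access-list 101 remark Full tunnel: remote LAN to anywhere via HQ
access-list 101 permit ip 172.19.15.0 0.0.0.255 any
!
! NAT runs before the crypto map on the outbound path. If the LAN were still
! overloaded onto the Dialer0 address, the translated packets would not match
! ACL 101, so the LAN is taken out of NAT completely.
! (ACL 100 and Dialer0 are assumed names, not from the posted config.)
no ip nat inside source list 100 interface Dialer0 overload
!
! ===== Option 2: split tunnel, HQ subnets encrypted, internet via local line =====
! Crypto ACL 101 keeps only the three HQ subnets, exactly as posted.
access-list 101 remark Split tunnel: only HQ subnets via the tunnel
access-list 101 permit ip 172.19.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip 172.19.15.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 101 permit ip 172.19.15.0 0.0.0.255 192.168.90.0 0.0.0.255
!
! The NAT ACL must deny the same three destinations, so tunnel-bound packets
! keep their real 172.19.15.x source and still match ACL 101, and permit
! everything else, which is translated and routed straight out Dialer0.
access-list 100 remark NAT: exempt HQ subnets, overload the rest
access-list 100 deny   ip 172.19.15.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny   ip 172.19.15.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 100 deny   ip 172.19.15.0 0.0.0.255 192.168.90.0 0.0.0.255
access-list 100 permit ip 172.19.15.0 0.0.0.255 any
ip nat inside source list 100 interface Dialer0 overload
```

To check which option is in effect, browse from a remote-office PC and look at `show crypto ipsec sa` on the 877: with Option 1 the encaps/decaps counters for the `0.0.0.0/0` proxy identity climb, with Option 2 they do not and `show ip nat translations` shows the web session instead. Option 1 is the one that matches the requirement stated later in the thread that all web traffic pass through the HQ pipe, but it only works if the ASA is also prepared to send that traffic back out its outside interface.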

whiteford Mon, 04/21/2008 - 10:43

I will try this and get back to you.


A couple of things, though:


1.) How could I split the traffic just for my knowledge?


2.) Also, my company requires that all web traffic come through our HQ's internet pipe so we can monitor users' web traffic, block sites, etc. I can't see how I can get more granular; I would need "any" for the destination, as they would need to get to any internet site.


3.) I have Cisco VPN Client users coming into the ASA, and they can access the Internet through the tunnel; all I had to do was add a dynamic NAT onto the outside interface of the ASA. Do client VPNs work differently from site-to-site VPNs?
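Added example, not from the thread (the ASA's configuration was never posted): what the ASA 5520 needs so the remote LAN can reach the internet through the tunnel, in the pre-8.3 NAT syntax an ASA of that era runs. It is the same mechanism that makes the VPN Client users work, which is why question 3 has the answer "no, they don't work differently": decrypted traffic arrives on the outside interface and must leave through the outside interface again, so the ASA needs the hairpin permission and an outside NAT for the remote LAN, plus a crypto ACL that mirrors the 877's `any`. The ACL and crypto-map names and the 877's public address (203.0.113.10) are assumed placeholders.

```cisco
! ===== Cisco ASA 5520 (HQ), pre-8.3 NAT syntax =====
! Decrypted traffic from the 877 enters on "outside" and has to leave on
! "outside" to reach the internet. By default the ASA drops traffic that
! enters and exits the same interface; this enables the hairpin.
same-security-traffic permit intra-interface
!
! Crypto ACL mirroring the 877's "172.19.15.0/24 -> any": from the ASA's
! point of view the local side is any, the remote side is the branch LAN.
! (ACL/crypto-map names and the peer address 203.0.113.10 are assumed.)
access-list outside_cryptomap_10 extended permit ip any 172.19.15.0 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 203.0.113.10
!
! HQ subnets <-> branch LAN stay untranslated inside the tunnel (NAT exemption).
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 172.19.15.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.21.0 255.255.255.0 172.19.15.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.90.0 255.255.255.0 172.19.15.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Branch LAN traffic that hairpins back out is PATed to the outside interface
! address, the same dynamic NAT already used for the VPN Client pool.
! Return packets are untranslated to 172.19.15.x, match the crypto ACL and are
! re-encrypted to the 877.
nat (outside) 1 172.19.15.0 255.255.255.0
global (outside) 1 interface
```

One check on the rule mentioned in the original question: the http/https/domain permit added on the inside interface does not gate this flow. Tunnel traffic enters on outside, and with the default `sysopt connection permit-vpn` the ASA bypasses interface ACLs for decrypted VPN traffic altogether; if web filtering is the goal, it has to be done by the proxy or filtering device behind the ASA, or by a `vpn-filter` in the tunnel group's group policy, not by the inside interface ACL. After the change, `show crypto ipsec sa peer 203.0.113.10` on the ASA should show a `0.0.0.0/0` local identity, and `show xlate` should list 172.19.15.x translations to the outside address while a branch PC browses.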
