Hub/Spoke Forcing Spoke Internet Traffic thru Tunnel?

Unanswered Question
Jul 17th, 2008

I am having some trouble getting this tested in the lab. Essentially I have two PIX 506e setup, one pretending to be the hub, and the other a spoke (outside interfaces on the same network) with a working tunnel between them. I could ping across them without problem (to hosts on each of their internal networks). So I then wanted to tackle the forcing of all traffic from the spoke to the hub, where I'll eventually integrate some traffic monitoring which we don't want to replicate at the spoke site. To do this I changed up the access-list for the tunnel to essentially say src spoke_net to any (and the reverse on the other side). Trouble is it isn't working. I have a feeling traffic from the spoke is going across the tunnel as I can capture IP ESP traffic on the outside interface when pinging IPs on the outside network. Could this be a nat issue, routing issue, or impossible? Any help is appreciated. I've attached configs for both the Hub and Spoke.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Anonymous (not verified) Thu, 07/17/2008 - 13:47

I wish I could upload the attachments... but I keep getting a servlet error from the forums.

Anonymous (not verified) Thu, 07/17/2008 - 13:52

jt3rry Thu, 07/24/2008 - 09:42

The trouble you will have is the firewall needs a default-route and it will want to send internet requests to its DG. I know for sure this setup can be done using routers running VRF (Policy-Based Routing should also work). See my attached diagram & configs. Can you get your hands on a pair of ASAs? I believe PBR was added or will be in a future release.

Attachment: 
jt3rry Thu, 07/24/2008 - 09:45

actually the diagram shows PBR... but you get the idea. Let me know if you have any questions on the VRF & GRE setup

Actions

This Discussion