Site-Site VPN, allow internet traffic through VPN

Unanswered Question
Sep 4th, 2008

I have configured a Site-Site VPN tunnel between 2 ASA 5505 firewalls (from corporate to branch office). I can ping both networks. I would like to route internet traffic through the VPN from the branch office to corporate and would like to pass the traffic through ISA. We have ISA configured parallel to the ASA 5505 at the corporate network. Is it possible?

Overall Rating: 5 (1 ratings)
singhsaju Thu, 09/04/2008 - 05:54


Yes, it is possible. Can you ping your ISA server? If yes, then you do not need to change anything on the VPN devices. Just configure the Internet browser for the ISA server. It should work.



psireeshap Fri, 09/05/2008 - 01:31

Thank you, but we would like to route all the traffic through VPN, is it possible?

acomiskey Fri, 09/05/2008 - 05:30

Yes, just add all traffic to the interesting traffic and nat 0 acl. If x.x.x.x/24 is the network you wish to tunnel then...

access-list <crypto_acl> extended permit ip x.x.x.x 255.255.255.0 any

access-list <nat0_acl> extended permit ip x.x.x.x 255.255.255.0 any

This will force all traffic from your networks over the tunnel. You will also need to add the mirror of the first acl on the other end.

access-list <crypto_acl> extended permit ip any x.x.x.x 255.255.255.0
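
The two requirements in the answer above (the crypto ACL must be mirrored on the other peer, and the same traffic must appear in the nat 0 ACL) can be checked offline against saved configs. This is an added example, not part of the original post; the ACL names, addresses and sample configs are constructed, and it assumes plain `permit ip` entries with exact-match comparison.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def _take_net(tok):
    """Consume one ASA address spec: 'any', 'host A', or 'A MASK'."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse_acl(config, name):
    """Set of (source, destination) networks in 'permit ip' lines of ACL `name`."""
    entries = set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:5] == ["access-list", name, "extended", "permit", "ip"]:
            src, rest = _take_net(tok[5:])
            dst, _ = _take_net(rest)
            entries.add((src, dst))
    return entries

def mirror_mismatches(local, remote):
    """Entries without an exact swapped counterpart on the other peer."""
    swapped = {(dst, src) for src, dst in remote}
    return sorted(local ^ swapped, key=str)

def missing_from_nat0(crypto, nat0):
    """Tunnelled entries that the NAT-exemption ACL does not list."""
    return sorted(crypto - nat0, key=str)

# Constructed sample configs: the branch crypto ACL was changed to "any",
# but the nat 0 ACL and the corporate ACL are still the old LAN-to-LAN ones.
BRANCH = """
access-list VPN_TO_CORP extended permit ip 192.168.2.0 255.255.255.0 any
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 10.1.0.0 255.255.0.0
"""
CORP = """
access-list VPN_TO_BRANCH extended permit ip 10.1.0.0 255.255.0.0 192.168.2.0 255.255.255.0
"""
CORP_FIXED = """
access-list VPN_TO_BRANCH extended permit ip any 192.168.2.0 255.255.255.0
"""

if __name__ == "__main__":
    crypto = parse_acl(BRANCH, "VPN_TO_CORP")
    print("vs old corporate ACL:", mirror_mismatches(crypto, parse_acl(CORP, "VPN_TO_BRANCH")))
    print("vs mirrored ACL:", mirror_mismatches(crypto, parse_acl(CORP_FIXED, "VPN_TO_BRANCH")))
    print("not NAT-exempt:", missing_from_nat0(crypto, parse_acl(BRANCH, "NONAT")))
```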

bluecrescentmoon Fri, 09/05/2008 - 06:07

Thanks for the information all!

But, I forgot to add that I have the access list as well as the crypto maps defined. If I didn't have this, I could not set up the tunnel. Also, I could not ping my workstation from another workstation within the ASA network.

My only problem is that from the ASA CLI, I cannot tftp to my workstation within the FortiGate network.

Other than that, devices within both networks can communicate with one another through the tunnel.

So, is there a special command or configuration I need to have in order to tftp from the ASA to a network device outside the ASA's network?

Thanks in advance again

bluecrescentmoon Fri, 09/05/2008 - 06:14

Hi All,

I just found it. In the configuration mode, you have to use the tftp-server command to configure an explicit device to tftp.

Thank you all for your advice!

psireeshap Sun, 09/07/2008 - 23:24

Thanks, but is there any way to specify all the traffic through the VPN, irrespective of networks, as we do not want to specify the ISA as proxy in Internet Explorer in the remote location?

