Site-Site VPN, allow internet traffic through VPN

Unanswered Question
Sep 4th, 2008

I have configured a Site-Site VPN tunnel between 2 ASA 5505 firewalls (from corporate to branch office). I can ping both networks. I would like to route internet traffic through the VPN from the branch office to corporate and would like to pass the traffic through ISA. We have ISA configured parallel to the ASA 5505 at the corporate network. Is it possible?

singhsaju Thu, 09/04/2008 - 05:54


Yes, it is possible. Can you ping your ISA server? If yes, then you do not need to change anything on the VPN devices. Just configure the Internet browser for the ISA server. It should work.



psireeshap Fri, 09/05/2008 - 01:31

Thank you, but we would like to route all the traffic through VPN, is it possible?

acomiskey Fri, 09/05/2008 - 05:30

Yes, just add all traffic to the interesting traffic and nat 0 acl. If x.x.x.x/24 is the network you wish to tunnel then...

access-list extended permit ip x.x.x.x any

access-list extended permit ip x.x.x.x any

This will force all traffic from your networks over the tunnel. You will also need to add the mirror of the first acl on the other end.

access-list extended permit ip any x.x.x.x
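
Added example (not part of the original thread): a Python check that the "interesting traffic" ACL on one peer is the exact mirror of the ACL on the other, as the reply above requires. The ACL names and addresses are constructed for this example, and only plain "permit ip" lines with any, host, or address/netmask endpoints are handled.

```python
import ipaddress

def parse_endpoint(tokens):
    """Consume one ASA address spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # "address netmask" form, e.g. 192.168.2.0 255.255.255.0
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(config, acl_name):
    """Return the (source, destination) pairs of the 'permit ip' lines in acl_name."""
    entries = set()
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:5] != ["access-list", acl_name, "extended", "permit", "ip"]:
            continue
        src, rest = parse_endpoint(tokens[5:])
        dst, _ = parse_endpoint(rest)
        entries.add((src, dst))
    return entries

def mirror_mismatches(local, remote):
    """Compare local entries with the peer's entries after swapping src and dst."""
    mirrored = {(dst, src) for src, dst in remote}
    return {"missing_on_remote": local - mirrored,
            "missing_on_local": mirrored - local}

# Constructed sample configs (names and addresses are made up for this example).
BRANCH = """
access-list VPN_TRAFFIC extended permit ip 192.168.2.0 255.255.255.0 any
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 any
"""
HQ_MIRRORED = "access-list VPN_TRAFFIC extended permit ip any 192.168.2.0 255.255.255.0"
# HQ still has the original LAN-to-LAN entry, so it no longer mirrors the branch.
HQ_STALE = ("access-list VPN_TRAFFIC extended permit ip "
            "192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0")

if __name__ == "__main__":
    branch = parse_acl(BRANCH, "VPN_TRAFFIC")
    for label, hq in (("mirrored", HQ_MIRRORED), ("stale", HQ_STALE)):
        result = mirror_mismatches(branch, parse_acl(hq, "VPN_TRAFFIC"))
        for side, entries in result.items():
            for src, dst in sorted(entries):
                print(f"{label}: {side}: {src} -> {dst}")
```

Both result sets are expressed in the local peer's orientation, so an empty result on both keys means the two ACLs mirror each other.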

bluecrescentmoon Fri, 09/05/2008 - 06:07

Thanks for the information all!

But, I forgot to add that I have the access list as well as the crypto maps defined. If I didn't have this, I could not set up the tunnel. Also, I could not ping my workstation from another workstation within the ASA network.

My only problem is that from the ASA CLI, I cannot tftp to my workstation within the FortiGate network.

Other than that, communication between devices within both networks can communicate with one another through the tunnel.

So, is there a special command or configuration I need to have in order to tftp from the ASA to a network device outside the ASA's network?

Thanks in advance again

acomiskey Fri, 09/05/2008 - 06:14

Answered in your other post.

bluecrescentmoon Fri, 09/05/2008 - 06:14

Hi All,

I just found it. In the configuration mode, you have to use the tftp-server command to configure an explicit device to tftp.

Thank you all for your advice!

psireeshap Sun, 09/07/2008 - 23:24

Thanks, but is there any way to specify all the traffic through the VPN, irrespective of networks, as we do not want to specify the ISA as proxy in Internet Explorer in the remote location?

