Solved: Site to Site VPN.

ddevecka · ‎01-17-2009

I have a site to site VPN set up and working, but I don't want it to split tunnel. Which it does right now. I want all traffic including the remote side of the Site to Site VPN to surf via us and our content filter. Here is the far side ACL's which I think is where my problems are. I don't do this enough to know so I figure I would ask.

access-list outside_1_cryptomap extended permit ip 192.168.152.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.152.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.152.0 255.255.255.0 172.16.0.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.152.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.152.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.152.0 255.255.255.0 192.168.101.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.152.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.152.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.152.0 255.255.255.0 172.16.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.152.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.152.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.152.0 255.255.255.0 192.168.101.0 255.255.255.0

Thanks,

Dan

Ivan Martinon · ‎01-19-2009

Yep, config looks good, on a side note, if your main site is an ASA you might need to have a nat rule to bring those sites to the internet something like:

nat (outside) X 192.168.152.0 255.255.255.0

global (outside) X interface

And you need the correct same security traffic definition in place:

same-security-traffic permit intra-interface

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167

View solution in original post

Ivan Martinon · ‎01-19-2009

Excellent! be sure to rate this post.

View solution in original post

Ivan Martinon · ‎01-19-2009

Dan,

Tipically Lan to Lan conections are intended for specific traffic to go through the tunnel, in your case since you need to encrypt all traffic from one side to the other, what you need to do is to change your match address statements to accomplish this.

From your remote side you would do something like:

access-list outside.. permit ip any

and your central side should have the mirrored acl to the one above:

access-list outside.. permit ip any

You need to be careful when applying this since all traffic behind this remote peer will then start flowing through the tunnel and if internet has not been confirmed to be working via this method you will bring them down.

ddevecka · ‎01-19-2009

I have changed the access-list to the following on the remote side.

access-list outside... extended permit ip 192.168.152.0 255.255.255.0 any

then the central side I need to add

(Access-list from central side) this still isn't working unless I added it to the wrong part of the ACL.

access-list 100 extended permit ip 192.168.0.0 255.255.255.0 10.100.101.0 255.255.255.128

access-list 100 extended permit ip 192.168.2.0 255.255.255.0 10.100.101.0 255.255.255.128

access-list 100 extended permit ip 172.16.0.0 255.255.255.0 10.100.101.0 255.255.255.128

access-list 100 extended permit ip 192.168.100.0 255.255.255.0 10.100.101.0 255.255.255.128

access-list 100 extended permit ip 192.168.200.0 255.255.255.0 10.100.101.0 255.255.255.128

access-list 101 extended permit ip any 10.100.101.0 255.255.255.0

access-list 101 extended permit ip any 192.168.152.0 255.255.255.0

The 10.100.101.0 is used for remote access VPN and those do in fact push all traffic thru the tunnel and our filters.

Thanks for your help. Let me know if I missed anything.

Dan

Ivan Martinon · ‎01-19-2009

Hi Dan,

You also need to use the same kind of setup for your NONAT policy, if this is an ASA/Pix you would need that for your nat (inside) 0 .... acl policy the remote end needs this setup as well. Pretty much you will configure the vpn tunnel normally what will change is the traffic definition, instead of being from specific subnet to specific subnet it will be from specific subnet to any so you need to match all policies accordingly.

ddevecka · ‎01-19-2009

Sorry I am a bit of a newbie here, well actually don't do this very often and then I forget.

These are ASA's.

So now my ACL's on the remote end look like this, and the NAT 0 looks like the following as well.

access-list outside_1_cryptomap extended permit ip 192.168.152.0 255.255.255.0 any

access-list inside_nat0_outbound extended permit ip 192.168.152.0 255.255.255.0any

nat (inside) 0 access-list inside_nat0_outbound

And the ACL and NAT 0 have these entries.

Access-list 100 extended permit ip any 192.168.152.0 255.255.255.0

Access-list 101 extended permit ip any 192.168.152.0 255.255.255.0

Nat (inside) 0 access-list 101

Thanks Again,

Dan

Ivan Martinon · ‎01-19-2009

That is ok, you can test by pinging anywhere on the internet from behind of the remote end ASA, and get the show crypto ipsec sa from both ends see if the SA is created

ddevecka · ‎01-19-2009

I will test this tonight and let a note as to whether it worked or not, but the configs look correct? Atlest from the ACL side.

Thanks, Dan

Ivan Martinon · ‎01-19-2009