routing VPN IPsec - http traffic thru hq

Unanswered Question
Jul 8th, 2009

We have a client who would like their remote sites to send all http and other traffic through the hq router. They also have applications such as inventory and sales using the same link to hq.

On the access-lists I have denied all traffic from being NATed on the remote site routers so that it is pushed into the tunnel. This is not helping, and traffic is still being dropped on the hq router when I trace to the internet.

What would you suggest I play with?

site1-----hq------site2

Thanks in advance,

John Blakley Wed, 07/08/2009 - 11:11

If you want ALL traffic to go from remote site to HQ, then your ipsec acl needs to allow all local traffic to any destination through the tunnel like:

crypto map VPN 5 ipsec-isakmp
 match address 101
!
! ipsec-isakmp added: IOS will not accept a new crypto map entry without it
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

That would force anything from the local 192.168.1.0 subnet through the tunnel.

What devices are controlling the two end points of the tunnel? Routers or ASA? Can you post configs and a topology?

HTH,

John

dialondemand Wed, 07/08/2009 - 12:21

Hello,

Thanks for your response. The end points of the tunnel are routers, in particular 1841 at central site and 851W for remote sites. I have tried as suggested but traffic drops at the gateway for hq router. What is the source address at the time the packet hits? hq or remote site public IP?

John Blakley Wed, 07/08/2009 - 12:36

If you want to allow absolutely all traffic through the tunnel, you can remove your nat configs on the remote router. Is there a firewall or anything that could be dropping the traffic on the HQ side?

You can also get rid of your route statements. When the ipsec tunnel is created, the "route" is what's allowed through the tunnel. So, here's what I would do in order:

1. Make a backup of your remote site router.

2. Remove nat configs from fa4, vlan1, and bvi1

3. Remove the ip nat inside x.x.x.x.x statement

4. Remove the route-map

Your tunnels will still come up when it sees that you need to go to the 192.168.1.0 subnet through your crypto map peer statement.

Also, I noticed that your acl on HQ is listed under one crypto map. Crypto acls should mirror each other, but you have:

HQ: 192.168.1.0 192.168.2.0
    192.168.1.0 192.168.3.0

Since you're only using one crypto map, it's going to try to match these networks on BOTH of your remote routers. So, I would create another crypto map for just your two separate networks:

crypto map to-site1 10 ipsec-isakmp
 set peer 41.222.x.3
 match address site1
crypto map to-site1 20 ipsec-isakmp
 set peer 41.222.x.4
 match address site2
!
! Named ACLs are defined with "ip access-list extended"; the numbered
! "access-list NAME ..." form is not accepted by IOS for a name like site1.
ip access-list extended site1
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended site2
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

The above would match the remote's crypto acl of "192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255" (but in reverse).

You'll still just have the one crypto map, but with different sequence numbers. If you decide to go with these changes, make sure you do them after hours because your tunnels will come down until the change is made.

One last thing, if you remove the nat config on the remote router and they decide it's too much traffic on HQ and want to revert back, you'll need to redo your nat configs again.

Remember *Make backups* :)

HTH,

John
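Two points in John's replies above are easy to get wrong and hard to see from a config listing: a crypto map entry is selected by the first sequence number whose ACL permits the flow (so one entry carrying both remote subnets hands every remote's traffic to that entry's peer), and each side's crypto ACL must be the exact reverse of the far side's. The following Python script is an added example, not code from the thread or from Cisco: it models that selection logic and a mirror check over the subnets discussed in the thread. Peer addresses are placeholder labels (`SITE1_PEER`, `SITE2_PEER`), since the real peers are elided on the page, and the ACL parser handles only `permit ip` lines with `any`, `host`, or address/wildcard operands.

```python
"""Model of IOS crypto map entry selection and a crypto-ACL mirror check.

Added example (not from the thread). Assumptions: crypto map entries are
evaluated in ascending sequence order and the first ACL match wins; only
'permit ip <src> <dst>' ACEs with IOS wildcard masks are modelled.
"""
import ipaddress
from dataclasses import dataclass


def _ip_int(text):
    return int(ipaddress.IPv4Address(text))


def _covers(net, wildcard, ip):
    # IOS wildcard mask: bits set to 1 are "don't care", so compare only the 0 bits.
    care = ~_ip_int(wildcard) & 0xFFFFFFFF
    return (_ip_int(ip) & care) == (_ip_int(net) & care)


@dataclass(frozen=True)
class Ace:
    """One 'permit ip' line of a crypto ACL (source and destination with wildcards)."""
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def matches(self, src_ip, dst_ip):
        return _covers(self.src, self.src_wc, src_ip) and _covers(self.dst, self.dst_wc, dst_ip)

    def mirrored(self):
        """The ACE the far end must carry for the proxy identities to agree."""
        return Ace(self.dst, self.dst_wc, self.src, self.src_wc)


def _operand(tokens):
    """Consume one address operand: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_ace(line):
    """Parse 'permit ip <src> <dst>', optionally prefixed by 'access-list <name>'."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    src, src_wc, rest = _operand(tokens[2:])
    dst, dst_wc, rest = _operand(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {line}")
    return Ace(src, src_wc, dst, dst_wc)


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int
    peer: str    # placeholder label only; real peer addresses are not modelled
    acl: tuple   # tuple of Ace


def select_entry(entries, src_ip, dst_ip):
    """First entry (lowest seq) whose ACL permits the flow, or None (sent in cleartext)."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if any(ace.matches(src_ip, dst_ip) for ace in entry.acl):
            return entry
    return None


def peer_for(entries, src_ip, dst_ip):
    entry = select_entry(entries, src_ip, dst_ip)
    return entry.peer if entry else None


def mirror_mismatches(local_acl, remote_acl):
    """ACEs on this side that have no exact reversed counterpart on the far side."""
    remote = set(remote_acl)
    return [ace for ace in local_acl if ace.mirrored() not in remote]


# Constructed sample modelled on the HQ layout described in the thread:
# a single crypto map entry whose ACL lists both remote subnets.
HQ_SINGLE_ENTRY = (
    CryptoMapEntry(10, "SITE1_PEER", (
        parse_ace("permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"),
        parse_ace("permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255"),
    )),
)

# The split map John suggests: one sequence number and one ACL per remote site.
HQ_SPLIT = (
    CryptoMapEntry(10, "SITE1_PEER", (parse_ace("permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"),)),
    CryptoMapEntry(20, "SITE2_PEER", (parse_ace("permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255"),)),
)

if __name__ == "__main__":
    print("single entry, HQ -> site2 LAN:", peer_for(HQ_SINGLE_ENTRY, "192.168.1.10", "192.168.3.10"))
    print("split map,    HQ -> site2 LAN:", peer_for(HQ_SPLIT, "192.168.1.10", "192.168.3.10"))
    remote_any = [parse_ace("permit ip 192.168.2.0 0.0.0.255 any")]
    hq_site1 = [parse_ace("permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255")]
    for ace in mirror_mismatches(remote_any, hq_site1):
        print("HQ lacks mirror of remote ACE; it would need:", ace.mirrored())
```

With the single entry, a packet from HQ to the site2 LAN selects sequence 10 and therefore the site1 peer, which is the behaviour John warns about; with the split map the same packet selects sequence 20. The mirror check also shows why the first suggestion (`permit ip 192.168.1.0 0.0.0.255 any` on the remote) only works if HQ carries the reversed `any -> remote LAN` entry.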
