Route all traffic thru ipsec VTI

tglidewell (Level 1)

I currently have a remote site. That site (Cisco 881) has an ipsec VTI connection back to my main office (Cisco 3845) passing thru an ASA5510. Everything on the tunnel between sites works great. But because we implement Internet filtering via the ASA5510, I want all traffic to be sent over the VTI tunnel, and out on the internet thru the ASA. 881 config is attached.

Remote Site 881 ---> ipsec VTI ---> 3845 ---> ASA ---> Internet

Accepted Solution

Richard Burts (Hall of Fame)

I believe that you will achieve your objective of having all traffic sent through the tunnel if you change your default route. Now it is:

ip route 0.0.0.0 0.0.0.0 192.168.15.1 which uses FastEthernet4.

Change it so that it uses Tunnel0

ip route 0.0.0.0 0.0.0.0 Tunnel0

or alternatively so that it uses the next hop address through the tunnel

ip route 0.0.0.0 0.0.0.0 10.10.10.1

When you make this change it should create a problem of recursive routing since the address of the tunnel endpoint will appear to be reachable through the tunnel itself. So before you make the change that I suggest I believe that you should first configure a static route for the tunnel endpoint. It might look something like:

ip route x.x.x.x 255.255.255.255 192.168.15.1

Give it a try and let us know how it works.

HTH

Rick

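As an added illustration (not part of the thread, and not Cisco's code), the following Python model of IOS recursive static-route resolution shows why a bare default route via Tunnel0 makes the tunnel endpoint resolve back into the tunnel, and why the host route for the endpoint fixes it. The endpoint address 203.0.113.1 stands in for x.x.x.x, and the connected subnets on FastEthernet4 and Tunnel0 are assumed.

```python
import ipaddress

# Constructed example, not from the thread. Stand-in values for the 881:
TUNNEL_DEST = "203.0.113.1"          # placeholder for the x.x.x.x tunnel endpoint
CONNECTED = {                        # assumed directly connected subnets -> interface
    "192.168.15.0/24": "FastEthernet4",   # WAN side; 192.168.15.1 is the next hop from the post
    "10.10.10.0/30": "Tunnel0",           # VTI; 10.10.10.1 is the far end from the post
}
INTERFACES = set(CONNECTED.values())

def lookup(routes, dst):
    """Longest-prefix match over static routes given as (prefix, next_hop_or_interface)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def egress(routes, dst, max_depth=8):
    """Resolve dst to an egress interface, following IP next hops recursively like IOS."""
    for _ in range(max_depth):
        for subnet, iface in CONNECTED.items():
            if ipaddress.ip_address(dst) in ipaddress.ip_network(subnet):
                return iface
        match = lookup(routes, dst)
        if match is None:
            return None
        if match[1] in INTERFACES:
            return match[1]
        dst = match[1]  # next hop is an IP address: resolve it in turn
    return None

def tunnel_is_recursive(routes):
    """True when the VTI's outer destination would itself be sent into Tunnel0."""
    return egress(routes, TUNNEL_DEST) == "Tunnel0"

ORIGINAL = [("0.0.0.0/0", "192.168.15.1")]
DEFAULT_VIA_TUNNEL = [("0.0.0.0/0", "Tunnel0")]
WITH_HOST_ROUTE = [(TUNNEL_DEST + "/32", "192.168.15.1"), ("0.0.0.0/0", "Tunnel0")]

if __name__ == "__main__":
    for name, table in [("original", ORIGINAL), ("default via Tunnel0", DEFAULT_VIA_TUNNEL),
                        ("with host route", WITH_HOST_ROUTE)]:
        print(f"{name:20s} endpoint->{egress(table, TUNNEL_DEST)} "
              f"internet->{egress(table, '198.51.100.5')} recursive={tunnel_is_recursive(table)}")
```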


2 Replies


I have exactly the same scenario. I applied your solution, I can ping and traceroute a website and I see in the hops that it's going through my remote internet router. However, if I try to open a webpage in a browser, nothing happens...


Any suggestion?
