08-05-2010 08:43 AM
All,
I've successfully managed to establish a site-to-site VPN using my new ASA device, however I was wondering how I could configure it so that all Internet traffic (0.0.0.0) is sent down the VPN connection and out our main office firewall (at peer end)? This will allow us to control the traffic sent out from the machines behind the ASA.
Regards,
Simon.
08-05-2010 08:52 AM
ICT-Support wrote:
All,
I've successfully managed to establish a site-to-site VPN using my new ASA device, however I was wondering how I could configure it so that all Internet traffic (0.0.0.0) is sent down the VPN connection and out our main office firewall (at peer end)? This will allow us to control the traffic sent out from the machines behind the ASA.
Regards,
Simon.
Simon
Simply modify your crypto map entry for the site-to-site VPN to catch all traffic, i.e.
access-list crypto permit ip
Jon
08-05-2010 09:16 AM
Like this, or on my no-nat access-list?
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 any
Regards,
Simon.
08-05-2010 09:29 AM
ICT-Support wrote:
Like this, or on my no-nat access-list?
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 any
Regards,
Simon.
Simon
Both if you don't want to NAT any of the VPN traffic, but I was referring to the crypto map access-list.
Jon
08-05-2010 09:10 AM
Hello,
You could configure default route with the tunneled option.
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/qr.html#wp1793355
route outside 0.0.0.0 0.0.0.0 tunneled
Then you also need to change your crypto maps accordingly.
Hope this helps.
Regards,
NT
08-06-2010 05:10 AM
Apologies if this is a stupid question, but currently I have:
route outside 0.0.0.0 0.0.0.0 83.X.X.X 1 which is my ISP gateway.
I understand the above is required so the ASA can talk to the Internet and establish the site-to-site connection.
To force the Internet browsing down the VPN tunnel would I need an additional "route outside 0.0.0.0 0.0.0.0 X.X.X.X tunneled" command? If so, what would the gateway IP be, the remote peer's Internal gateway, or the local ASA internal gateway?
Regards,
Simon.
08-09-2010 08:03 AM
I've added "any" to my crypto map and NAT rule, and I've also got: route outside 0.0.0.0 0.0.0.0 83.X.X.X 1, which is my ISP gateway, but it's not sending Internet traffic down the VPN tunnel. Does anyone know why?
Simon.
08-10-2010 01:32 AM
If I tracert www.google.co.uk it tries to go out the public IP of the Cisco, however I would like it to route through the remote peer's internal IP. If I try "route inside 0.0.0.0" nothing happens, but if I try "route outside 0.0.0.0 tunneled" I cannot then even access my remote VPN network. Has anyone got any ideas how to get this to work?
08-10-2010 08:30 AM
Still no joy, does anyone have any ideas?
08-11-2010 04:01 AM
Got some more info, ran a packet trace and get this:
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_in in interface inside
access-list acl_in extended permit ip 10.0.x.x 255.x.x.x any log
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 10.0.X.X 255.X.X.X outside any
NAT exempt
translate_hits = 296, untranslate_hits = 3
Additional Information:
Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
So my guess is it's not encrypting the packets; any idea why?
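When triaging a trace like the one above, the useful facts are which phase returned DROP and the Drop-reason, since that tells you which subsystem (here the VPN encrypt step, i.e. crypto map matching) rejected the flow rather than routing or the interface ACL. The following parser is an added example, not code from this thread or from Cisco; it works on the packet-tracer text layout shown above and uses an abridged, constructed copy of that output as its sample input.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: an abridged copy of the packet-tracer output posted above.
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text: str) -> List[Dict[str, str]]:
    """Split packet-tracer output into one dict per phase (Phase, Type, Subtype, Result)."""
    phases: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if line.startswith("Phase:"):
            current = {"Phase": line.split(":", 1)[1].strip()}
            phases.append(current)
        elif line.strip() == "Result:":
            current = None  # bare "Result:" starts the final summary block, not a phase
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            if key in ("Type", "Subtype", "Result"):
                current[key] = value.strip()
    return phases

def find_drop(text: str) -> Optional[Dict[str, str]]:
    """Return the phase that dropped the packet plus the overall Drop-reason, or None if allowed."""
    for phase in parse_phases(text):
        if phase.get("Result") == "DROP":
            m = re.search(r"^Drop-reason: (.*)$", text, re.M)
            return {**phase, "reason": m.group(1).strip() if m else ""}
    return None
```

On the sample, find_drop reports phase 6, Type VPN, Subtype encrypt, with the acl-drop reason; an all-ALLOW trace returns None.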