ASA 5505 Routing

Unanswered Question
Aug 5th, 2010

All,

I've successfully managed to establish a site-to-site VPN using my new ASA device; however, I was wondering how I could configure it so that all Internet traffic (0.0.0.0) is sent down the VPN connection and out our main office firewall (at the peer end). This will allow us to control the traffic sent out from the machines behind the ASA.

Regards,

Simon.

Jon Marshall Thu, 08/05/2010 - 08:52

ICT-Support wrote:

All,

I've successfully managed to establish a site-to-site VPN using my new ASA device; however, I was wondering how I could configure it so that all Internet traffic (0.0.0.0) is sent down the VPN connection and out our main office firewall (at the peer end). This will allow us to control the traffic sent out from the machines behind the ASA.

Regards,

Simon.

Simon

Simply modify your crypto map entry for the site-to-site VPN to catch all traffic, i.e.

access-list crypto permit ip

Jon

ICT-Support Thu, 08/05/2010 - 09:16

Like this, or on my no-nat access-list?

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 any

Regards,

Simon.

Jon Marshall Thu, 08/05/2010 - 09:29

ICT-Support wrote:

Like this, or on my no-nat access-list?

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 any

Regards,

Simon.

Simon

Both, if you don't want to NAT any of the VPN traffic, but I was referring to the crypto map access-list.

Jon

ICT-Support Fri, 08/06/2010 - 05:10

Apologies if this is a stupid question, but currently I have:

route outside 0.0.0.0 0.0.0.0 83.X.X.X 1, which is my ISP gateway.

I understand the above is required so the ASA can talk to the Internet and establish the site-to-site connection.

To force the Internet browsing down the VPN tunnel would I need an additional "route outside 0.0.0.0 0.0.0.0 X.X.X.X tunneled" command? If so, what would the gateway IP be, the remote peer's Internal gateway, or the local ASA internal gateway?

Regards,

Simon.

ICT-Support Mon, 08/09/2010 - 08:03

I've added "any" to my crypto map and NAT rule. I've also got route outside 0.0.0.0 0.0.0.0 83.X.X.X 1, which is my ISP gateway, but it's not sending Internet traffic down the VPN tunnel. Does anyone know why?

Simon.

ICT-Support Tue, 08/10/2010 - 01:32

If I tracert www.google.co.uk it tries to go out the public IP of the Cisco; however, I would like it to route through the remote peer's internal IP. If I try route inside 0.0.0.0 nothing happens, but if I try route outside 0.0.0.0 tunneled I cannot then even access my remote VPN network. Has anyone got any ideas how to get this to work?

ICT-Support Wed, 08/11/2010 - 04:01

Got some more info, ran a packet trace and get this:

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_in in interface inside
access-list acl_in extended permit ip 10.0.x.x 255.x.x.x any log
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 10.0.X.X 255.X.X.X outside any
NAT exempt
translate_hits = 296, untranslate_hits = 3
Additional Information:

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

So by my guess it's not encrypting the packets; any idea why?
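The packet-tracer output above shows the packet passing the inside ACL and the NAT exemption and then being dropped in the VPN/encrypt phase, which is the phase where the crypto map access-list (the one Jon's earlier reply says to change to match all traffic) is consulted. The following is an added example, not code from the thread: a small Python triage helper that parses packet-tracer output into per-phase records, reports the dropping phase and Drop-reason, and checks a candidate inside-to-Internet flow against crypto ACL lines written in the syntax used in the thread. The trace text is copied from the post above (with its anonymised x octets); the crypto ACL line is the one posted earlier in the thread; the flow endpoints 10.0.1.10 and 203.0.113.10 are constructed for the example.

```python
"""Triage helper for Cisco ASA packet-tracer output (added example, not from the thread).

- parse_phases(): one dict per 'Phase: N' block with Type/Subtype/Result and the
  lines under 'Config:' and 'Additional Information:'.
- drop_summary(): the phase that returned DROP plus the final Drop-reason line.
- crypto_acl_matches(): does a 'permit ip SRC DST' crypto ACL select a given flow?
  If the crypto ACL does not select the flow, a drop at VPN/encrypt is the
  expected outcome and the ACL is the first thing to fix.
"""
import ipaddress
import re

# Trace as posted in the thread (x/X are the poster's anonymised octets).
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_in in interface inside
access-list acl_in extended permit ip 10.0.x.x 255.x.x.x any log
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 10.0.X.X 255.X.X.X outside any
NAT exempt
translate_hits = 296, untranslate_hits = 3
Additional Information:

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Crypto ACL line as posted earlier in the thread.
THREAD_CRYPTO_ACL = [
    "access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 any",
]

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
SCALAR_FIELDS = ("Type", "Subtype", "Result")
LIST_FIELDS = ("Config", "Additional Information")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")


def parse_phases(text):
    """Split packet-tracer output into a list of per-phase dicts."""
    phases, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "Type": "", "Subtype": "", "Result": "",
                       "Config": [], "Additional Information": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:":       # bare 'Result:' starts the final summary, not a phase
            current = None
            continue
        if current is None:
            continue
        key, sep, value = line.partition(":")
        if sep and key in SCALAR_FIELDS:
            current[key] = value.strip()
            section = None
        elif sep and key in LIST_FIELDS and value.strip() == "":
            section = key            # following lines belong to this list until the next field
        elif section and line:
            current[section].append(line)
    return phases


def drop_summary(text):
    """Return (phase dict that reported DROP or None, Drop-reason text or None)."""
    dropped = next((p for p in parse_phases(text) if p["Result"] == "DROP"), None)
    m = re.search(r"^Drop-reason:\s*(.+)$", text, re.MULTILINE)
    return dropped, (m.group(1).strip() if m else None)


def _endpoint(tokens):
    """Consume one ACL endpoint: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(lines):
    """Return [(acl_name, src_network, dst_network)] for each 'permit ip' entry."""
    entries = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, tokens = m.group(1), m.group(2).split()
        src, tokens = _endpoint(tokens)
        dst, _ = _endpoint(tokens)   # trailing keywords such as 'log' are ignored
        entries.append((name, src, dst))
    return entries


def crypto_acl_matches(acl_lines, src_ip, dst_ip):
    """True if some entry selects src->dst, i.e. the flow would be encrypted."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for _, src, dst in parse_crypto_acl(acl_lines))


def triage(trace, crypto_acl_lines, src_ip, dst_ip):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    dropped, reason = drop_summary(trace)
    if dropped is None:
        return ["packet-tracer reports no dropping phase"]
    findings.append(f"dropped in phase {dropped['phase']} "
                    f"({dropped['Type']}/{dropped['Subtype']}): {reason}")
    if dropped["Type"] == "VPN" and dropped["Subtype"] == "encrypt":
        if crypto_acl_matches(crypto_acl_lines, src_ip, dst_ip):
            findings.append(f"crypto ACL selects {src_ip}->{dst_ip}; next verify the tunnel "
                            f"is up and the peer's crypto ACL mirrors this one")
        else:
            findings.append(f"crypto ACL does not select {src_ip}->{dst_ip}; "
                            f"a drop at VPN/encrypt is expected until it does")
    return findings


if __name__ == "__main__":
    # Constructed flow: inside host 10.0.1.10 browsing to 203.0.113.10 (documentation range).
    for finding in triage(SAMPLE_TRACE, THREAD_CRYPTO_ACL, "10.0.1.10", "203.0.113.10"):
        print(finding)
```

Run it as-is and it reports the drop in phase 6 (VPN/encrypt) and that the 192.168.1.0/24 crypto ACL entry does not cover a 10.0.x.x source, which is exactly the kind of mismatch between the inside subnet and the crypto ACL to rule out before looking at the peer side; substitute your own `show run access-list` lines and a real inside/destination pair to check a live box.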
