ASA 5505 Routing

ICT-Support
Level 1

All,

I've successfully managed to establish a site-to-site VPN using my new ASA device, however I was wondering how I could configure it so that all Internet traffic (0.0.0.0) is sent down the VPN connection and out our main office firewall (at peer end)? This will allow us to control the traffic sent out from the machines behind the ASA.

Regards,

Simon.

9 Replies

Jon Marshall
Hall of Fame

ICT-Support wrote:

All,

I've successfully managed to establish a site-to-site VPN using my new ASA device, however I was wondering how I could configure it so that all Internet traffic (0.0.0.0) is sent down the VPN connection and out our main office firewall (at peer end)? This will allow us to control the traffic sent out from the machines behind the ASA.

Regards,

Simon.

Simon

Simply modify your crypto map entry for the site to site VPN to catch all traffic ie.

access-list crypto permit ip

Jon

Like this, or on my no-nat access-list?

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 any

Regards,

Simon.

ICT-Support wrote:

Like this, or on my no-nat access-list?

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 any

Regards,

Simon.

Simon

Both if you don't want to NAT any of the VPN traffic, but I was referring to the crypto map access-list.

Jon

Nagaraja Thanthry
Cisco Employee

Hello,

You could configure default route with the tunneled option.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/qr.html#wp1793355

route outside 0.0.0.0 0.0.0.0 tunneled

Then you also need to change your crypto maps accordingly.

Hope this helps.

Regards,

NT

Apologies if this is a stupid question, but currently I have:

route outside 0.0.0.0 0.0.0.0 83.X.X.X 1 which is my ISP gateway.

I understand the above is required so the ASA can talk to the Internet and establish the site-to-site connection.

To force the Internet browsing down the VPN tunnel would I need an additional "route outside 0.0.0.0 0.0.0.0 X.X.X.X tunneled" command? If so, what would the gateway IP be, the remote peer's Internal gateway, or the local ASA internal gateway?

Regards,

Simon.

I've added "any" to my crypto map and nat rule, I've also got: route outside 0.0.0.0 0.0.0.0 83.X.X.X 1 which is my ISP gateway, but it's not sending internet traffic down the VPN tunnel. Does anyone know why?

Simon.

If I tracert www.google.co.uk it tries to go out the public IP of the CISCO, however I would like it to route through the remote peer's internal IP. If I try and route inside 0.0.0.0 nothing happens, but if I try route outside 0.0.0.0 tunneled I cannot then even access my remote VPN network. Has anyone got any ideas how to get this to work?

Still no joy, does anyone have any ideas?

Got some more info, ran a packet trace and get this:

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_in in interface inside
access-list acl_in extended permit ip 10.0.x.x 255.x.x.x any log
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 10.0.X.X 255.X.X.X outside any
NAT exempt
translate_hits = 296, untranslate_hits = 3
Additional Information:

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

So by my guessing it's not encrypting the packets, any idea why?
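A small parser for the packet-tracer output format shown above, added here as an example and not part of the thread: it splits the trace into its phases and returns the phase that dropped the packet (here phase 6, VPN encrypt) together with the summary's Drop-reason, which is the first thing to read when checking whether a flow is matching the crypto ACL. The sample trace is a constructed, abbreviated copy of the one posted above.

```python
import re
# Constructed sample, abbreviated from the packet-tracer output posted above
# (phases 1 and 3-5 omitted to keep it short).
SAMPLE_TRACE = """\
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(trace):
    """Return (phases, summary): a dict per 'Phase:' block, plus the final 'Result:' section."""
    body, _, summary = trace.strip().partition("\nResult:\n")
    phases = []
    for block in re.split(r"\n(?=Phase: )", body):
        phase, section = {}, None  # section: multi-line field we are inside
        for line in block.splitlines():
            m = re.match(r"^(Phase|Type|Subtype|Result): ?(.*)$", line)
            if m:  # single-line field
                phase[m.group(1).lower()] = m.group(2).strip()
                section = None
            elif line.startswith(("Config:", "Additional Information:")):
                section = "config" if line.startswith("Config") else "info"
                phase.setdefault(section, "")
            elif section and line.strip():  # continuation of Config/Additional Information
                phase[section] = (phase[section] + "\n" + line.strip()).strip()
        phases.append(phase)
    summary = dict(l.split(": ", 1) for l in summary.splitlines() if ": " in l)
    return phases, summary

def dropping_phase(trace):
    """First phase whose Result is DROP, with the summary's Drop-reason attached, or None."""
    phases, summary = parse_trace(trace)
    drops = [p for p in phases if p.get("result") == "DROP"]
    return {**drops[0], "drop_reason": summary.get("Drop-reason", "")} if drops else None
```

Feeding it the full trace from the thread returns phase 6 with its Drop-reason, i.e. the packet was routed out "outside" and exempted from NAT, but was not matched for encryption.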
