Pass all traffic over LAN to LAN VPN between IAD2435 and ASA 5510

Unanswered Question
Aug 26th, 2010

I have a remote site with an IAD 2435 router.  The corporate site has an ASA 5510.  I need to have all traffic from the remote site go over the VPN tunnel.  If it is bound for the Intenet, it then needs to go out the ASA.  If it needs to go into the corporate network, then the ASA needs to route it to the core router.

Atri Basu Thu, 08/26/2010 - 06:53

Hey Timothy,

It appears as though your topology is as follows:

Internal Network |--------- Router ------------ Internet ------------ ASA ---------| Corporate
                              ||        ============ vpn ============
                          Remote Site

And what you would like is for all traffic from the Remote Site that isn't destined for the "internal network" to be routed to the ASA through the VPN tunnel. Then the traffic should either be forwarded to the Corporate network or back to the internet depending on the destination.

This can be done. On the router you need to do the following:

1. set up the routing on the router so that any traffic sourced from the Remote Site and not destined for the internal network uses the VPN interface as the egress interface

2. Define the interesting traffic access-list (crypto ACL) on the router for the VPN tunnel to the ASA to include traffic sourced from your Remote Site and destined to Any.

On the ASA you need to:

1. configure the interesting traffic access-list (crypto ACL) on the ASA for the VPN tunnel to the router to include traffic sourced from ANY and destined to the remote site.
2. configure U-turning for the VPN traffic that is not destined for the corporate network. You will find more information regarding configuring U-turning for VPN traffic at the following link:

Let me know if this helps and if you have any further questions.



timothy.lewis Thu, 08/26/2010 - 09:00

The VPN endpoints are the ASA and IAD.  The internal network of the IAD is a single class C subnet of  The inside network of the ASA is a class B subnet of  Also there is a core router that has a few dozen point to point connections to other sites that needs to communicate with.  Additionally, if someone browses the web, that traffic needs to go across the VPN then go out the ASA to the Internet.

I've already completed step 2 for the router and both steps for the ASA.  For step 1 on the I don't have a VPN interface defined.  Can you give me a little more detail?


Atri Basu Thu, 08/26/2010 - 10:40

Hey Timothy,

I am not very sure how VPN is configured on an IAD, but if it's like a router then you must have applied the crypto map to one of the interfaces, so in this case that would be the interface I was referring to as your VPN interface. You will need to set up source based routing on the IAD using route maps so that any traffic sourced from your remote network to the internal network goes out through the correct interface and all other traffic from the remote site goes out through the VPN interface, or the interface on which the crypto map is applied.
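As an added example that is not part of this thread, here is one way to lay out the router-side route map and crypto ACL from the post above together with the ASA-side crypto ACL, NAT exemption and U-turn from the earlier post. All addresses, interface names, object names and the transform-set name are placeholders, and the ASA lines assume 8.3+ NAT syntax.

```cisco
! ---- Remote IAD/IOS router. Placeholder addressing, not from the thread:
!      remote LAN 10.10.10.0/24, "internal network" 10.20.20.0/24 via next hop
!      10.30.30.2, router WAN 198.51.100.2 with ISP gateway 198.51.100.1,
!      ASA public IP 203.0.113.1, corporate inside network 10.0.0.0/16 ----
!
! Router step 2: crypto ACL. Deny the internal network first so it is never
! tunnelled, then send everything else sourced from the remote LAN to the ASA.
ip access-list extended VPN-INTERESTING
 deny   ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
!
! Router step 1: source-based routing with a route map. Internal-network
! traffic keeps its own next hop; all other remote-LAN traffic is forced to
! the ISP gateway on the WAN interface that carries the crypto map.
ip access-list extended TO-INTERNAL
 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
route-map REMOTE-PBR permit 10
 match ip address TO-INTERNAL
 set ip next-hop 10.30.30.2
route-map REMOTE-PBR permit 20
 set ip next-hop 198.51.100.1
!
! Transform set TS and the ISAKMP policy are assumed to exist already.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-INTERESTING
interface GigabitEthernet0/1
 description Remote-site LAN, PBR applies to traffic entering here
 ip policy route-map REMOTE-PBR
interface GigabitEthernet0/0
 description WAN to ISP, no PAT here or the crypto ACL never matches
 crypto map VPNMAP
!
! ---- ASA 5510 (8.3+ NAT syntax). Crypto map binding and tunnel-group for
!      the router peer are assumed to be in place already. ----
! ASA step 1: mirror image of the router's crypto ACL, any -> remote LAN.
access-list VPN-TO-REMOTE extended permit ip any 10.10.10.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN-TO-REMOTE
crypto map OUTSIDE_MAP 10 set peer 198.51.100.2
object network CORP-NET
 subnet 10.0.0.0 255.255.0.0
! ASA step 2: U-turn. Let traffic re-enter and leave the outside interface,
! and PAT the remote LAN to the outside address on its way back out.
same-security-traffic permit intra-interface
object network REMOTE-LAN
 subnet 10.10.10.0 255.255.255.0
 nat (outside,outside) dynamic interface
! Keep corporate <-> remote traffic out of the Internet PAT (NAT exemption).
nat (inside,outside) source static CORP-NET CORP-NET destination static REMOTE-LAN REMOTE-LAN
```

The deny line at the top of VPN-INTERESTING is what keeps internal-network traffic off the tunnel even though the permit below it says "any"; without it the route map alone would not stop that traffic from being encrypted once it reaches the WAN interface.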



Atri Basu Thu, 08/26/2010 - 10:41

If you have already set this up and it's still not working then please attach the configurations from the two devices and specify all the networks involved, i.e. the remote site, the internal network, the corporate network, the public ip addresses of the ASA and the IAD.



