08-26-2010 06:22 AM
I have a remote site with an IAD 2435 router. The corporate site has an ASA 5510. I need to have all traffic from the remote site go over the VPN tunnel. If it is bound for the Internet, it then needs to go out the ASA. If it needs to go into the corporate network, then the ASA needs to route it to the core router.
08-26-2010 06:53 AM
Hey Timothy,
It appears as though, your topology is as follows:
Internal Network| ------------------Router-----------------Internet--------------------ASA------------|Corporate
|| ==========vpn============
||
vpn
||
------------------
Remote Site
And what you would like is for all traffic from the Remote Site that isn't destined for the "internal network" to be routed to the ASA through the VPN tunnel. Then the traffic should either be forwarded to the Corporate network or back to the Internet, depending on the destination.
This can be done. On the router you need to do the following:
1. Set up the routing on the router so that any traffic sourced from the Remote Site and not destined for the internal network uses the VPN interface as the egress interface.
2. Define the interesting traffic access-list (crypto ACL) on the router for the VPN tunnel to the ASA to include traffic sourced from your Remote Site and destined to Any.
On the ASA you need to:
1. Configure the interesting traffic access-list (crypto ACL) on the ASA for the VPN tunnel to the router to include traffic sourced from ANY and destined to the remote site.
2. Configure U-turning for the VPN traffic that is not destined for the corporate network. You will find more information regarding configuring U-turning for VPN traffic at the following link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml#conf
Let me know if this helps and if you have any further questions.
Regards,
Atri
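The ASA side of the two steps above, as an added example that is not part of the original post or of Cisco's linked document. It is written in ASA 8.3 NAT syntax (8.2 and earlier use the nat/global form, and 8.4 and later replace "crypto isakmp" with "crypto ikev1"). The subnets 10.11.58.0/24 and 128.127.0.0/16 are the ones named later in the thread; the interface addresses, peer address 198.51.100.2, object names, pre-shared key placeholder and the core-router route are assumptions.

```cisco
! ASA 5510, 8.3 syntax assumed (added example, not from the thread).
! Placeholder addresses: 203.0.113.1 = ASA outside, 203.0.113.254 = ISP gateway,
! 198.51.100.2 = IAD WAN address, 128.127.1.2 = core router on the inside.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 128.127.1.1 255.255.0.0
!
! U-turn: decrypted traffic that arrived on outside may be sent back out of outside.
same-security-traffic permit intra-interface
!
object network REMOTE-SITE
 subnet 10.11.58.0 255.255.255.0
object network CORP-NET
 subnet 128.127.0.0 255.255.0.0
!
! NAT exemption: corporate <-> remote site inside the tunnel is never translated.
nat (inside,outside) source static CORP-NET CORP-NET destination static REMOTE-SITE REMOTE-SITE
!
! Remote-site traffic that U-turns to the Internet is PAT'd to the outside address.
object network REMOTE-SITE
 nat (outside,outside) dynamic interface
!
! Ordinary corporate Internet access.
object network CORP-NET
 nat (inside,outside) dynamic interface
!
! Step 1: crypto ACL is the mirror of the IAD's (any -> remote site).
access-list CRYPTO-TO-IAD extended permit ip any 10.11.58.0 255.255.255.0
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set TS-IAD esp-aes-256 esp-sha-hmac
crypto map CM-OUTSIDE 10 match address CRYPTO-TO-IAD
crypto map CM-OUTSIDE 10 set peer 198.51.100.2
crypto map CM-OUTSIDE 10 set transform-set TS-IAD
crypto map CM-OUTSIDE interface outside
!
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY
!
! Routing. The 10.0.0.0/8 summary toward the core router is an assumption standing
! in for the point-to-point site subnets; because the remote site is also inside
! 10/8, it needs its own more-specific route via outside or it would be sent inside.
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
route inside 10.0.0.0 255.0.0.0 128.127.1.2 1
route outside 10.11.58.0 255.255.255.0 203.0.113.254 1
```

Two things worth checking after applying this: `show crypto ipsec sa` should show an SA whose local/remote proxies are 0.0.0.0/0 and 10.11.58.0/24, and `show nat` should show hits on the (outside,outside) rule once a remote-site host browses the Internet. If the (outside,outside) PAT is missing, the ASA forwards the decrypted packet with its 10.11.58.x source straight to the ISP and the reply never comes back.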
08-26-2010 09:00 AM
The VPN endpoints are the ASA and IAD. The internal network of the IAD is a single class C subnet of 10.11.58.0. The inside network of the ASA is a class B subnet of 128.127.0.0. Also there is a core router that has a few dozen point to point connections to other sites that 10.11.58.0 needs to communicate with. Additionally, if someone browses the web, that traffic needs to go across the VPN then go out the ASA to the Internet.
I've already completed step 2 for the router and both steps for the ASA. For step 1 on the router, I don't have a VPN interface defined. Can you give me a little more detail?
08-26-2010 10:40 AM
Hey Timothy,
I am not very sure how VPN is configured on an IAD, but if it's like a router then you must have applied the crypto map to one of the interfaces, so in this case that would be the interface I was referring to as your VPN interface. You will need to set up source-based routing on the IAD using route maps so that any traffic sourced from your remote network to the internal network goes out through the correct interface and all other traffic from the remote site goes out through the VPN interface, or the interface on which the crypto map is applied.
Regards,
Atri.
08-26-2010 10:41 AM
If you have already set this up and it's still not working then please attach the configurations from the two devices and specify all the networks involved, i.e. the remote site, the internal network, the corporate network, the public ip addresses of the ASA and the IAD.
Regards,
Atri
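The IAD side as described in the two router steps and the route-map reply above, as an added example that is not part of the original posts. It assumes the IAD 2435 runs IOS with the crypto map on its WAN interface; the interface names, the addresses 198.51.100.2/30 (WAN) and 198.51.100.1 (ISP gateway), 10.11.58.1 (LAN), 203.0.113.1 (ASA outside) and the pre-shared key placeholder are assumptions, and 10.11.58.0/24 is the remote subnet named in the thread.

```cisco
! IAD 2435, IOS syntax (added example, not from the thread).
! FastEthernet0/0 = WAN with the crypto map, FastEthernet0/1 = remote-site LAN.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 hash sha
 group 2
 lifetime 86400
crypto isakmp key REPLACE-WITH-A-LONG-RANDOM-KEY address 203.0.113.1
!
crypto ipsec transform-set TS-ASA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Step 2: interesting traffic is everything the remote LAN sends, to any destination.
ip access-list extended CRYPTO-TO-ASA
 permit ip 10.11.58.0 0.0.0.255 any
!
crypto map CM-ASA 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-ASA
 match address CRYPTO-TO-ASA
!
! Step 1: policy routing on the LAN interface sends all traffic from 10.11.58.0/24
! to the WAN next hop, i.e. out of the interface that carries the crypto map.
ip access-list extended PBR-REMOTE-SITE
 permit ip 10.11.58.0 0.0.0.255 any
route-map TO-VPN permit 10
 match ip address PBR-REMOTE-SITE
 set ip next-hop 198.51.100.1
!
interface FastEthernet0/0
 description WAN - crypto map applied here
 ip address 198.51.100.2 255.255.255.252
 crypto map CM-ASA
!
interface FastEthernet0/1
 description Remote site LAN
 ip address 10.11.58.1 255.255.255.0
 ip policy route-map TO-VPN
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

With a single WAN link and a default route through it, the route-map only makes the intent explicit; it does real work if the IAD ever gets a second uplink or a route to another local network that should bypass the tunnel. The caveat that bites most often in this design: if the IAD also runs `ip nat` on the WAN interface, the NAT access-list must deny 10.11.58.0/24, because IOS translates before it encrypts and a packet whose source has become 198.51.100.2 no longer matches CRYPTO-TO-ASA and leaves in the clear. `show crypto session` and `show route-map TO-VPN` (for policy-matched packet counts) confirm both halves are working.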